topic Re: How to configure identity collecto to parse syslog message from Pulse Secure VPN in Firewall and Security Management

How to configure identity collecto to parse syslog message from Pulse Secure VPN

SarmChanatip — Wed, 12 May 2021 10:00:27 GMT

Hi Expert!

I would like to know if anyone here has ever configure identity collector to parse syslog message from Pulse Secure VPN.

If yes, Could you please kindly share some Syslog Parser Information, like screenshot below?

I had ever test integration with AD, this is very simple to collect identity information. But recieving syslog message is different.

Thank you in advace.

Regards,

Sarm

Re: How to configure identity collecto to parse syslog message from Pulse Secure VPN

G_W_Albrecht — Wed, 12 May 2021 11:42:25 GMT

Did you read this already ? https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Configuring-Identity-Collector-to-Parse-Syslog-Messages.htm?Highlight=syslog

Re: How to configure identity collecto to parse syslog message from Pulse Secure VPN

Markus_Laubheim — Tue, 18 May 2021 11:48:39 GMT

Hello,

I have the same problem. If you have a solution, please send it here.

Best regards,

Markus

Re: How to configure identity collecto to parse syslog message from Pulse Secure VPN

SarmChanatip — Wed, 19 May 2021 12:15:11 GMT

Hi G_W_Albercht,

Sorry for late response.

Yes, I read it but I don't understand totally, I'm not sure which message subject that I supposed to put it and other attribute to field box.

Could you please give me some clue to complete this? Below is syslog messages that I received from Pulse Secure VPN

In my case, I want to get user01 with IP 192.168.100.2 (In this example here), to create a policy with Access Role on Firewall.

05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2

05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.

05-17-2021 10:46:31 Local0.Critical 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189

Re: How to configure identity collecto to parse syslog message from Pulse Secure VPN

SarmChanatip — Wed, 19 May 2021 12:17:11 GMT

Hi Markus,

I'm still finding the solution, below is the syslog messages from Pulse Secure that I monitor on syslog server.

I'm not sure if this message is the same as your environment.

05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.

05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.

Re: How to configure identity collecto to parse syslog message from Pulse Secure VPN

Scott_Paisley — Wed, 27 Apr 2022 16:20:33 GMT

Did anyone ever come up with a solution for this? We have a requirement to parse some logs from a PulseSecure appliance. We can parse a sample of logs in the tool, but when we install the parse file it breaks something.

Re: How to configure identity collecto to parse syslog message from Pulse Secure VPN

SarmChanatip — Thu, 28 Apr 2022 04:53:07 GMT

Hi Scott_Paisley

I already resolved the problem by parsing syslog from PulseSecure VPN as below screenshot and it worked fine on my lab.

10.x.x.189 PulseSecure: - - - 2021-06-15 00:39:31 - ive - [10.x.x.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.20, hostname xxx-xxx"

I also copy and paste each of the attributes here for your test purpose in your lab.

Message Subject*: (PulseSecure) with ticking RegEx checkbox

Event Type: Login

Delimeter*: \s

Username Prefix: \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\s

Username: (\w+)

Address Prefix: \s

Address*: IPv4\saddress\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})