SarmChanatip
Explorer

How to configure Identity Collector to parse syslog messages from Pulse Secure VPN

Hi Expert!

 

I would like to know if anyone here has ever configured Identity Collector to parse syslog messages from Pulse Secure VPN.

If yes, could you please kindly share some Syslog Parser information, like the screenshot below?

syslog parser.jpg

I have tested the integration with AD before, and it is very simple to collect identity information. But receiving syslog messages is different.

 

Thank you in advance.

 

Regards,

Sarm

0 Kudos
4 Replies
G_W_Albrecht
Legend

0 Kudos
SarmChanatip
Explorer

Hi G_W_Albrecht,

Sorry for the late response.

Yes, I read it, but I don't totally understand it. I'm not sure which message subject I'm supposed to enter, or what to put for the other attributes in the field boxes.

Could you please give me some clue to complete this? Below are the syslog messages that I received from Pulse Secure VPN.

In my case, I want to get user01 with IP 192.168.100.2 (in this example), to create a policy with an Access Role on the firewall.

05-17-2021          10:46:37               Local0.Info          10.4.117.179       1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2

05-17-2021          10:46:37               Local0.Info          10.4.117.179       1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.

05-17-2021          10:46:31               Local0.Critical     10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189

0 Kudos
Markus_Laubheim
Explorer

Hello,

I have the same problem. If you have a solution, please send it here.

 

Best regards,

Markus

0 Kudos
SarmChanatip
Explorer

Hi Markus,

 

I'm still looking for the solution. Below are the syslog messages from Pulse Secure that I monitor on the syslog server.

I'm not sure if this message is the same as your environment.

 

05-17-2021          10:46:37               Local0.Info          10.4.117.179       1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2

05-17-2021          10:46:37               Local0.Info          10.4.117.179       1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.

05-17-2021          10:46:31               Local0.Critical     10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189

0 Kudos
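The extraction the thread is asking about, as an added example that is not from any poster and is not Identity Collector configuration: a parser that takes only the "Session started" record as a login event and maps the user to the tunnel address (192.168.100.2 in the samples) rather than the client's source address. The regular expressions and field names are assumptions derived from the sample lines in the thread.

```python
import ipaddress
import re

# Record layout seen in the thread's samples:
#   PulseSecure: - - - <date> <time> - ive - [<source IP>] <user>(<realm>)[<roles>] - <message>
RECORD = re.compile(
    r"PulseSecure: - - - \S+ \S+ - \S+ - \[(?P<src>[^\]]+)\] "
    r"(?P<user>[^\s(]*)\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\] - (?P<msg>.*)$"
)
# Only the session-start message yields a mapping; its address is the tunnel IP.
SESSION_START = re.compile(
    r"VPN Tunneling: Session started for user with IPv4 address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), hostname (?P<host>\S+)"
)

PREFIX = "05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 "
HEAD = "PulseSecure: - - - 2021-05-16 20:44:38 - ive - "
SAMPLE_LINES = [  # first three from the thread (prefix spacing collapsed), last one constructed
    PREFIX + HEAD + "[10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: "
    "Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT",
    PREFIX + HEAD + "[127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.",
    PREFIX + HEAD + "[10.4.117.189] user01(Realm-NC)[] - "
    "Primary authentication successful for user01/System Local from 10.4.117.189",
    PREFIX + HEAD + "[10.4.117.189] user02(Realm-NC)[RoleNC] - VPN Tunneling: "
    "Session started for user with IPv4 address 192.168.100.999, hostname LAB-CLIENT",
]

def parse_login(line):
    """Return a user-to-tunnel-IP mapping for a session-start record, else None."""
    rec = RECORD.search(line.strip())
    if rec is None or rec["user"] in ("", "System"):
        return None  # not a Pulse Secure record, or a system event with no user
    evt = SESSION_START.fullmatch(rec["msg"])
    if evt is None:
        return None  # another message type (key exchange, ACL count, auth, ...)
    try:
        ip = ipaddress.IPv4Address(evt["ip"])
    except ValueError:
        return None  # digits that do not form a valid IPv4 address
    return {"user": rec["user"], "realm": rec["realm"], "roles": rec["roles"],
            "ip": str(ip), "host": evt["host"], "source": rec["src"]}

def extract_mappings(lines):
    """Keep only the lines that produce a valid login mapping."""
    return [m for m in map(parse_login, lines) if m is not None]

if __name__ == "__main__":
    for mapping in extract_mappings(SAMPLE_LINES):
        print(mapping)
```

Matching the whole message with `fullmatch` and validating the address keeps records of other types, system events and malformed addresses from becoming identity mappings.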