Hi,
We are doing testing of R80.20 Identity Collector with Syslog Parser feature.
Is there any guide on how to create Syslog Parsers for Ruckus Zone Director (Version: 10.0.1.0 build 61) to get the identity information from login and logout events?
Thank you
It looks like the configuration is based on regular expressions.
You'd have to work out what they are based on the specific log entries.
Hello,
I have a basic problem in understanding the syslog parsing scenario: I can configure an Identity Source of type syslog requiring an IP address and a port number (514). But: Is this the address of my syslog server containing for example the login data of my RADIUS infrastructure? How can the Collector connect to the syslog server remotely over the standard syslog port to READ messages? So far I thought that syslog is a one way protocol only receiving messages from remote.
Or am I wrong and the Identity Controller will spawn a new syslog server instance on that IP/port and I have to redirect my syslog messages directly to the Identity Controller?
The documentation does not really say anything about setting up the syslog parsing scenario.
Thank you for clarifying and best regards,
Markus
I have successfully created a syslog parser to pull the login and logoff messages from Cisco AnyConnect VPN sessions:
#Create a logging list on the Cisco ASA for the needed messages and send them to the IDC:
(config)# logging list MYLIST message 746012-746013
(config)# logging trap MYLIST
(config)# logging host inside [IP of server running the IDC]
#IDC Parser:
I called it "CiscoACUserId" but the name can be anything you want.
##Logins:
Message Subject: (.+Add\sIP) **Check the box for Regex
Event Type: Login
Delimiter: :
Username Prefix: \sLOCAL\\
Username: (\w+\.*\w*)
Address Prefix: User\smapping\s
Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
##Logouts:
Click the * (asterisk) to add another message
Message Subject: (.+Delete\sIP) **Check the box for Regex
Event Type: Logout
Delimiter: :
Username Prefix: \sLOCAL\\
Username: (\w+\.*\w*)
Address Prefix: User\smapping\s
Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
#IDC Identity Source:
Name: My Cisco ASA hostname
IP Address: My Cisco ASA IP address
Port: 514
Site: MySiteName where the ASA is located
Parser: CiscoACUserId (the one created above)
#Query Pools:
Edit your query pool and check the box for the new syslog Identity Source
#Filters:
If you're filtering things, be sure the IPs and/or usernames you expect to collect from the ASA are not filtered out. Otherwise nothing should be needed here.
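To make the regex fields above concrete, here is an added example (not from the post above and not Check Point's or Cisco's code) that applies the same six expressions to a few constructed syslog lines and replays the results into the IP-to-user mapping a gateway would end up with. The sample lines are constructed in the shape of ASA message IDs 746012/746013 (the IDs come from the post; the exact wording is an assumption), and the way the Identity Collector combines prefix and value fields internally is also an assumption: this code treats each prefix as a regex that must immediately precede the captured value, and it does not use the Delimiter field, since it matches against the whole line.

```python
import re
from typing import Optional

# Parser rules mirroring the IDC parser form fields from the post.
# Regexes are copied from the post; how the IDC combines them is assumed.
PARSER_RULES = [
    {
        "subject": r"(.+Add\sIP)",
        "event_type": "Login",
        "username_prefix": r"\sLOCAL\\",
        "username": r"(\w+\.*\w*)",
        "address_prefix": r"User\smapping\s",
        "address": r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    },
    {
        "subject": r"(.+Delete\sIP)",
        "event_type": "Logout",
        "username_prefix": r"\sLOCAL\\",
        "username": r"(\w+\.*\w*)",
        "address_prefix": r"User\smapping\s",
        "address": r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    },
]

# Constructed sample input: two logins, one unrelated message, one logout,
# and one login for a non-LOCAL user that the LOCAL\ prefix will not capture.
SAMPLE_LOG = [
    r"<166>Jan 05 2021 10:15:01 asa01 %ASA-6-746012: user-identity: Add IP-User mapping 10.20.30.40 - LOCAL\jdoe Succeeded - VPN user",
    r"<166>Jan 05 2021 10:15:07 asa01 %ASA-6-746012: user-identity: Add IP-User mapping 10.20.30.41 - LOCAL\jane.smith Succeeded - VPN user",
    r"<166>Jan 05 2021 10:15:09 asa01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51000 to inside:10.20.30.5/443",
    r"<166>Jan 05 2021 11:02:44 asa01 %ASA-6-746013: user-identity: Delete IP-User mapping 10.20.30.40 - LOCAL\jdoe Succeeded - VPN user logged out",
    r"<166>Jan 05 2021 11:10:00 asa01 %ASA-6-746012: user-identity: Add IP-User mapping 10.20.30.42 - EXAMPLE\bob Succeeded - VPN user",
]


def parse_line(line: str) -> Optional[dict]:
    """Apply the parser rules to one syslog line.

    Returns {"type", "user", "ip"} for the first rule whose subject matches
    and whose username and address can both be extracted, else None.
    """
    for rule in PARSER_RULES:
        if not re.search(rule["subject"], line):
            continue
        # Prefix followed directly by the capture group, as the form fields suggest.
        user = re.search(rule["username_prefix"] + rule["username"], line)
        addr = re.search(rule["address_prefix"] + rule["address"], line)
        if not (user and addr):
            # Subject matched but a field is missing (e.g. a non-LOCAL user):
            # the IDC would have nothing usable to send, so drop the line.
            return None
        return {"type": rule["event_type"], "user": user.group(1), "ip": addr.group(1)}
    return None


def replay(lines) -> dict:
    """Replay parsed events into the IP -> user mapping a gateway would hold."""
    mapping = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["type"] == "Login":
            mapping[event["ip"]] = event["user"]
        elif event["type"] == "Logout":
            mapping.pop(event["ip"], None)
    return mapping


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(replay(SAMPLE_LOG))
```

Running it over the constructed lines shows why the two subject expressions from the post must be distinct (the Delete line must not be swallowed by the Login rule) and why the `\sLOCAL\\` prefix silently drops users from any other authentication domain, which is the kind of gap worth checking before relying on the mapping for access decisions.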