How to configure Identity Collector to parse syslog messages from Pulse Secure VPN
Hi Expert!
I would like to know if anyone here has ever configured Identity Collector to parse syslog messages from Pulse Secure VPN.
If yes, could you please kindly share some Syslog Parser information, like the screenshot below?
I have tested integration with AD before; that is very simple for collecting identity information. But receiving syslog messages is different.
Thank you in advance.
Regards,
Sarm
Did you read this already ? https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...
Hi G_W_Albercht,
Sorry for the late response.
Yes, I read it, but I don't fully understand it. I'm not sure which message subject I am supposed to put in, or the other attributes for the field boxes.
Could you please give me some clues to complete this? Below are the syslog messages that I received from Pulse Secure VPN.
In my case, I want to get user01 with IP 192.168.100.2 (in this example) to create a policy with an Access Role on the firewall.
05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2
05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.
05-17-2021 10:46:31 Local0.Critical 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189
Hello,
I have the same problem. If you have a solution, please send it here.
Best regards,
Markus
Hi Markus,
I'm still looking for the solution; below are the syslog messages from Pulse Secure that I monitor on the syslog server.
I'm not sure whether these messages are the same as in your environment.
05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2
05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.
05-17-2021 10:46:31 Local0.Critical 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189
Did anyone ever come up with a solution for this? We have a requirement to parse some logs from a PulseSecure appliance. We can parse a sample of logs in the tool, but when we install the parse file it breaks something.
Hi Scott_Paisley,
I already resolved the problem by parsing syslog from Pulse Secure VPN as in the screenshot below, and it worked fine in my lab.
10.x.x.189 PulseSecure: - - - 2021-06-15 00:39:31 - ive - [10.x.x.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.20, hostname xxx-xxx
I have also copied and pasted each of the attributes here so you can test them in your lab.
Message Subject*: (PulseSecure), with the RegEx checkbox ticked
Event Type: Login
Delimiter*: \s
Username Prefix: \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\s
Username: (\w+)
Address Prefix: \s
Address*: IPv4\saddress\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
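To check what the parser fields posted in this reply actually pick out of the syslog lines quoted earlier in the thread, here is an added Python example (not Check Point code and not part of the original post) that applies the same regular expressions to those lines. It assumes that the Identity Collector evaluates the fields in the order subject, username prefix + username, address prefix + address, and only emits an identity when all of them match; that ordering is this example's assumption, not a statement about the product's internals, and the Delimiter field is not modelled. The first four sample lines are copied from the thread; the "bad_octet" line is constructed here to show a weakness of the address regex.

```python
"""Apply the Identity Collector parser fields posted in the thread to sample lines.

Added example: emulates the posted field semantics (assumed order: Message
Subject, Username Prefix + Username, Address Prefix + Address, Event Type Login).
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Parser fields exactly as posted (Message Subject with the RegEx box ticked).
SUBJECT = r"(PulseSecure)"
USERNAME_PREFIX = r"\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\s"
USERNAME = r"(\w+)"
ADDRESS_PREFIX = r"\s"
ADDRESS = r"IPv4\saddress\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
EVENT_TYPE = "Login"

_HDR = "05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - "

# First four lines are copied from the thread; "bad_octet" is constructed for this example.
SAMPLE_LOGS: Dict[str, str] = {
    "key_exchange": _HDR + "[10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2",
    "session_started": _HDR + "[10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT",
    "system_limit": _HDR + "[127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).",
    "agent_login": _HDR + "[10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.",
    "bad_octet": _HDR + "[10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 999.168.100.2, hostname CONSTRUCTED",
}


def parse_identity(line: str) -> Optional[Dict[str, str]]:
    """Return {'user', 'ip', 'event'} when every posted field matches, else None."""
    # Message Subject (RegEx ticked): the line must contain "PulseSecure".
    if re.search(SUBJECT, line) is None:
        return None
    # Username Prefix "[a.b.c.d] " immediately followed by the Username group.
    # \w+ stops at "(" so "user01(Realm-NC)" yields "user01".
    user = re.search(USERNAME_PREFIX + USERNAME, line)
    if user is None:
        return None
    # Address Prefix "\s" followed by the Address group; only the
    # "Session started ... IPv4 address X" message carries this text, so the
    # Key Exchange (NCIP) and Agent login lines deliberately produce nothing.
    addr = re.search(ADDRESS_PREFIX + ADDRESS, line)
    if addr is None:
        return None
    ip = addr.group(1)
    # \d{1,3} accepts octets such as 999; reject anything that is not a real IPv4 address.
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return {"user": user.group(1), "ip": ip, "event": EVENT_TYPE}


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    """Identities extracted from a batch of syslog lines, in input order."""
    return [ident for ident in map(parse_identity, lines) if ident is not None]


if __name__ == "__main__":
    for name, line in SAMPLE_LOGS.items():
        print(f"{name:16s} -> {parse_identity(line)}")
```

Running it shows that, of the five lines, only "session_started" yields an identity (user01 at 192.168.100.2). The "System()[]" line passes the username fields (it would extract "System") and is dropped only because it has no "IPv4 address" text, which is why anchoring the Address field to that literal matters. Two practical caveats: the posted configuration defines only a Login event, so a mapping is cleared only by the Identity Awareness session timeout unless a second parser is added for the corresponding logout message; and because syslog carries no authentication, the collector should accept these messages only from the VPN appliance's address, since a spoofed line of this shape would bind any username to any IP and thereby match an Access Role.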
