Hi Expert!
I would like to know if anyone here has ever configured Identity Collector to parse syslog messages from Pulse Secure VPN.
If yes, could you please kindly share some Syslog Parser information, like the screenshot below?
I have tested integration with AD before, and it is very simple to collect identity information that way. But receiving syslog messages is different.
Thank you in advance.
Regards,
Sarm
Did you read this already? https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...
Hi G_W_Albercht,
Sorry for the late response.
Yes, I read it, but I don't understand it totally. I'm not sure which message subject I am supposed to put in, or which other attributes go in the field boxes.
Could you please give me some clue to complete this? Below are the syslog messages that I received from Pulse Secure VPN.
In my case, I want to get user01 with IP 192.168.100.2 (in this example here) to create a policy with an Access Role on the firewall.
05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2
05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.
05-17-2021 10:46:31 Local0.Critical 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189
Hello,
I have the same problem. If you have a solution, please send it here.
Best regards,
Markus
Hi Markus,
I'm still looking for the solution; below are the syslog messages from Pulse Secure that I monitor on the syslog server.
I'm not sure if these messages are the same as in your environment.
05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2
05-17-2021 10:46:37 Local0.Info 10.4.117.179 1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.
05-17-2021 10:46:31 Local0.Critical 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.
05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189
Did anyone ever come up with a solution for this? We have a requirement to parse some logs from a PulseSecure appliance. We can parse a sample of logs in the tool, but when we install the parse file it breaks something.
Hi Scott_Paisley
I already resolved the problem by parsing syslog from PulseSecure VPN as in the screenshot below, and it worked fine in my lab.
10.x.x.189 PulseSecure: - - - 2021-06-15 00:39:31 - ive - [10.x.x.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.20, hostname xxx-xxx"
I also copied and pasted each of the attributes here for your test purposes in your lab.
Message Subject*: (PulseSecure) with the RegEx checkbox ticked
Event Type: Login
Delimiter*: \s
Username Prefix: \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\s
Username: (\w+)
Address Prefix: \s
Address*: IPv4\saddress\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
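An offline check of the parser fields above against the thread's sample messages, as an added example that is not part of the original post and not Check Point code. It assumes each prefix is matched immediately before its value pattern and uses Python's `re` engine, which may differ from the engine Identity Collector uses; `parse_login`, `HEAD` and the `john.doe` line are constructed for illustration.

```python
import ipaddress
import re

# Field values copied from the post above.
SUBJECT = r"(PulseSecure)"
USER_PREFIX = r"\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\s"
USERNAME = r"(\w+)"
ADDR_PREFIX = r"\s"
ADDRESS = r"IPv4\saddress\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# Assumption: each prefix is matched immediately before its value pattern.
USER_RE = re.compile(USER_PREFIX + USERNAME)
ADDR_RE = re.compile(ADDR_PREFIX + ADDRESS)

HEAD = "10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - "
# Message tails taken from the thread's sample log, plus one constructed line.
SAMPLES = [
    HEAD + "[10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started "
           "for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT",
    HEAD + "[10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP "
           "192.168.100.2 connected with SSL transport mode.",
    HEAD + "[127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.",
    HEAD + "[10.4.117.189] user01(Realm-NC)[] - Primary authentication successful "
           "for user01/System Local from 10.4.117.189",
    # Constructed: dotted username, to show where (\w+) stops.
    HEAD + "[10.4.117.189] john.doe(Realm-NC)[RoleNC] - VPN Tunneling: Session started "
           "for user with IPv4 address 192.168.100.7, hostname LAB-PC",
]

def parse_login(line):
    """Return (username, ip) if the line yields a login event, else None."""
    if not re.search(SUBJECT, line):
        return None
    user, addr = USER_RE.search(line), ADDR_RE.search(line)
    if not (user and addr):
        return None
    try:
        # \d{1,3} also accepts octets such as 999; reject non-addresses.
        ip = ipaddress.IPv4Address(addr.group(1))
    except ipaddress.AddressValueError:
        return None
    return user.group(1), str(ip)

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_login(line), "<-", line[len(HEAD):len(HEAD) + 40])
```

Only the "Session started" message yields a user-to-IP mapping; the other sample lines are skipped because they lack the `IPv4 address` text. The constructed `john.doe` line comes back as `john`, so check the username format your realm emits before relying on `(\w+)` for Access Role matching.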