How to configure identity collector to parse syslog messages from Pulse Secure VPN

Hi Expert!


I would like to know if anyone here has ever configured identity collector to parse syslog messages from Pulse Secure VPN.

If yes, could you please kindly share some Syslog Parser information, like the screenshot below?

[attached screenshot: syslog parser.jpg]

I have tested integration with AD before; that is very simple for collecting identity information. But receiving syslog messages is different.


Thank you in advance.


Regards,

Sarm

0 Kudos
6 Replies
G_W_Albrecht
Legend

Did you read this already? https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...


CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
SarmChanatip
Participant

Hi G_W_Albrecht,

Sorry for late response.

Yes, I read it, but I don't totally understand it. I'm not sure which message subject I am supposed to put in, and which other attributes go in the field boxes.

Could you please give me some clue to complete this? Below are the syslog messages that I received from Pulse Secure VPN.

In my case, I want to get user01 with IP 192.168.100.2 (in this example) to create a policy with an Access Role on the firewall.

05-17-2021          10:46:37               Local0.Info          10.4.117.179       1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2

05-17-2021          10:46:37               Local0.Info          10.4.117.179       1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.

05-17-2021          10:46:31               Local0.Critical     10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189

0 Kudos
Markus_Laubheim
Explorer

Hello,

I have the same problem. If you have a solution, please send it here.


Best regards,

Markus

0 Kudos
SarmChanatip
Participant

Hi Markus,


I'm still looking for the solution; below are the syslog messages from Pulse Secure that I monitor on the syslog server.

I'm not sure if this message is the same as your environment.


05-17-2021          10:46:37               Local0.Info          10.4.117.179       1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Key Exchange number 1 occurred for user with NCIP 192.168.100.2

05-17-2021          10:46:37               Local0.Info          10.4.117.179       1 2021-05-16T20:44:44-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with ESP transport mode.

05-17-2021          10:46:31               Local0.Critical     10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - Number of concurrent users (2) exceeded the system limit (2).

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 2.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - VPN Tunneling: ACL count = 2.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - Agent login succeeded for user01/Realm-NC (session:00000000) from 10.4.117.189 with Pulse-Secure/9.1.11.8575 (Windows 10) Pulse/9.1.11.8575.

05-17-2021          10:46:31               Local0.Info          10.4.117.179       1 2021-05-16T20:44:38-07:00 10.4.117.179 PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - Primary authentication successful for user01/System Local from 10.4.117.189

0 Kudos
Scott_Paisley
Advisor

Did anyone ever come up with a solution for this? We have a requirement to parse some logs from a PulseSecure appliance. We can parse a sample of logs in the tool, but when we install the parser file it breaks something.

0 Kudos
SarmChanatip
Participant

Hi Scott_Paisley

I already resolved the problem by parsing syslog from PulseSecure VPN as in the screenshot below, and it worked fine in my lab.

[attached screenshot: idc syslog parser.jpg]

10.x.x.189 PulseSecure: - - - 2021-06-15 00:39:31 - ive - [10.x.x.189] user01(Realm-NC)[RoleNC] - VPN Tunneling: Session started for user with IPv4 address 192.168.100.20, hostname xxx-xxx


I also copy and paste each of the attributes here so you can test it in your lab.

Message Subject*: (PulseSecure) with the RegEx checkbox ticked

Event Type: Login

Delimiter*: \s

Username Prefix: \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\s

Username: (\w+)

Address Prefix: \s

Address*: IPv4\saddress\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

0 Kudos
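To check which of the syslog lines posted earlier in this thread the parser fields above would actually turn into a user-to-IP mapping, here is an added Python example (not from the original posts and not Check Point's Identity Collector code). It applies the same regular expressions from the answer above to the sample lines quoted in the thread and keeps only messages where both a username and an IPv4 address can be extracted. The surrounding syslog-server prefix on each line is taken from the thread as posted; the IPv4 sanity check via the `ipaddress` module is an addition of mine, since `\d{1,3}` alone also accepts octets above 255.

```python
import ipaddress
import re
from typing import Optional

# Regular expressions copied from the parser fields in the answer above.
MESSAGE_SUBJECT = re.compile(r"PulseSecure")
# Username Prefix + Username: "[<ip>] " followed by the user name.
USERNAME = re.compile(r"\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\s(\w+)")
# Address: only the "Session started ... IPv4 address <ip>" message carries this.
ADDRESS = re.compile(r"IPv4\saddress\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def parse_identity(line: str) -> Optional[dict]:
    """Return {"user", "ip", "event"} for a login line, or None if the
    line does not match all the parser fields."""
    if not MESSAGE_SUBJECT.search(line):
        return None
    user_m = USERNAME.search(line)
    addr_m = ADDRESS.search(line)
    if not (user_m and addr_m):
        return None
    ip = addr_m.group(1)
    try:
        # Added sanity check: reject things like 999.1.1.1 that \d{1,3} lets through.
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return {"user": user_m.group(1), "ip": ip, "event": "Login"}


def extract_logins(lines):
    """Run the parser over a batch of syslog lines and keep the mappings."""
    return [rec for rec in (parse_identity(ln) for ln in lines) if rec]


# Sample lines, as posted in this thread (syslog-server timestamp prefix included).
PREFIX = "05-17-2021 10:46:31 Local0.Info 10.4.117.179 1 2021-05-16T20:44:38-07:00 10.4.117.179 "
SAMPLE_LINES = [
    PREFIX + "PulseSecure: - - - 2021-05-16 20:44:44 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - "
             "Key Exchange number 1 occurred for user with NCIP 192.168.100.2",
    PREFIX + "PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - "
             "VPN Tunneling: User with IP 192.168.100.2 connected with SSL transport mode.",
    PREFIX + "PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[RoleNC] - "
             "VPN Tunneling: Session started for user with IPv4 address 192.168.100.2, hostname BAY-CLIENT",
    PREFIX + "PulseSecure: - - - 2021-05-16 20:44:38 - ive - [127.0.0.1] System()[] - "
             "VPN Tunneling: ACL count = 2.",
    PREFIX + "PulseSecure: - - - 2021-05-16 20:44:38 - ive - [10.4.117.189] user01(Realm-NC)[] - "
             "Primary authentication successful for user01/System Local from 10.4.117.189",
]

if __name__ == "__main__":
    for rec in extract_logins(SAMPLE_LINES):
        print(rec)
```

Running it shows that, of the five lines, only the "Session started for user with IPv4 address ..." message yields a mapping (user01 to 192.168.100.2); the "System()[]" lines are dropped because they have no address field, and the Key Exchange and authentication lines are dropped because their IPs are not introduced by the "IPv4 address" phrase. That is the behaviour you want for an Access Role: one login event per tunnel, keyed on the client's assigned VPN address rather than the source address of the authentication.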