This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Longson_Ho1
Contributor
‎2019-02-08 12:27 AM
Jump to solution

R80.20 Identity Collector Syslog Parser

Hi,


We are doing testing of R80.20 Identity Collector with Syslog Parser feature.

Is there any guide about how to create Syslog Parsers for Ruckus Zone Director (Version: 10.0.1.0 build 61) to get the identity information from login and logout event?

Thank you

0 Kudos
1 Solution

Accepted Solutions
Jesse
Contributor
‎2019-11-13 08:24 AM
Jump to solution

I have successfully created a syslog parser to pull the login and logoff messages from Cisco AnyConnect VPN sessions:

 

#Create a logging list on the Cisco ASA for the needed messages and send them to the IDC:

(config)# logging list MYLIST message 746012-746013

(config)# logging trap MYLIST

(config)# logging host inside [IP of server running the IDC]

 

#IDC Parser:

I called it "CiscoACUserId" but the name can be anything you want.

##Logins:

Message Subject: (.+Add\sIP)  **Check the box for Regex

Event Type: Login

Delimiter: :

Username Prefix: \sLOCAL\\

Username: (\w+\.*\w*)

Address Prefix: User\smapping\s

Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

##Logouts:

Click the * (asterisk) to add another message

Message Subject: (.+Delete\sIP)  **Check the box for Regex

Event Type: Logout

Delimiter: :

Username Prefix: \sLOCAL\\

Username: (\w+\.*\w*)

Address Prefix: User\smapping\s

Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

IDC1.pngIDC2.png

 

#IDC Identity Source:

Name: My Cisco ASA hostname

IP Address: My Cisco ASA IP address

Port: 514

Site: MySiteName where the ASA is located

Parser: CiscoACUserId (the one created above)

 

#Query Pools:

Edit your query pool and check the box for the new syslog Identity Source

 

#Filters:

If you're filtering things, be sure the IPs and/or usernames you expect to collect from the ASA are not filtered out. Otherwise nothing should be needed here.

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2019-02-08 12:26 PM
Jump to solution

It looks the configuration is based on regular expressions.

You'd have to work out what they are based on the specific log entries.

See: Configuring Identity Collector 

0 Kudos
Markus_Hauke
Explorer
‎2019-10-12 06:01 AM
In response to PhoneBoy
Jump to solution

Hello,

 

I have a basic problem in understanding the syslog parsing scenario: I can configure an Identity Source of type syslog requiring an IP address and a port number (514). But: Is this the address of my syslog server containing for example the login data of my RADIUS infrastructure? How can the Collector connect to the syslog server remotely over the standard syslog port to READ messages? So far I thought that syslog is a one way protocol only receiving messages from remote.

Or am I wrong and the Identity Controller will spawn a new syslog server instance on that IP/port and I have to redirect my syslog messages directly to the Identity Controller?

The documentation does not really say anything about setting up the syslog parsing scenario.

 

Thank you for clarifying and best regards,

Markus

0 Kudos
Jesse
Contributor
‎2019-11-13 08:24 AM
Jump to solution

I have successfully created a syslog parser to pull the login and logoff messages from Cisco AnyConnect VPN sessions:

 

#Create a logging list on the Cisco ASA for the needed messages and send them to the IDC:

(config)# logging list MYLIST message 746012-746013

(config)# logging trap MYLIST

(config)# logging host inside [IP of server running the IDC]

 

#IDC Parser:

I called it "CiscoACUserId" but the name can be anything you want.

##Logins:

Message Subject: (.+Add\sIP)  **Check the box for Regex

Event Type: Login

Delimiter: :

Username Prefix: \sLOCAL\\

Username: (\w+\.*\w*)

Address Prefix: User\smapping\s

Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

##Logouts:

Click the * (asterisk) to add another message

Message Subject: (.+Delete\sIP)  **Check the box for Regex

Event Type: Logout

Delimiter: :

Username Prefix: \sLOCAL\\

Username: (\w+\.*\w*)

Address Prefix: User\smapping\s

Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

IDC1.pngIDC2.png

 

#IDC Identity Source:

Name: My Cisco ASA hostname

IP Address: My Cisco ASA IP address

Port: 514

Site: MySiteName where the ASA is located

Parser: CiscoACUserId (the one created above)

 

#Query Pools:

Edit your query pool and check the box for the new syslog Identity Source

 

#Filters:

If you're filtering things, be sure the IPs and/or usernames you expect to collect from the ASA are not filtered out. Otherwise nothing should be needed here.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events