Longson_Ho1
Contributor

R80.20 Identity Collector Syslog Parser

Hi,


We are doing testing of R80.20 Identity Collector with Syslog Parser feature.

Is there any guide about how to create Syslog Parsers for Ruckus Zone Director (Version: 10.0.1.0 build 61) to get the identity information from login and logout event?

Thank you


Accepted Solutions
Jesse
Contributor

I have successfully created a syslog parser to pull the login and logoff messages from Cisco AnyConnect VPN sessions:

 

#Create a logging list on the Cisco ASA for the needed messages and send them to the IDC:

(config)# logging list MYLIST message 746012-746013

(config)# logging trap MYLIST

(config)# logging host inside [IP of server running the IDC]

 

#IDC Parser:

I called it "CiscoACUserId" but the name can be anything you want.

##Logins:

Message Subject: (.+Add\sIP)  **Check the box for Regex

Event Type: Login

Delimiter: :

Username Prefix: \sLOCAL\\

Username: (\w+\.*\w*)

Address Prefix: User\smapping\s

Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

##Logouts:

Click the * (asterisk) to add another message

Message Subject: (.+Delete\sIP)  **Check the box for Regex

Event Type: Logout

Delimiter: :

Username Prefix: \sLOCAL\\

Username: (\w+\.*\w*)

Address Prefix: User\smapping\s

Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

[Screenshots IDC1.png and IDC2.png of the parser configuration were attached to the post and are not reproduced here.]

 

#IDC Identity Source:

Name: My Cisco ASA hostname

IP Address: My Cisco ASA IP address

Port: 514

Site: MySiteName where the ASA is located

Parser: CiscoACUserId (the one created above)

 

#Query Pools:

Edit your query pool and check the box for the new syslog Identity Source.

 

#Filters:

If you're filtering things, be sure the IPs and/or usernames you expect to collect from the ASA are not filtered out. Otherwise nothing should be needed here.

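The parser fields in Jesse's post are six regular expressions that the Identity Collector applies to every syslog line it receives, and a mistake in any of them silently drops identities from the Identity Awareness mapping. The following Python example is added here to test such field regexes against log lines before they are loaded into the IDC; it is not part of the post and not Check Point's or Cisco's code. It combines each prefix with its capture group (how the IDC internally combines the Delimiter and prefix fields is an assumption of this script), runs the result over a few constructed ASA 746012/746013 messages written in the shape the post implies, and additionally rejects addresses such as 999.1.1.1 that the post's `\d{1,3}` pattern would accept.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex strings exactly as given in the post's IDC parser configuration.
# Each "message" has a subject regex and an event type; the field regexes
# are shared between the login and logout messages.
MESSAGES = [
    {"subject": r"(.+Add\sIP)", "event": "Login"},
    {"subject": r"(.+Delete\sIP)", "event": "Logout"},
]
USERNAME_PREFIX = r"\sLOCAL\\"
USERNAME = r"(\w+\.*\w*)"
ADDRESS_PREFIX = r"User\smapping\s"
ADDRESS = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"


@dataclass
class IdentityEvent:
    event: str      # "Login" or "Logout"
    username: str   # value captured after the username prefix
    address: str    # value captured after the address prefix


def parse_asa_message(msg: str) -> Optional[IdentityEvent]:
    """Apply the post's parser fields to one syslog line.

    Assumption: the IDC matches the subject regex first, then looks for
    prefix + capture for the username and the address anywhere in the line.
    Returns None when the line is not one of the configured messages or
    when a field cannot be extracted, so that nothing half-parsed is mapped.
    """
    for message in MESSAGES:
        if not re.search(message["subject"], msg):
            continue
        user = re.search(USERNAME_PREFIX + USERNAME, msg)
        addr = re.search(ADDRESS_PREFIX + ADDRESS, msg)
        if user is None or addr is None:
            return None
        # \d{1,3} accepts octets above 255; refuse those rather than
        # creating an identity mapping for an impossible address.
        try:
            ipaddress.IPv4Address(addr.group(1))
        except ValueError:
            return None
        return IdentityEvent(message["event"], user.group(1), addr.group(1))
    return None


def parse_feed(lines: List[str]) -> List[IdentityEvent]:
    """Parse a batch of syslog lines, keeping only recognised identity events."""
    events = []
    for line in lines:
        ev = parse_asa_message(line)
        if ev is not None:
            events.append(ev)
    return events


# Constructed sample lines (not captured from a real device), following the
# layout of ASA messages 746012 (Add) and 746013 (Delete) as the post's
# prefixes imply it: "... IP-User mapping <ip> - LOCAL\<user> ...".
SAMPLE_SYSLOG = [
    "<166>Jan 10 2019 12:00:01 asa-edge : %ASA-6-746012: user-identity: "
    "Add IP-User mapping 10.20.30.40 - LOCAL\\jdoe Succeeded - VPN user",
    "<166>Jan 10 2019 12:45:09 asa-edge : %ASA-6-746013: user-identity: "
    "Delete IP-User mapping 10.20.30.40 - LOCAL\\jdoe Succeeded - VPN user logout",
    "<166>Jan 10 2019 12:46:00 asa-edge : %ASA-6-746012: user-identity: "
    "Add IP-User mapping 10.20.30.41 - LOCAL\\j.smith Succeeded - VPN user",
    # Unrelated message: must not produce an identity event.
    "<166>Jan 10 2019 12:47:00 asa-edge : %ASA-6-302013: Built outbound TCP connection",
    # Malformed address: subject matches but the octet check rejects it.
    "<166>Jan 10 2019 12:48:00 asa-edge : %ASA-6-746012: user-identity: "
    "Add IP-User mapping 999.1.1.1 - LOCAL\\bob Succeeded - VPN user",
]

if __name__ == "__main__":
    for ev in parse_feed(SAMPLE_SYSLOG):
        print(f"{ev.event:6} {ev.username:10} {ev.address}")
```

Running the script prints three events (jdoe login, jdoe logout, j.smith login); the connection-built line and the 999.1.1.1 line produce nothing. The same approach works for the Ruckus messages asked about in the question: paste a real login and logout line into `SAMPLE_SYSLOG`, adjust the prefix and capture strings until the username and address come out correctly, and only then enter them in the IDC parser fields.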

3 Replies
PhoneBoy
Admin

It looks like the configuration is based on regular expressions.

You'd have to work out what they are based on the specific log entries.

See: Configuring Identity Collector

0 Kudos
Markus_Hauke
Explorer

Hello,

 

I have a basic problem in understanding the syslog parsing scenario: I can configure an Identity Source of type syslog requiring an IP address and a port number (514). But: Is this the address of my syslog server containing for example the login data of my RADIUS infrastructure? How can the Collector connect to the syslog server remotely over the standard syslog port to READ messages? So far I thought that syslog is a one way protocol only receiving messages from remote.

Or am I wrong and the Identity Controller will spawn a new syslog server instance on that IP/port and I have to redirect my syslog messages directly to the Identity Controller?

The documentation does not really say anything about setting up the syslog parsing scenario.

 

Thank you for clarifying and best regards,

Markus
