Unable to parse ingress events received from Palo Alto for specific syslog format

Problem:

Unable to parse ingress events received from Palo Alto for the syslog format below:

 <14>1 2016-12-26T13:30:01-04:00 cppmserver.aruba - - - -  1,2016/12/26 13:30:00,001901000698,TRAFFIC,start,1,2016/09/26 13:30:00,107.21.163.40,158.136.1.77,0.0.0.0,0.0.0.0,allow outside to revproxy,,,web-browsing,vsys1,outside,1 Net-Servers,ethernet1/22,ethernet1/23.2,CPPM,2016/09/26 13:30:00,33722999,1,36486,80,0,0,0x0,tcp,allow,587,521,66,4,2016/09/26 13:30:01,0,any,0,67898961549,0x0,IN,IN,0,3,1,n/a

<14>1 2016-12-26T13:30:01-04:00 cppmserver.aruba - - - -  1,2016/12/26 13:30:00,001901000698,TRAFFIC,end,1,2016/09/26 13:30:00,76.179.62.80,158.136.1.77,0.0.0.0,0.0.0.0,allow outside to revproxy,,,web-browsing,vsys1,outside,1 Net-Servers,ethernet1/22,ethernet1/23.2,CPPM,2016/09/26 13:30:00,374411,1,63047,80,0,0,0x1c,tcp,allow,51626,5061,46565,71,2016/09/26 13:29:09,49,any,0,67898961658,0x0,IN,IN,0,32,39,tcp-fin

Diagnostics:

igesyslog.log shows the syslog traffic received from the firewall, in this case Palo Alto, in the format below:

 <14>1 2016-12-26T13:30:01-04:00 cppmserver.aruba - - - -  1,2016/12/26 13:30:00,001901000698,TRAFFIC,start,1,2016/09/26 13:30:00,107.21.163.40,158.136.1.77,0.0.0.0,0.0.0.0,allow outside to revproxy,,,web-browsing,vsys1,outside,1 Net-Servers,ethernet1/22,ethernet1/23.2,CPPM,2016/09/26 13:30:00,33722999,1,36486,80,0,0,0x0,tcp,allow,587,521,66,4,2016/09/26 13:30:01,0,any,0,67898961549,0x0,IN,IN,0,3,1,n/a

<14>1 2016-12-26T13:30:01-04:00 cppmserver.aruba - - - -  1,2016/12/26 13:30:00,001901000698,TRAFFIC,end,1,2016/09/26 13:30:00,76.179.62.80,158.136.1.77,0.0.0.0,0.0.0.0,allow outside to revproxy,,,web-browsing,vsys1,outside,1 Net-Servers,ethernet1/22,ethernet1/23.2,CPPM,2016/09/26 13:30:00,374411,1,63047,80,0,0,0x1c,tcp,allow,51626,5061,46565,71,2016/09/26 13:29:09,49,any,0,67898961658,0x0,IN,IN,0,32,39,tcp-fin
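As an added example (not part of this article and not the ClearPass ingress dictionary itself), the following Python parses the two messages above. It first strips the RFC 5424 header (PRI, version, timestamp, hostname and the four "-" placeholders) and then splits the body as CSV rather than on whitespace, because the rule name ("allow outside to revproxy") and the destination zone ("1 Net-Servers") contain spaces and the source/destination user fields are empty; a parser that tokenizes on spaces would misalign every attribute after the rule name. The column names are an assumption taken from the documented PAN-OS 7.x TRAFFIC log layout (47 fields), which the article does not list; the two sample lines are copied from the article.

```python
import csv
import re

# Constructed sample input: the two TRAFFIC messages quoted in this article.
SAMPLE_START = (
    "<14>1 2016-12-26T13:30:01-04:00 cppmserver.aruba - - - -  1,2016/12/26 13:30:00,"
    "001901000698,TRAFFIC,start,1,2016/09/26 13:30:00,107.21.163.40,158.136.1.77,0.0.0.0,"
    "0.0.0.0,allow outside to revproxy,,,web-browsing,vsys1,outside,1 Net-Servers,ethernet1/22,"
    "ethernet1/23.2,CPPM,2016/09/26 13:30:00,33722999,1,36486,80,0,0,0x0,tcp,allow,587,521,66,4,"
    "2016/09/26 13:30:01,0,any,0,67898961549,0x0,IN,IN,0,3,1,n/a"
)
SAMPLE_END = (
    "<14>1 2016-12-26T13:30:01-04:00 cppmserver.aruba - - - -  1,2016/12/26 13:30:00,"
    "001901000698,TRAFFIC,end,1,2016/09/26 13:30:00,76.179.62.80,158.136.1.77,0.0.0.0,"
    "0.0.0.0,allow outside to revproxy,,,web-browsing,vsys1,outside,1 Net-Servers,ethernet1/22,"
    "ethernet1/23.2,CPPM,2016/09/26 13:30:00,374411,1,63047,80,0,0,0x1c,tcp,allow,51626,5061,"
    "46565,71,2016/09/26 13:29:09,49,any,0,67898961658,0x0,IN,IN,0,32,39,tcp-fin"
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# STRUCTURED-DATA is either "-" or one or more [...] elements.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)

# Assumed column names, 1-based to match the PAN-OS 7.x TRAFFIC documentation.
# Positions omitted here (1, 6, 22, 39, 44) are FUTURE_USE in that layout.
TRAFFIC_FIELDS = {
    2: "receive_time", 3: "serial", 4: "type", 5: "subtype", 7: "generated_time",
    8: "src_ip", 9: "dst_ip", 10: "nat_src_ip", 11: "nat_dst_ip", 12: "rule",
    13: "src_user", 14: "dst_user", 15: "application", 16: "vsys",
    17: "src_zone", 18: "dst_zone", 19: "in_iface", 20: "out_iface",
    21: "log_profile", 23: "session_id", 24: "repeat_count", 25: "src_port",
    26: "dst_port", 27: "nat_src_port", 28: "nat_dst_port", 29: "flags",
    30: "protocol", 31: "action", 32: "bytes", 33: "bytes_sent",
    34: "bytes_received", 35: "packets", 36: "start_time", 37: "elapsed",
    38: "category", 40: "seqno", 41: "action_flags", 42: "src_location",
    43: "dst_location", 45: "packets_sent", 46: "packets_received",
    47: "session_end_reason",
}
INT_FIELDS = (
    "session_id", "repeat_count", "src_port", "dst_port", "nat_src_port",
    "nat_dst_port", "bytes", "bytes_sent", "bytes_received", "packets",
    "elapsed", "seqno", "packets_sent", "packets_received",
)


def parse_syslog(line):
    """Split an RFC 5424 message into header fields and the free-text body."""
    m = _RFC5424.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    header = {
        "facility": pri >> 3,      # <14> -> facility 1 (user-level)
        "severity": pri & 7,       # <14> -> severity 6 (informational)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
    }
    # The sample has two spaces before the body; drop any leading whitespace.
    return header, m.group("msg").lstrip()


def parse_traffic(body):
    """Map the comma-separated TRAFFIC body onto named fields."""
    # csv.reader, not str.split(): the rule name and zone contain spaces and
    # the user fields are legitimately empty, both of which break whitespace
    # tokenizing.
    fields = next(csv.reader([body]))
    if len(fields) != 47 or fields[3] != "TRAFFIC":
        raise ValueError("not a 47-column TRAFFIC record")
    rec = {name: fields[pos - 1] for pos, name in TRAFFIC_FIELDS.items()}
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def parse_event(line):
    """Parse one ingress syslog line into a flat attribute dictionary."""
    header, body = parse_syslog(line)
    return {**header, **parse_traffic(body)}


def check_counters(rec):
    """Sanity check: byte and packet totals must equal sent + received."""
    return (rec["bytes"] == rec["bytes_sent"] + rec["bytes_received"]
            and rec["packets"] == rec["packets_sent"] + rec["packets_received"])


if __name__ == "__main__":
    for line in (SAMPLE_START, SAMPLE_END):
        ev = parse_event(line)
        print(ev["subtype"], ev["src_ip"], "->", ev["dst_ip"],
              ev["application"], ev["session_end_reason"], check_counters(ev))
```

The counter check is the kind of consistency test worth running on the parsed output: if a field mapping is off by one, the byte and packet totals stop adding up, which is a quicker signal than inspecting each attribute by hand.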


The igesyslog.log file can be checked by downloading the ClearPass server logs from Administration -> Server Manager -> Server Configuration. Click Collect Logs as shown below.


Once downloaded, extract the server logs. Navigate to the policy manager folder -> async-netd folder, where you will find a log file called igesyslog.log.


ClearPass then queries Logstash to format the syslog event received from Palo Alto. For the format above, using the default Ingress dictionary available for Palo Alto, ClearPass was unable to parse/format the syslog message, as shown below:

The formatted/parsed output can be viewed in the ingressproc.log file, located in the same folder as igesyslog.log.

From ingressproc.log, below are a few examples where the query to Logstash is executed but returns no records, so no parsed output is seen:

2016/12/26 13:35:59 DEBUG Read record count = 0
2016/12/26 13:35:59 DEBUG IGSEvent request count = 0
2016/12/26 13:35:59 DEBUG Pre-purge size of ProcessedEvents = 0
2016/12/26 13:35:59 DEBUG Post-purge size of ProcessedEvents = 0
2016/12/26 13:36:09 DEBUG Executing query url=http://localhost:9200/logstash-*/_search?pretty=true|filter={"filter":{"range":{"@timestamp":{"gte":"1476283369731","lte":"1476283679732"}}},"sort":{"@timestamp":{"order":"asc"}}}
2016/12/26 13:36:09 DEBUG Response Body={
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 15,
    "successful" : 15,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}
2016/12/26 13:36:09 DEBUG Read record count = 0
2016/12/26 13:36:09 DEBUG IGSEvent request count = 0
2016/12/26 13:36:19 DEBUG Executing query url=http://localhost:9200/logstash-*/_search?pretty=true|filter={"filter":{"range":{"@timestamp":{"gte":"1476283379732","lte":"1476283689734"}}},"sort":{"@timestamp":{"order":"asc"}}}
2016/12/26 13:36:19 DEBUG Response Body={
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 15,
    "successful" : 15,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}

From Access Tracker, we can see that because the syslog format cannot be parsed, the computed attributes are not populated.

Request Details Summary -
Session Identifier: E-147731765266-4435436870349621280
Date and Time: Dec 26, 2016 13:38:07 IST
Username:
End-Host Identifier: -
Access Device IP/Port: -
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: PA Threat Detection
Authentication Method:
Authentication Source:
Authorization Source:
Roles:
Enforcement Profiles: Palo Alto threat enforcement
Service Monitor Mode: Enabled

Input Computed Attributes -
Authentication:Username =
Connection:Protocol = Event
Date:Date-Time = 2016-12-26 13:38:07
Event:Username =
Tips:Service = Palo Alto threat detection

Solution:

To ensure the above syslog format from Palo Alto is parsed, the Ingress dictionary for Palo Alto needs to be modified: disable the default Ingress dictionary for Palo Alto, then import and enable the attached new ingress dictionaries for inbound and outbound traffic, along with the service.


Attachments:
IEE DIctionaries PANW_Threat_AF.zip
Version history: Revision 2 of 2, last update 03-17-2017 05:12 PM