Controllerless Networks


Syslog format Aruba instant

  • 1.  Syslog format Aruba instant

    Posted Dec 01, 2014 03:19 AM

    Hello,

     

    I have a question regarding the syslog format which the Aruba Instant OS sends. Below is a sample:

     

    11-28-2014 09:18:46 Local1.Notice 10.54.1.33 Nov 28 08:18:45 2014 10.54.1.33 stm[1515]: <501199> <NOTI> <10.54.1.33 24:DE:C6:C4:EE:72>  User authenticated, mac-34:e2:fd:65:83:74, username-jbrouwer@pj.nl, IP-10.244.0.14, method-4, role-Educatie

     

    Is it possible to change the format so the , sign can be removed from the log? I am trying to configure a Palo Alto User-ID agent as a syslog listener for user-to-IP mapping, but it sees the IP format with the , behind the IP as an invalid IP address.

     

    Regards,

     

    Joost Brouwer



  • 2.  RE: Syslog format Aruba instant

    EMPLOYEE
    Posted Dec 01, 2014 04:01 AM

    Joost,

     

    Please look at the article here:  http://www.arubanetworks.com/techdocs/Instant_41_WebHelp/InstantWebHelp.htm#UG_files/Services/panFirewallInt.htm and let us know if that is the integration you need.

     

    I am not sure that the comma can be removed from the syslog output.

     

     



  • 3.  RE: Syslog format Aruba instant

    Posted Dec 02, 2014 05:18 AM

    Hello Colin,

     

    Thanks for your reply. That is an option I have tried. I can see in the system log that the IAP logs in to the Palo Alto FW, but I don't see any user-to-IP mappings in the traffic log.



  • 4.  RE: Syslog format Aruba instant

    EMPLOYEE
    Posted Dec 02, 2014 06:32 AM

    jstbrouwer,

     

    What version of the Palo Alto software and what version of Aruba Instant are you running?  If it does not work, we need to engage TAC.



  • 5.  RE: Syslog format Aruba instant

    Posted Dec 02, 2014 06:51 AM

    Hi Colin,

     

    InstantOS: 6.4.2.0-4.1.1.0_46028

    PANOS: 6.0.6



  • 6.  RE: Syslog format Aruba instant

    EMPLOYEE
    Posted Dec 02, 2014 06:59 AM
    Do you have User-ID enabled?


  • 7.  RE: Syslog format Aruba instant

    Posted Dec 02, 2014 07:04 AM

    No, I don't have User-ID enabled because there is no option for InstantOS in the syslogsender option. How should I configure User-ID otherwise? Thanks in advance.



  • 8.  RE: Syslog format Aruba instant

    EMPLOYEE
    Posted Dec 02, 2014 07:05 AM
    In the Palo


  • 9.  RE: Syslog format Aruba instant

    EMPLOYEE
    Posted Dec 02, 2014 07:00 AM

    jstbrouwer,

     

    Do your users log in with just "username" or "domain\username"?

     

     



  • 10.  RE: Syslog format Aruba instant

    Posted Dec 02, 2014 07:05 AM

    Users log in with username@domain.nl using RADIUS.



  • 11.  RE: Syslog format Aruba instant

    EMPLOYEE
    Posted Dec 02, 2014 07:20 AM

    @jstbrouwer wrote:

    Users log in with username@domain.nl using RADIUS.


    jstbrouwer,

     

    Please see if the usernames are being sent by using the "show ap debug pan-sent" command on the Instant commandline to see if any username information is being sent...



  • 12.  RE: Syslog format Aruba instant

    Posted Dec 02, 2014 08:22 AM

    Hello Colin,

     

    The user IDs are sent. To test, I changed the login of my personal device to the domain\username format. Now I get the user-to-IP mapping in the traffic log. Any idea if the format user@domain is supported?



  • 13.  RE: Syslog format Aruba instant
    Best Answer

    EMPLOYEE
    Posted Dec 02, 2014 08:29 AM

    jstbrouwer,

     

    I think that is a restriction of PAN-OS.  If you don’t send the DOMAIN prefix then the PAN can’t make the policy enforcement you require based upon the AD group membership.
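
An added example, not part of the original thread and not Aruba or Palo Alto code: a small Python parser for the "User authenticated" line quoted in the first post. It extracts the IP without the trailing comma, validates it, and can rewrite username@domain as DOMAIN\username, the form that produced mappings in post 12. The function names and the DNS-to-NetBIOS table (`netbios_map`, with `PJ` as a made-up value) are assumptions.

```python
import ipaddress
import re

# Sample line copied from the first post of the thread.
SAMPLE = ("11-28-2014 09:18:46 Local1.Notice 10.54.1.33 Nov 28 08:18:45 2014 "
          "10.54.1.33 stm[1515]: <501199> <NOTI> <10.54.1.33 24:DE:C6:C4:EE:72>  "
          "User authenticated, mac-34:e2:fd:65:83:74, username-jbrouwer@pj.nl, "
          "IP-10.244.0.14, method-4, role-Educatie")

# Each field is "key-value" and ends at the next comma or end of line, so the
# capture groups never include the trailing comma.
AUTH_RE = re.compile(
    r"User authenticated, mac-(?P<mac>[0-9A-Fa-f:]{17}), "
    r"username-(?P<user>[^,\s]+), IP-(?P<ip>[^,\s]+)"
    r"(?:, method-(?P<method>[^,\s]+))?(?:, role-(?P<role>[^,]+))?")

def to_down_level(user, netbios_map):
    """Rewrite user@dns.domain as NETBIOS\\user when the domain is in netbios_map."""
    name, sep, domain = user.rpartition("@")
    if sep and name and domain.lower() in netbios_map:
        return netbios_map[domain.lower()] + "\\" + name
    return user  # already DOMAIN\user, a bare name, or an unmapped domain

def parse_auth_event(line, netbios_map=None):
    """Return a dict for a 'User authenticated' line, or None if it does not match."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # rejects malformed addresses
    except ValueError:
        return None
    return {
        "ip": str(ip),
        "mac": m.group("mac").lower(),
        "user": to_down_level(m.group("user"), netbios_map or {}),
        "role": (m.group("role") or "").strip() or None,
    }

if __name__ == "__main__":
    # The "pj.nl" -> "PJ" mapping is a made-up value for illustration.
    print(parse_auth_event(SAMPLE, {"pj.nl": "PJ"}))
```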