User IP Mapping from Cisco ASA – regex (if the default regex for Cisco ASA does not work)

Question

PA is configured to receive UDP syslog messages from Cisco ASA AnyConnect on its management interface.

Information can be seen arriving from the ASA, but PA still does not harvest user IP mappings from the logs.

Answer

1. Enable the User-ID Syslog Listener-UDP on the management interface and run the following command to check whether the counters are increasing.

Command : show user server-monitor state <name>

e.g. : pas-pri-5020(active)> show user server-monitor state AnyConnect_test

UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is disabled

Proxy: AnyConnect_test(vsys: vsys1) Host: AnyConnect_test(<IP>)
number of log messages : 853268
number of auth. success messages : 35

2. Configure a syslog parse profile with the following parameters.

    Syslog Parse Profile : “Enter a name for the profile”
    Type : Regex Identifier
    Event Regex : “%ASA-4-722051:”          NOTE : Do not include the “” quotation marks
    Username Regex : User <([a-zA-Z0-9\\\._]+)+>
    Address Regex : IPv4 Address <([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}+)+>

NOTE : This Address Regex fetches the private IP.

In order to fetch the public IP instead, change the Address Regex to the following:

    Address Regex : IP <([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}+)+>
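The following is an added example, not part of the original article or a Palo Alto Networks tool: it reproduces what the parse profile above does (event regex as a filter, then username and address regexes as extractors) against constructed ASA syslog lines, so the private-IP and public-IP variants can be compared offline. The regexes are the article's patterns rewritten without the possessive quantifier (`{1,3}+`) and the redundant outer `(...)+`, which older Python versions reject; the log lines and usernames are constructed samples.

```python
import re

# Constructed sample AnyConnect syslog lines (not captured from a real ASA).
# 722051 carries the assigned (private) address; 722055 does not and must be filtered out.
SAMPLE_LOGS = [
    "%ASA-4-722051: Group <GP_Remote> User <jdoe> IP <203.0.113.10> "
    "IPv4 Address <10.20.30.40> IPv6 address <::> assigned to session",
    "%ASA-6-722055: Group <GP_Remote> User <jdoe> IP <203.0.113.10> "
    "Client Type: Cisco AnyConnect VPN Agent for Windows 4.10",
    "%ASA-4-722051: Group <GP_Remote> User <a.smith_1> IP <198.51.100.7> "
    "IPv4 Address <10.20.30.41> IPv6 address <::> assigned to session",
]

# Event Regex: only 722051 messages are parsed at all.
EVENT_RE = re.compile(r"%ASA-4-722051:")
# Username Regex: letters, digits, backslash, dot and underscore inside "User <...>".
USER_RE = re.compile(r"User <([a-zA-Z0-9\\._]+)>")
# Address Regex, private variant: the VPN-assigned address in "IPv4 Address <...>".
PRIVATE_IP_RE = re.compile(r"IPv4 Address <([0-9]{1,3}(?:\.[0-9]{1,3}){3})>")
# Address Regex, public variant: the client's source address in "IP <...>".
# "IP <" does not match inside "IPv4 Address <", so the two variants never collide.
PUBLIC_IP_RE = re.compile(r"IP <([0-9]{1,3}(?:\.[0-9]{1,3}){3})>")


def extract_mapping(line, address_re=PRIVATE_IP_RE):
    """Return (username, ip) for a line that passes the event filter, else None."""
    if not EVENT_RE.search(line):
        return None
    user = USER_RE.search(line)
    addr = address_re.search(line)
    if not (user and addr):
        return None
    return user.group(1), addr.group(1)


def build_mappings(lines, address_re=PRIVATE_IP_RE):
    """Build the ip -> user table that 'show user ip-user-mapping' would report."""
    mappings = {}
    for line in lines:
        found = extract_mapping(line, address_re)
        if found:
            user, ip = found
            mappings[ip] = user
    return mappings


if __name__ == "__main__":
    print("private:", build_mappings(SAMPLE_LOGS))
    print("public: ", build_mappings(SAMPLE_LOGS, PUBLIC_IP_RE))
```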

3. Check the user IP mapping using the following command :

    show user ip-user-mapping all type SYSLOG