Windows NPS + NXlog to Palo Alto User-ID

Andrew Cheremisov

NXlog configuration file

Configure Palo Alto to accept User-ID Syslog

Device -> Setup -> Interfaces -> Management or, if you have a network profile, Network -> Interface Mgmt.

Add a syslog filter profile.

Device -> User Identification -> click the gear on the right side of "Palo Alto Networks User-ID Agent Setup" -> Syslog Filters

Add new filter

Check "Regex Identifier"
Event Regex: ("Acct-Status-Type":"1"){1}
Username Regex: "User-Name":"([a-zA-Z0-9\\\._\-]+)"
Address Regex: "Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Disconnect event

Check "Regex Identifier"
Event Regex: ("Acct-Status-Type":"2"){1}
Username Regex: "User-Name":"([a-zA-Z0-9\\\._\-]+)"
Address Regex: "Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Save and close.

Go to Device -> User Identification -> Section "Server Monitoring". Click add …
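An added example, not part of the original post: a Python check that runs the filter regexes above over constructed NXlog-style JSON lines, to see which records would yield a mapping before the filters go on the firewall. The JSON shape, the sample users and addresses, and the helper names are assumptions, and Python's `re` stands in for the firewall's regex engine.

```python
import json
import re

# Patterns copied from the syslog filter profile on this page.
LOGIN_EVENT = re.compile(r'("Acct-Status-Type":"1"){1}')
LOGOUT_EVENT = re.compile(r'("Acct-Status-Type":"2"){1}')
USERNAME = re.compile(r'"User-Name":"([a-zA-Z0-9\\\._\-]+)"')
ADDRESS = re.compile(r'"Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"')

def record(status, user, ip, compact=True):
    """Build a constructed NPS accounting record as JSON (assumed NXlog output shape)."""
    fields = {"Acct-Status-Type": status, "User-Name": user, "Framed-IP-Address": ip}
    return json.dumps(fields, separators=(",", ":") if compact else None)

def classify(line):
    """Return (event, username, ip) if the filters match the line, else None."""
    if LOGIN_EVENT.search(line):
        event = "login"
    elif LOGOUT_EVENT.search(line):
        event = "logout"
    else:
        return None  # e.g. Interim-Update (3) matches neither event regex
    user = USERNAME.search(line)
    addr = ADDRESS.search(line)
    if not user or not addr:
        return None  # event matched, but without both fields there is nothing to map
    return event, user.group(1), addr.group(1)

# Constructed sample lines; users and addresses are made up for the example.
SAMPLES = {
    "start": record("1", "CORP\\alice", "10.0.0.5"),
    "stop": record("2", "CORP\\alice", "10.0.0.5"),
    "interim": record("3", "CORP\\alice", "10.0.0.5"),
    "upn": record("1", "alice@corp.example", "10.0.0.6"),     # '@' is not in the class
    "spaced": record("1", "bob", "10.0.0.7", compact=False),  # space after ':'
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:8} {classify(line)!r}  <- {line}")
```

The captured username keeps the JSON-escaped double backslash, a UPN-style name is not extracted because `@` is outside the character class, and a serializer that puts a space after the colon defeats every pattern.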