Windows NPS + NXlog to Palo Alto User-ID

NXlog configuration file

Configure Palo Alto to accept User-ID syslog

Enable the User-ID syslog listener on the interface that will receive the NXlog messages: Device -> Setup -> Interfaces -> Management, or, if the interface uses an Interface Management profile, Network -> Network Profiles -> Interface Mgmt.

Add a syslog filter profile.

Device -> User Identification -> click the gear on the right side of "Palo Alto Networks User-ID Agent Setup" -> Syslog Filters

Connect event: add a new filter (referred to below as "NXlog-Connect")

Check "Regex Identifier"
Event Regex: ("Acct-Status-Type":"1"){1}
Username Regex: "User-Name":"([a-zA-Z0-9\\\._\-]+)"
Address Regex: "Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Disconnect event: add a second filter (referred to below as "Disconnect")

Check "Regex Identifier"
Event Regex: ("Acct-Status-Type":"2"){1}
Username Regex: "User-Name":"([a-zA-Z0-9\\\._\-]+)"
Address Regex: "Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Save and close. Go to Device -> User Identification -> section "Server Monitoring" and click Add.
Fill in a name and the network address of the NXlog server, and set the type to "Syslog Sender".
Choose "NXlog-Connect" as the login filter and "Disconnect" as the logout filter.
Set the default domain name to your domain.
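To sanity-check the three regexes before committing them on the firewall, here is an added Python example (not from the original post, and not NXlog or PAN-OS code) that replays a few constructed accounting lines in the JSON shape the filters expect and builds the resulting IP-to-user table. The filter semantics (event regex selects the line, the other two capture group 1), the default domain value "corp", the sample lines and the machine-account username format are all assumptions; the PAN-OS regex engine may differ in detail, so treat this as a model of the logic rather than a reproduction of the firewall.

```python
import re

# PAN-OS syslog filter definitions exactly as given on the page.
# The {1} quantifier on the event regex is redundant but harmless.
FILTERS = {
    "NXlog-Connect": {  # login filter: Acct-Status-Type 1 = Start (RFC 2866)
        "event":   r'("Acct-Status-Type":"1"){1}',
        "user":    r'"User-Name":"([a-zA-Z0-9\\\._\-]+)"',
        "address": r'"Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"',
    },
    "Disconnect": {     # logout filter: Acct-Status-Type 2 = Stop
        "event":   r'("Acct-Status-Type":"2"){1}',
        "user":    r'"User-Name":"([a-zA-Z0-9\\\._\-]+)"',
        "address": r'"Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"',
    },
}

DEFAULT_DOMAIN = "corp"  # assumed value for the "default domain name" setting


def match_filter(line, flt):
    """Return (user, ip) when all three regexes match the line, else None.

    Modelled behaviour: the event regex decides whether the line is of
    interest; the username and address regexes must then both capture.
    """
    if not re.search(flt["event"], line):
        return None
    user = re.search(flt["user"], line)
    addr = re.search(flt["address"], line)
    if not (user and addr):
        return None  # right event type, but nothing usable to map
    return user.group(1), addr.group(1)


def qualify(user):
    """Prepend the default domain when the NAS sent a bare username
    (modelled after the default domain setting in Server Monitoring)."""
    return user if "\\" in user else DEFAULT_DOMAIN + "\\" + user


def build_mappings(lines):
    """Replay syslog lines in order and return the IP -> user table."""
    mappings = {}
    for line in lines:
        hit = match_filter(line, FILTERS["NXlog-Connect"])
        if hit:
            user, ip = hit
            mappings[ip] = qualify(user)
            continue
        hit = match_filter(line, FILTERS["Disconnect"])
        if hit:
            _, ip = hit
            mappings.pop(ip, None)
        # Lines matching neither filter (e.g. Interim-Update = 3) are ignored.
    return mappings


# Constructed sample lines in the JSON-like shape the page's regexes expect;
# they are not real NXlog output. Line 2 carries a single backslash as the
# domain separator, which the "\\" inside the username character class accepts;
# if your producer JSON-escapes it, verify the captured name in the User-ID log.
SAMPLE_LINES = [
    '{"Acct-Status-Type":"1","User-Name":"jdoe","Framed-IP-Address":"10.10.5.21"}',
    '{"Acct-Status-Type":"1","User-Name":"CORP\\asmith","Framed-IP-Address":"10.10.5.22"}',
    '{"Acct-Status-Type":"3","User-Name":"jdoe","Framed-IP-Address":"10.10.5.21"}',
    '{"Acct-Status-Type":"1","User-Name":"host/laptop01.corp.example","Framed-IP-Address":"10.10.5.23"}',
    '{"Acct-Status-Type":"2","User-Name":"jdoe","Framed-IP-Address":"10.10.5.21"}',
]

if __name__ == "__main__":
    for ip, user in build_mappings(SAMPLE_LINES).items():
        print(ip, "->", user)
```

Two things the replay makes visible: Interim-Update records (Acct-Status-Type 3) match neither filter, so they never create or refresh a mapping, and a machine-authentication identity such as host/... contains a slash that the username character class does not allow, so that session is silently dropped rather than mapped. Both are worth keeping in mind when a user appears in NPS logs but not in the User-ID table.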

You should now see User-ID mapping events from the NXlog server in the User-ID log.
