topic Re: vSZ syslogs missing client IP address in SmartZone and Virtual SmartZone

vSZ syslogs missing client IP address

nickzourdos — Mon, 01 Apr 2019 15:00:38 GMT

We are running into an issue on our vSZ (v5.1.0.0.496) with the clientAuthorization and clientJoin syslogs. Neither of these syslogs contain the clientIP field, which is a problem for customers with security appliances that depend on these syslogs to tie usernames to wireless clients. Strangely, the clientDisconnect syslog does include the clientIP field.

Is there a way to enable this feature? ZoneDirector syslogs include a field for "sta_ip", which is what we've been using in the past (see THIS thread for context on ZD syslogs in this scenario). The vSZ syslogs are in a completely different format, which is fine, but they are missing this critical information. Here is my vSZ configuration for reference:

Re: vSZ syslogs missing client IP address

pasquale_monard — Mon, 01 Apr 2019 15:13:30 GMT

Hi Nick,

The alarms and events guide posted on the support site for SmartZone mentions the following for ClientAuth and ClientJoin -> "clientIP" .So it should be there.

Severity must be informational but I believer yours is set to emergency.

Re: vSZ syslogs missing client IP address

nickzourdos — Mon, 01 Apr 2019 15:36:53 GMT

We are receiving the clientJoin syslogs with the current configuration, aren't those sent as part of the "Event Facility" and "Event Filter" settings? I intentionally set the "Application", "Administrator", and "Other" settings to the highest level in order to avoid overrunning our syslog server. Does one of these need to be set to Info in order for the clientIP field to appear?

Re: vSZ syslogs missing client IP address

nickzourdos — Fri, 12 Apr 2019 16:01:09 GMT

Word of warning to anyone else who is looking for this feature: It is not supported in SmartZone (as of v5.1.0) if you are using 802.1x authentication. Client IP addresses are only included in the clientJoin and clientAuthorization syslogs if you use Open or Web Portal authentication. If you are currently relying on these logs from your ZoneDirector to be exported to your Palo/Meraki/etc. appliances, you will be disappointed if you move to SmartZone. There is an open feature request for this issue (FR-3031). This will NEED to be addressed before the ZoneDirector platform is retired.

The underlying problem is that SmartZone sends the clientJoin (after the client is client associated) and clientAuthorized (after the client is authenticated) syslogs, but does not send any syslogs after the client receives an IP address and “officially joins” the controller. Since there is no IP for a client during the association/authorization process, it makes sense that these syslogs are missing that information. The difference with ZoneDirector is that it doesn’t send these detailed syslogs, but instead sends a single “Operational Add” log that summarizes when a client is added to the controller’s client database, which happens after the client obtains an IP. This seems like a large feature gap that needs to be addressed.

The SmartZone Alarm and Event Reference Guide is misleading at best, since it indicates that the clientIP attribute should be included in the clientJoin and clientAuthorization syslogs (page 225 and 227). It does not specify that this is only achievable using Open/Web Portal authentication.

Re: vSZ syslogs missing client IP address

stephen_hall_60 — Fri, 12 Apr 2019 19:20:42 GMT

Thanks for this info nick, that is good to know/be aware of before hand. And i agree this is almost a requirement to be added.

I think alot more work needs to be done to vsz syslog data/output - (and standalone syslogs for that matter). most in the know, use remote syslogs, so the data needs to be detailed and complete (and often can be behind a nat / masq rule, so dont count on src IP IDing the source). this, and / or ruk needs to allow the customer more syslog options or flexibility. as an extreme/awesome case, on our axis ip cameras, axis allows advanced customers direct access to the rsyslog.conf file, so the sky is the limit! They ofcourse dont suggest you edit this, and if you do, they will not support anything related to syslog after edits. but the option is there.)
tks

Re: vSZ syslogs missing client IP address

jeff_baublitz_7 — Thu, 08 Aug 2019 22:35:04 GMT

We too need this badly.. Hope Ruckus has an update soon...

Re: vSZ syslogs missing client IP address

nickzourdos — Fri, 09 Aug 2019 13:13:58 GMT

This feature is now available as an AP patch, and it should be included in the next major release of SmartZone. You may want to ask support if they can get you the patch, you can reference my case# 00914107.

Re: vSZ syslogs missing client IP address

jeff_baublitz_7 — Tue, 20 Aug 2019 15:40:50 GMT

Thank you, asking right now. I'll update when I hear back.

Re: vSZ syslogs missing client IP address

jeff_baublitz_7 — Tue, 03 Sep 2019 20:37:54 GMT

Support confirms this will be addressed in 5.1.2.X. I'll be updating in a month when this is available. Thanks again!

Re: vSZ syslogs missing client IP address

thomas_kranzler — Thu, 19 Sep 2019 04:10:42 GMT

Would you mind sharing your regex expressions? i can't seem to get mine to map correctly.

Re: vSZ syslogs missing client IP address

andrew_giancol1 — Thu, 19 Sep 2019 04:25:47 GMT

Yeah, but the impact to one camera isn't the same as a controller which may be hosting 10's of thousands of APs. Mess with a single Axis, and you lose perhaps a single camera as Axis give all customers access to nearly all CONF files on the unit.
In our org, we use both Axis cameras (several hundred units) and Ruckus (several thousand units.), and I've got my issues with Axis. P1428's and their penchant for rebooting constantly, image ghosting looks which give my surveillance videos a somewhat RETRO FUTURE type vibe. I've got a few Q3708's and Axis has NEVER been able to fix my issue with camera 1 going black and white suddenly.
As for logs, does change the log you need to Debug help? it's helped us.
Sorry for the rant, I'm up late dealing with an AXIS camera issue as we speak!

Re: vSZ syslogs missing client IP address

thomas_kranzler — Thu, 19 Sep 2019 04:28:07 GMT

Would you mind sharing your regex expressions? i can't seem to get mine to map correctly.

Re: vSZ syslogs missing client IP address

andrew_giancol1 — Thu, 19 Sep 2019 04:43:00 GMT

/[^\d.]60:f8:1d:c2:53:6e/
This is the mac address of my mac book pro. Hope the syntax helps you!

Re: vSZ syslogs missing client IP address

thomas_kranzler — Thu, 19 Sep 2019 04:50:27 GMT

A little.

here's an exert from the vscg syslogs:

2019-09-18 21:32:10 Local0.Info 10.250.10.230 Sep 19 04:32:10 RuckusController1 Core: User[bob] disconnects from WLAN[STAFF] at AP[WAP1] with session data(Client Mac[someMac],Client IP[10.250.24.11],OS Type[iOS],Host Name[pickles],BSSID[some BSSID],User Name[bob],VLAN[24],Encryption[WPA2-AES],Association Time[01 01 00:00:00 1970],Disconnect Reason[client Disconnect],Session Duration[75s],Bytes to User[6679],Bytes from User [21624],RSSI[35],SNR[-70],Client Radio[a/n/ac],AP Location[],AP GPS[])

Here are the PAN settings I'm using:

Event Regex disconnects

Username Regex User\ Name([[a-zA-Z0-9\\\._]+])

Address Regex Client\ IP([[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])

looks good in https://regex101.com/ , but the PAN doesn't seem to parse the logs

Re: vSZ syslogs missing client IP address

andrew_giancol1 — Thu, 19 Sep 2019 06:45:36 GMT

Ahh. so you're not getting the Drop codes 75 seconds from "I'm on the wifi! to "I'm leaving the wifi" is suspect. . Anything fresh from the AP logs directly? Have you grabbed Wireshark Pcaps from the ap? I know your issue is with Syslogs and their lack of verbosity, but I feel like there are some ways around this. Pcap is a great way to find this. Post your Pcap, (Filtering for your mac address of course!) and I'm SURE one of us can figure out the connection issue!
Also, PAN settings? Are you logging to Panorama?

Re: vSZ syslogs missing client IP address

andrew_giancol1 — Thu, 19 Sep 2019 06:46:58 GMT

Also, if you happen to be using a OSX box, the program named CONSOLE can be your friend. as you don't need REGEX to find / filter through AP logs.

Re: vSZ syslogs missing client IP address

ict_corpus_chri — Fri, 10 Jan 2020 02:52:42 GMT

I have been in contact with Ruckus who have now fixed the syslog bug so it works correctly!

The Palo Alto regex I am using is the following,
Device > User Identification > Palo Alto Networks User-ID Agent Setup(the tiny cog on the top right) > Syslog Filters
Type: Regex Identifier
Event Regex: (?=.*clientInfoUpdate)(.*"ssid"="YourWirelessSSID")(.*"clientIP"=")
Username Regex: "userName"="([a-zA-Z0-9.\-\_\\]+)
Address Regex: "clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)

You can also remove the requirements for a specific SSID you can use the following,
Event Regex: (?=.*clientInfoUpdate)(.*"clientIP"=")

Dont forget to turn on "Allow matching usernames without domains" for the Palo Alto to allow it to digest logins without the domain if you use RADIUS for auth.
on the Palo Alto you turn on the following,
Device > User Identification > Palo Alto Networks User-ID Agent Setup(the tiny cog on the top right) > Cache > Allow matching usernames without domains(tick box)

Server Monitor also needs to be setup,
Add the Device > User Identification > Server Monitor
Type: Syslog Sender
Network Address: IP of the SmartZone controller
Connection: UDP
Add the Ruckus Regex under "Syslog Parse Profile"

The SmartZone Controller has the following settings,
System > General Settings > Syslog
Enable Syslog
Primary Syslog: Palo Alto Management interface IP(the default for user auth)
Port: 514
Protocol: UDP

Event Filter: All Events above a severity
Event Filter Severity: Informational