vSZ syslogs missing client IP address

nickzourdos
Contributor
We are running into an issue on our vSZ (v5.1.0.0.496) with the clientAuthorization and clientJoin syslogs. Neither of these syslogs contain the clientIP field, which is a problem for customers with security appliances that depend on these syslogs to tie usernames to wireless clients. Strangely, the clientDisconnect syslog does include the clientIP field. 

Is there a way to enable this feature? ZoneDirector syslogs include a field for "sta_ip", which is what we've been using in the past (see THIS thread for context on ZD syslogs in this scenario). The vSZ syslogs are in a completely different format, which is fine, but they are missing this critical information. Here is my vSZ configuration for reference:


thomas_kranzler
New Contributor
Would you mind sharing your regex expressions? I can't seem to get mine to map correctly.

ict_corpus_chri
New Contributor II
I have been in contact with Ruckus who have now fixed the syslog bug so it works correctly!

The Palo Alto regex I am using is the following,
Device > User Identification > Palo Alto Networks User-ID Agent Setup(the tiny cog on the top right) > Syslog Filters
Type: Regex Identifier
Event Regex: (?=.*clientInfoUpdate)(.*"ssid"="YourWirelessSSID")(.*"clientIP"=")
Username Regex: "userName"="([a-zA-Z0-9.\-\_\\]+)
Address Regex: "clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)

You can also remove the requirement for a specific SSID by using the following,
Event Regex: (?=.*clientInfoUpdate)(.*"clientIP"=")

Don't forget to turn on "Allow matching usernames without domains" for the Palo Alto to allow it to digest logins without the domain if you use RADIUS for auth.
On the Palo Alto you turn on the following,
Device > User Identification > Palo Alto Networks User-ID Agent Setup(the tiny cog on the top right) > Cache > Allow matching usernames without domains(tick box)

Server Monitor also needs to be setup,
Add the Device > User Identification > Server Monitor
Type: Syslog Sender
Network Address: IP of the SmartZone controller
Connection: UDP
Add the Ruckus Regex under "Syslog Parse Profile"
The SmartZone Controller has the following settings,
System > General Settings > Syslog
Enable Syslog
Primary Syslog: Palo Alto Management interface IP(the default for user auth)
Port: 514
Protocol: UDP

Event Filter: All Events above a severity
Event Filter Severity: Informational
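As an added illustration (not code from this thread, Ruckus or Palo Alto), the Python below applies the three regexes from the filter above to a few constructed vSZ-style messages and shows which ones yield a user-to-IP mapping, including a clientJoin message without clientIP and a malformed address. The key="value" message layout is an assumption based on the fields quoted in the thread, and strip_domain is a hypothetical model of the "Allow matching usernames without domains" option.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

SSID = "YourWirelessSSID"  # placeholder from the post; substitute the real SSID

# The three expressions from the Palo Alto syslog filter above, used verbatim
# (the SSID is spliced in so the same filter can be reused for another network).
EVENT_RE = re.compile(r'(?=.*clientInfoUpdate)(.*"ssid"="' + re.escape(SSID) + r'")(.*"clientIP"=")')
USER_RE = re.compile(r'"userName"="([a-zA-Z0-9.\-\_\\]+)')
ADDR_RE = re.compile(r'"clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}'
                     r'(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)')

# Constructed sample messages: the key="value" layout mirrors the fields quoted in
# the thread, but the exact vSZ wire format is an assumption, not captured output.
SAMPLE_LOGS = [
    # clientJoin carries no clientIP (the bug the thread is about), so it yields no mapping
    '<14>Apr 1 12:00:01 vsz-1 "eventType"="clientJoin" "userName"="jdoe" "ssid"="YourWirelessSSID" "clientMac"="00:11:22:33:44:55"',
    # clientInfoUpdate carries the IP; the RADIUS username arrives with a domain prefix
    '<14>Apr 1 12:00:02 vsz-1 "eventType"="clientInfoUpdate" "userName"="CORP\\jdoe" "ssid"="YourWirelessSSID" "clientIP"="10.20.30.40"',
    # a different SSID is excluded by the event regex
    '<14>Apr 1 12:00:03 vsz-1 "eventType"="clientInfoUpdate" "userName"="guest1" "ssid"="Guest" "clientIP"="10.20.40.5"',
    # a malformed address fails the dotted-quad regex, so no mapping is created
    '<14>Apr 1 12:00:04 vsz-1 "eventType"="clientInfoUpdate" "userName"="bob" "ssid"="YourWirelessSSID" "clientIP"="999.1.1.1"',
]

def parse_mapping(line: str) -> Optional[Tuple[str, str]]:
    """Return (username, ip) when the message passes the event filter and both
    extraction regexes match, as the User-ID agent would; otherwise None."""
    if not EVENT_RE.search(line):
        return None
    user, addr = USER_RE.search(line), ADDR_RE.search(line)
    if not (user and addr):
        return None
    return user.group(1), addr.group(1)

def strip_domain(username: str) -> str:
    """Hypothetical model of 'Allow matching usernames without domains': drop a DOMAIN\\ prefix."""
    return username.rsplit("\\", 1)[-1]

def collect_mappings(lines: Iterable[str]) -> Dict[str, str]:
    """Build the IP -> user table; a later message for the same IP replaces the earlier one."""
    table: Dict[str, str] = {}
    for line in lines:
        parsed = parse_mapping(line)
        if parsed:
            user, ip = parsed
            table[ip] = strip_domain(user)
    return table

if __name__ == "__main__":
    print(collect_mappings(SAMPLE_LOGS))  # {'10.20.30.40': 'jdoe'}
```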