Identity Collector - Working with Syslog Messages

Identity CollectorClosed Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from sk134312. can receive and process Syslog messages that contain identity information.

Identity Collector can use these syslog messages as an additional identity source for the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway.

Important - Make sure your network and the Windows Server Firewall allow the incoming Syslog traffic on the Identity Collector computer. By default, Syslog traffic uses UDP port 514.

To configure the Identity Collector to work with Syslog messages:

  1. Create a new Syslog Parser.

    1. Open the Identity Collector application.

    2. From the top toolbar, click Syslog Parsers.

    3. Click New Parser.

    4. Enter the Syslog Parser information.

      • Object Name - Enter the Syslog Parser name to show in the Identity Collector.

      • (Optional) Enter your comment.

      • Message Subject - The beginning of a log of the event.

        Select Regex option, if the Message Subject is a regular expression.

      • Event Type - Select Login, or Logout.

      • Delimiter - A character that separates all the fields.

      • Username Prefix - The prefix of a username attribute. It is a sequence of characters, which precedes the username value.

      • Username - The username attribute. Must be written inside parentheses.

      • Machine Prefix - The prefix of a machine name attribute. It is a sequence of characters, which precedes the machine name value.

      • Machine - The machine name attribute. Must be written inside parentheses.

      • Address Prefix - The prefix of an address attribute. It is a sequence of characters, which precedes the address value.

      • Address - The address attribute. Must be written inside parentheses.

      • Domain Prefix - The prefix of a domain name attribute. It is a sequence of characters, which precedes the domain name value.

      • Domain - The domain name attribute. Must be written inside parentheses.

      • Is Domain Mandatory - Select this option to discard messages without the domain attribute.

      • Test Message - Enter a test syslog message and click the ? icon to confirm that your parser works correctly.

      Important - Enter only the value of the attribute inside parentheses.

    5. Click OK.

    Syslog parser uses regular expressions with ECMAScript syntax.

    To get an attribute, syslog parser uses this regular expression:

    /<Message Subject>.*<Attribute Prefix><Attribute>[\\n|<Delimiter>].*$/.

    Any unnecessary attributes should be empty. You must use at least one of these pairs:

    • Address and Username

    • Address and Machine

    Example syslog message:

    LOCAL7.INFO: May 30 2017 11:15:45: %ASA-6-113004: AAA user accounting Successful : server = 192.168.1.1 : user = johndoe\n

    The Syslog Parser for this message can look like this:

    • Message subject: (AAA user accounting Successful)

    • Regex: True

    • Event Type: Login

    • Delimiter: \s:

    • Username Prefix: user\s=

    • Username: \s(\w+)

    • Address Prefix: server\s=

    • Address: \s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

  2. Add a Syslog Server as an Identity Source.

    1. Open the Identity Collector application.

    2. From the left navigation toolbar, click Identity Sources.

    3. From the top toolbar, click New Source > Syslog.

    4. Enter the Syslog Server information.

      • Syslog Server Name - Enter the Syslog Server name to show in the Identity Collector.

      • Optional: Enter your comment.

      • IP Address - Enter the IPv4 address of the Syslog Server.

      • Port - Enter the applicable port on the Syslog Server.

      • Site - Enter the Site name of the Syslog Server.

      • Parser - Select a current Syslog parser, or create a new one.

  3. In the Identity Collector, add a new Query Pool, or edit a current Query Pool.

    See Identity Collector - Query Pools.

  4. In the Identity Collector, add a new Filter for the login events, or edit a current Filter.

    See Identity Collector - Filters for Login Events.

  5. Connect the Identity Collector to the Check Point Identity ServerClosed Check Point Security Gateway with enabled Identity Awareness Software Blade. (Identity Awareness Gateway).

    See Identity Collector - Connecting to an Identity Awareness Gateway.

Note - If you imported a previously exported configuration, the Identity Collector's GUI may not show the Syslog Parsers immediately. In this case, close and reopen the Identity Collector.