35 Messages

 • 

608 Points

Mon, Apr 1, 2019 3:00 PM

Answered

vSZ syslogs missing client IP address

We are running into an issue on our vSZ (v5.1.0.0.496) with the clientAuthorization and clientJoin syslogs. Neither of these syslogs contains the clientIP field, which is a problem for customers with security appliances that depend on these syslogs to tie usernames to wireless clients. Strangely, the clientDisconnect syslog does include the clientIP field.

Is there a way to enable this feature? ZoneDirector syslogs include a field for "sta_ip", which is what we've been using in the past (see THIS thread for context on ZD syslogs in this scenario). The vSZ syslogs are in a completely different format, which is fine, but they are missing this critical information. Here is my vSZ configuration for reference:


Responses

36 Messages

 • 

868 Points

2 years ago

Hi Nick,

The alarms and events guide posted on the support site for SmartZone mentions the following for ClientAuth and ClientJoin -> "clientIP". So it should be there.

Severity must be informational but I believe yours is set to emergency.

35 Messages

 • 

608 Points

We are receiving the clientJoin syslogs with the current configuration, aren't those sent as part of the "Event Facility" and "Event Filter" settings? I intentionally set the "Application", "Administrator", and "Other" settings to the highest level in order to avoid overrunning our syslog server. Does one of these need to be set to Info in order for the clientIP field to appear? 

35 Messages

 • 

608 Points

2 years ago

Word of warning to anyone else who is looking for this feature: It is not supported in SmartZone (as of v5.1.0) if you are using 802.1x authentication. Client IP addresses are only included in the clientJoin and clientAuthorization syslogs if you use Open or Web Portal authentication. If you are currently relying on these logs from your ZoneDirector to be exported to your Palo/Meraki/etc. appliances, you will be disappointed if you move to SmartZone. There is an open feature request for this issue (FR-3031). This will NEED to be addressed before the ZoneDirector platform is retired. 

The underlying problem is that SmartZone sends the clientJoin (after the client is associated) and clientAuthorized (after the client is authenticated) syslogs, but does not send any syslogs after the client receives an IP address and “officially joins” the controller. Since there is no IP for a client during the association/authorization process, it makes sense that these syslogs are missing that information. The difference with ZoneDirector is that it doesn’t send these detailed syslogs, but instead sends a single “Operational Add” log that summarizes when a client is added to the controller’s client database, which happens after the client obtains an IP. This seems like a large feature gap that needs to be addressed.

The SmartZone Alarm and Event Reference Guide is misleading at best, since it indicates that the clientIP attribute should be included in the clientJoin and clientAuthorization syslogs (page 225 and 227). It does not specify that this is only achievable using Open/Web Portal authentication.

43 Messages

 • 

684 Points

2 years ago

Thanks for this info Nick, that is good to know/be aware of beforehand. And I agree this is almost a requirement to be added.

I think a lot more work needs to be done to vSZ syslog data/output (and standalone syslogs for that matter). Most in the know use remote syslogs, so the data needs to be detailed and complete (and often can be behind a NAT/masq rule, so don't count on the src IP IDing the source). This, and/or ruk needs to allow the customer more syslog options or flexibility. As an extreme/awesome case, on our Axis IP cameras, Axis allows advanced customers direct access to the rsyslog.conf file, so the sky is the limit! (They of course don't suggest you edit this, and if you do, they will not support anything related to syslog after edits. But the option is there.)
tks

232 Messages

 • 

4K Points

Yeah, but the impact to one camera isn't the same as a controller which may be hosting 10's of thousands of APs. Mess with a single Axis, and you lose perhaps a single camera as Axis give all customers access to nearly all CONF files on the unit.
In our org, we use both Axis cameras (several hundred units) and Ruckus (several thousand units.), and  I've got my issues with Axis. P1428's and their penchant for rebooting constantly, image ghosting looks which give my surveillance videos a somewhat RETRO FUTURE type vibe.  I've got a few Q3708's and Axis has NEVER been able to fix my issue with camera 1 going black and white suddenly.
As for logs, does changing the log you need to Debug help? It's helped us.
Sorry for the rant, I'm up late dealing with an AXIS camera issue as we speak!

5 Messages

 • 

164 Points

a year ago

We too need this badly.. Hope Ruckus has an update soon...

35 Messages

 • 

608 Points

This feature is now available as an AP patch, and it should be included in the next major release of SmartZone. You may want to ask support if they can get you the patch, you can reference my case# 00914107. 

5 Messages

 • 

164 Points

Thank you, asking right now. I'll update when I hear back. 

5 Messages

 • 

164 Points

Support confirms this will be addressed in 5.1.2.X. I'll be updating in a month when this is available. Thanks again!

3 Messages

 • 

70 Points

Would you mind sharing your regex expressions? I can't seem to get mine to map correctly.

232 Messages

 • 

4K Points

/[^\d.]60:f8:1d:c2:53:6e/
This is the MAC address of my MacBook Pro. Hope the syntax helps you!

3 Messages

 • 

120 Points

a year ago

I have been in contact with Ruckus who have now fixed the syslog bug so it works correctly!

The Palo Alto regex I am using is the following,
Device > User Identification > Palo Alto Networks User-ID Agent Setup(the tiny cog on the top right) > Syslog Filters
Type: Regex Identifier
Event Regex: (?=.*clientInfoUpdate)(.*"ssid"="YourWirelessSSID")(.*"clientIP"=")
Username Regex: "userName"="([a-zA-Z0-9.\-\_\\]+)
Address Regex: "clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)

To remove the requirement for a specific SSID, you can use the following,
Event Regex: (?=.*clientInfoUpdate)(.*"clientIP"=")

Don't forget to turn on "Allow matching usernames without domains" for the Palo Alto to allow it to digest logins without the domain if you use RADIUS for auth.
On the Palo Alto you turn on the following,
Device > User Identification > Palo Alto Networks User-ID Agent Setup(the tiny cog on the top right) > Cache > Allow matching usernames without domains(tick box)

Server Monitor also needs to be set up,
Add the Device > User Identification > Server Monitor
Type: Syslog Sender
Network Address: IP of the SmartZone controller
Connection: UDP
Add the Ruckus Regex under "Syslog Parse Profile"


The SmartZone Controller has the following settings,
System > General Settings > Syslog
Enable Syslog
Primary Syslog: Palo Alto Management interface IP(the default for user auth)
Port: 514
Protocol: UDP

Event Filter: All Events above a severity
Event Filter Severity: Informational
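
Added example, not part of the original post or Ruckus/Palo Alto code: the three filters from the post above run over constructed syslog lines, to show which lines produce a username-to-IP mapping and which silently produce none or a truncated name. The sample lines, the `map_user` helper and the use of search (match-anywhere) semantics are assumptions; only the `"key"="value"` field shape is taken from the regexes.

```python
import re

# Filters copied verbatim from the post above.
EVENT_RE = re.compile(r'(?=.*clientInfoUpdate)(.*"clientIP"=")')
EVENT_SSID_RE = re.compile(
    r'(?=.*clientInfoUpdate)(.*"ssid"="YourWirelessSSID")(.*"clientIP"=")')
USER_RE = re.compile(r'"userName"="([a-zA-Z0-9.\-\_\\]+)')
ADDR_RE = re.compile(
    r'"clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}'
    r'(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)')

# Constructed sample lines (header, field order and values are assumptions).
SAMPLES = {
    # 802.1X join event as described in the thread: no clientIP field.
    "join_no_ip": 'vsz clientJoin,"userName"="alice","ssid"="YourWirelessSSID"',
    "update": 'vsz clientInfoUpdate,"userName"="alice",'
              '"ssid"="YourWirelessSSID","clientIP"="192.0.2.10"',
    # DOMAIN\user form: the backslash is inside the username character class.
    "domain_user": r'vsz clientInfoUpdate,"userName"="CORP\bob",'
                   r'"ssid"="YourWirelessSSID","clientIP"="192.0.2.11"',
    # user@realm form: '@' is not in the class, so the capture stops early.
    "upn_user": 'vsz clientInfoUpdate,"userName"="carol@example.com",'
                '"ssid"="YourWirelessSSID","clientIP"="192.0.2.12"',
    # clientIP ahead of ssid: the SSID-scoped event regex is order-sensitive.
    "ip_before_ssid": 'vsz clientInfoUpdate,"userName"="dave",'
                      '"clientIP"="192.0.2.13","ssid"="YourWirelessSSID"',
}

def map_user(line, event_re=EVENT_RE):
    """Return (username, ip) if the filters would yield a mapping, else None.

    Hypothetical helper; assumes the appliance applies each regex as a
    search over the whole line and takes capture group 1.
    """
    if not event_re.search(line):
        return None
    user, addr = USER_RE.search(line), ADDR_RE.search(line)
    if not (user and addr):
        return None
    return user.group(1), addr.group(1)

def run(event_re=EVENT_RE):
    """Apply the filters to every constructed sample line."""
    return {name: map_user(line, event_re) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for label, regex in (("any SSID", EVENT_RE), ("SSID-scoped", EVENT_SSID_RE)):
        for name, result in run(regex).items():
            print(f"{label:12} {name:15} -> {result}")
```

Running the same check against a few lines captured from your own controller before enabling the filter shows whether realm-qualified usernames or field ordering will leave gaps in the User-ID table.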