To This:<\/p>\n
This works from 8.0.0 and up.<\/p>\n My setup:<\/p>\n All serviceroutes setup to use Ethernet1\/2, 192.168.18.1 (since I don\u2019t use the dedicated managementport. User Identification ACL has to be enabled for the Zone you want to monitor:<\/p>\n <\/p>\n <\/p>\n Step 1:<\/p>\n Under Device, Server Profiles, and Syslog. Create a syslog profile that forward logs UDP port 514 to your own devices interface ip.<\/p>\n Step 2: Then, go to Logsettings And create a new Log Setting-System, add (eventid eq lease-start) in filter, and the syslogprofile you created in step 1.<\/p>\n Step 3:<\/p>\n Create a syslogfilter. Go to User Identification, Usermapping, then Palo Alto Networks User-ID Agent Setup, then Syslogfilter, ADD, name it something like PA-DHCP, use Regex Identifiser,<\/p>\n Event Regex: DHCP\\ lease\\ started<\/p>\n Username Regex: hostname ([a-zA-Z0-9\\_\\[\\]\\-]+)<\/p>\n Address Regex: ip ([A-F0-9a-f:.]+)<\/p>\n <\/p>\n Step 4:<\/p>\n Under User Identification, and new Server Monitoring (User Identification Monitored Server), Enabled, Type Syslog Sender, and ip of sender (in my case 192.168.18.1, because of service routes), Connection Type: UDP , and the Syslog Filter you created in step 3<\/p>\n Step 5:<\/p>\n Allow the Interface to be used as User ID syslog listener-UDP. Go to Network, then Network Profiles, and Interface Mgmt. Create a interface Management profile, and allow User-ID Syslog Listener-UDP.<\/p>\n Attach this profile to the interface (in my case the Ethernet1\/2 \u00a0192.168.18.1)<\/p>\n![\"\"](\"http:\/\/wp.12p.no\/wp-content\/uploads\/2017\/05\/tothis.png\")
<\/a><\/p>\nEthernet1\/1 -> x.x.x.x\u00a0\u00a0\u00a0 Untrust<\/em>\n\nEthernet1\/2 -> 192.168.18.1 INSIDE (DHCP Server)<\/em>\n\nEthernet1\/3 -> 10.198.100.1 Guest (DHCP Server)<\/em><\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n