Collect Pulse Secure logs

This document describes how you can collect Pulse Secure logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the PULSE_SECURE_VPN ingestion label.

Configure the Pulse Secure VPN

To configure the Pulse Secure VPN, do one of the following:

  • Configure the Pulse Secure VPN version 8.3R3 and earlier
  • Configure the Pulse Secure VPN version 8.3R4 and later

Configure the Pulse Secure VPN version 8.3R3 and earlier

  1. Sign in to the Pulse Connect Secure console.
  2. In the Pulse Connect Secure console, select System > Log/monitoring > Settings. You can select Settings from the Events tab, the User access tab, or the Admin access tab.
  3. In the Select events to log section, select all the checkboxes that correspond to events.
  4. In the Syslog servers section, do the following:
    1. In the Server name/IP field, specify the Google Security Operations forwarder IP address.
    2. In the Facility list, select LOCAL0. The Facility list provides eight facilities: LOCAL0 through LOCAL7. You can use one of these settings to map facilities on your syslog server.
    3. In the Type list, select UDP or TCP.
  5. Click Add.
  6. Optional: To add multiple syslog servers for events, admin access, or user access logs, repeat steps 2 to 4.
  7. Click Save changes.
  8. To ensure that the standard log format is set as default, do the following:
    1. Open the Pulse Connect Secure console.
    2. In the Events tab, the User access tab, and the Admin access tab, set Filters to Standard.
    3. If the standard filter is not defined as the default filter, click Make default.
    4. Click Save.

Configure the Pulse Secure VPN version 8.3R4 and later

  1. In the Pulse Connect Secure console, click the Events tab, the User access tab, or the Admin access tab, and then set Filters to New filter.
  2. In the Filter name field, enter a name for the filter.
  3. In the Export format section, select Custom and enter the following format in the field:

    [SecureConnect] %date% %time% - %node% - [%sourceip%] %user%(%realm%)[%role%] - %msg%

  4. Click Save.

  5. To enable syslog logging, do one of the following, depending on your device version:

    • Enable syslog logging on Pulse Secure VPN
    • Enable syslog logging on Ivanti Connect Secure

Enable syslog logging on Pulse Secure VPN

  1. In the Pulse Connect Secure console, select System > Log/monitoring > Settings. You can select Settings from the Events tab, the User access tab, or the Admin access tab.
  2. In the Select events to log section, select all the checkboxes except the HTML5 access, Admission control messages, and Unauthenticated requests checkboxes.
  3. In the Syslog server field, enter information about the syslog servers.
  4. In the Syslog servers section, do the following:
    1. In the Server name/IP field, enter the server name or Google Security Operations forwarder IP address.
    2. In the Facility list, select LOCAL0.
    3. In the Filter list, select the filter that you created earlier.
  5. Click Add.
  6. Optional: To add multiple syslog servers for events, administrator access, or user access logs, repeat steps 2 to 4.
  7. Click Save changes.

Enable syslog logging on Ivanti Connect Secure

  1. In the Pulse Connect Secure console, click the Events tab, the User access tab, or the Admin access tab, and then select Filters.
  2. Click New filter tab.
  3. In the Export format section, select Custom and enter the following format in the field:

    [SecureConnect] %date% %time% - %node% - [%sourceip%] %user%(%realm%)[%role%] - %msg%

  4. Click Save.

  5. Click System > Log/monitoring, and then select the Settings tab.

  6. In the Maximum log size field, specify the maximum log size and select the events to be logged.

  7. Specify the server configuration as follows:

    1. In the Server name/IP field, specify the fully qualified domain name or Google Security Operations forwarder IP address for the syslog server.

      If you select Transport Layer Security (TLS) from the type list, the server name must match the CN in the subjectDN in the certificate obtained from the server.

    2. In the Facility list, select a syslog server facility level.

    3. In the Type list, select the connection type to the syslog server: UDP, TCP, or TLS. TLS uses cryptographic protocols to provide secure communication.

      If you select TLS, select the installed client certificate to use to authenticate the syslog server. Client certificates are defined in the Configuration > Certificates > Client auth certificates window. Client certificates must be installed on the device before they can be used. Contact your certificate authority for the certificate.

    4. In the Filter list, select Custom.

  8. Click Add.

Configure the Google Security Operations forwarder to ingest Pulse Secure logs

  1. Select SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder name field, enter a unique name for the forwarder.
  4. Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a unique name for the collector.
  6. Select Pulse Secure as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the connection protocol that the collector uses to listen to syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
    • Port: specify the target port where the collector resides and listens to syslog data.
  9. Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from Pulse Secure VPN logs, handling both Windows Event Logs and syslog formats. It normalizes diverse log structures into a common format, categorizing events like logins, logouts, connections, and policy changes, enriching them with contextual data like user agents, IP addresses, and timestamps.

UDM mapping table

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| action | security_result.action_details | Directly mapped from the action field. |
| application | principal.application | Directly mapped from the application field. |
| bytes_read | network.received_bytes | Directly mapped from the bytes_read field and converted to unsigned integer. |
| bytes_written | network.sent_bytes | Directly mapped from the bytes_written field and converted to unsigned integer. |
| client_host | principal.hostname, principal.asset.hostname | Directly mapped from the client_host field. |
| cmd | principal.process.command_line | Directly mapped from the cmd field. |
| connection_status | security_result.detection_fields.value.string_value | Directly mapped from the connection_status field. |
| data_time | metadata.event_timestamp.seconds | Parsed from the data_time field using various timestamp formats (MM-dd-yyyy HH:mm:ss Z, RFC 3339, ISO8601, MMM d HH:mm:ss, MMM d HH:mm:ss). |
| devname | principal.hostname, principal.asset.hostname | Directly mapped from the devname field. |
| dstip | target.ip, target.asset.ip | Directly mapped from the dstip field. |
| dstport | target.port | Directly mapped from the dstport field and converted to integer. |
| dstcountry | target.location.country_or_region | Directly mapped from the dstcountry field if it's not "Reserved" or empty. |
| duration | network.session_duration.seconds | Directly mapped from the duration field and converted to integer. |
| dvc | intermediary.hostname or intermediary.ip | If the dvc field can be converted to an IP address, it's mapped to intermediary.ip. Otherwise, it's mapped to intermediary.hostname. |
| dvc_hostname | intermediary.hostname, principal.hostname, principal.asset.hostname or intermediary.ip, principal.ip, principal.asset.ip | If the dvc_hostname field can be converted to an IP address, it's mapped to the respective IP fields. Otherwise, it's mapped to the respective hostname fields. |
| event_type | metadata.product_event_type | Directly mapped from the event_type field. |
| failure_reason | security_result.description | Directly mapped from the failure_reason field. If the message contains "because host", the text "host" is prepended to the failure reason. |
| has_principal | event.idm.read_only_udm.principal (presence) | Set to "true" if any principal fields are populated, "false" otherwise. Derived by parser logic. |
| has_target | event.idm.read_only_udm.target (presence) | Set to "true" if any target fields are populated, "false" otherwise. Derived by parser logic. |
| has_target_user | event.idm.read_only_udm.target.user.userid (presence) | Set to "true" if target.user.userid is populated, "false" otherwise. Derived by parser logic. |
| host_ip | principal.ip, principal.asset.ip | Directly mapped from the host_ip field. |
| host_mac | principal.mac | Directly mapped from the host_mac field, replacing hyphens with colons. |
| http_method | network.http.method | Directly mapped from the http_method field. |
| http_response | network.http.response_code | Directly mapped from the http_response field and converted to integer. |
| info_desc | about.labels.value | Directly mapped from the info_desc field. |
| ip_new | target.ip, target.asset.ip | Directly mapped from the ip_new field. |
| level | security_result.severity, security_result.severity_details | The security_result.severity is derived from the level field ("error"/"warning" -> HIGH, "notice" -> MEDIUM, "information"/"info" -> LOW). The raw value of level is also mapped to security_result.severity_details. |
| logid | metadata.product_log_id | Directly mapped from the logid field. |
| locip | principal.ip, principal.asset.ip | Directly mapped from the locip field. |
| message | metadata.description | Used to extract various fields using grok and kv filters. If the message contains "EventID", it's processed as a Windows event log. |
| message_info | metadata.description | Directly mapped to metadata.description if not otherwise used in more specific grok patterns. |
| msg | metadata.product_event_type, metadata.description | If the msg field is present, the product type is extracted and mapped to metadata.product_event_type, and the remaining message is mapped to metadata.description. |
| msg_hostname | principal.hostname, principal.asset.hostname | Directly mapped from the msg_hostname field. |
| msg_ip | principal.ip, principal.asset.ip | Directly mapped from the msg_ip field. |
| msg_user_agent | network.http.user_agent, network.http.parsed_user_agent, metadata.product_version | The user agent string is mapped to network.http.user_agent, the parsed user agent is mapped to network.http.parsed_user_agent, and the product version (if present) is mapped to metadata.product_version. |
| network_duration | network.session_duration.seconds | Directly mapped from the network_duration field and converted to integer. |
| policyid | security_result.rule_id | Directly mapped from the policyid field. |
| policyname | security_result.rule_name | Directly mapped from the policyname field. |
| policytype | security_result.rule_type | Directly mapped from the policytype field. |
| priority_code | about.labels.value | Directly mapped from the priority_code field and also used to derive about.labels.value for the "Severity" key (see Logic). |
| prod_name | metadata.product_name | Directly mapped from the prod_name field. |
| product_type | metadata.product_event_type | Directly mapped from the product_type field. |
| product_version | metadata.product_version | Directly mapped from the product_version field. |
| proto | network.ip_protocol | Mapped to network.ip_protocol after being converted to an IP protocol name using a lookup. |
| pwd | principal.process.file.full_path | Directly mapped from the pwd field. |
| realm | principal.group.attribute.labels.value | Directly mapped from the realm field. |
| rcvdbyte | network.received_bytes | Directly mapped from the rcvdbyte field and converted to unsigned integer. |
| remip | target.ip | Directly mapped from the remip field. |
| resource_name | target.resource.name | Directly mapped from the resource_name field after removing leading/trailing whitespace and hyphens. |
| resource_status | security_result.description | Directly mapped from the resource_status field. |
| resource_user_group | principal.user.group_identifiers | Directly mapped from the resource_user_group field. |
| resource_user_name | principal.user.userid | Directly mapped from the resource_user_name field. |
| roles | principal.user.group_identifiers | Directly mapped from the roles field. |
| sentbyte | network.sent_bytes | Directly mapped from the sentbyte field and converted to unsigned integer. |
| session_id | network.session_id | Directly mapped from the session_id field. |
| sessionid | network.session_id | Directly mapped from the sessionid field. |
| srcip | principal.ip, principal.asset.ip | Directly mapped from the srcip field. |
| srcport | principal.port | Directly mapped from the srcport field and converted to integer. |
| srccountry | principal.location.country_or_region | Directly mapped from the srccountry field if it's not "Reserved" or empty. |
| subtype | metadata.product_event_type | Used in conjunction with type to form metadata.product_event_type. |
| target_file | target.file.full_path | Directly mapped from the target_file field. |
| target_host | target.hostname, target.asset.hostname | Directly mapped from the target_host field. |
| target_ip | target.ip, target.asset.ip | Directly mapped from the target_ip field. |
| target_port | target.port | Directly mapped from the target_port field and converted to integer. |
| target_url | target.url | Directly mapped from the target_url field. |
| time | metadata.event_timestamp.seconds | Parsed from the time field using the "yyyy-MM-dd HH:mm:ss" format. |
| type | metadata.product_event_type | Used in conjunction with subtype to form metadata.product_event_type. |
| u_event_source_ip | principal.ip, principal.asset.ip or target.ip | If target_ip or target_host are present, u_event_source_ip is mapped to principal.ip and principal.asset.ip. Otherwise, if target_ip, target_host, and target_url are all empty, u_event_source_ip is mapped to target.ip. |
| u_observer_ip | observer.ip | Directly mapped from the u_observer_ip field. |
| u_prin_ip | principal.ip, principal.asset.ip | Directly mapped from the u_prin_ip field. |
| user | target.user.userid | Directly mapped from the user field. |
| user_agent | network.http.user_agent, network.http.parsed_user_agent | The user agent string is mapped to network.http.user_agent, and the parsed user agent is mapped to network.http.parsed_user_agent. |
| user_group_identifier | target.user.group_identifiers or principal.user.group_identifiers | Mapped to target.user.group_identifiers in most cases. Mapped to principal.user.group_identifiers in the IP change (USER_UNCATEGORIZED) and Realm restrictions events. |
| user_ip | principal.ip, principal.asset.ip | Directly mapped from the user_ip field. If empty and u_event_source_ip is not empty, it takes the value of u_event_source_ip. |
| username | principal.user.userid or target.user.userid | Mapped to principal.user.userid in most cases. Mapped to target.user.userid in some specific scenarios (e.g., when detect_user_logout_failed is false and detect_policy_change_failed is false). |
| username_removed | target.user.userid | Directly mapped from the username_removed field. |
| vd | principal.administrative_domain | Directly mapped from the vd field. |

metadata.vendor_name, metadata.product_name, metadata.event_type, metadata.log_type, network.ip_protocol, security_result.action, security_result.severity, and extensions.auth.type are derived or set by the parser logic based on the conditions described in the Logic column.
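Before pointing an appliance at the forwarder, it is worth checking that the custom export format configured above actually produces the expected line shape, and that the kv-style fields are normalized the way the table describes. The following is an added example, not the Google Security Operations parser itself: it matches the custom SecureConnect format, splits constructed key=value records, and applies a few of the documented rules (level to severity, hyphens to colons in host_mac, IP-or-hostname for dvc, the "Reserved" country filter, integer ports).

```python
import ipaddress
import re

# Matches the custom export format configured on the appliance:
#   [SecureConnect] %date% %time% - %node% - [%sourceip%] %user%(%realm%)[%role%] - %msg%
SECURECONNECT_RE = re.compile(
    r"^\[SecureConnect\] (?P<date>\S+) (?P<time>\S+) - (?P<node>.+?) - "
    r"\[(?P<sourceip>[^\]]*)\] (?P<user>[^(]*)\((?P<realm>[^)]*)\)"
    r"\[(?P<role>[^\]]*)\] - (?P<msg>.*)$"
)

# level -> security_result.severity, as documented in the mapping table.
SEVERITY = {"error": "HIGH", "warning": "HIGH", "notice": "MEDIUM",
            "information": "LOW", "info": "LOW"}


def parse_secureconnect(line):
    """Return the named parts of a SecureConnect-format line, or None if it does not match."""
    m = SECURECONNECT_RE.match(line)
    return m.groupdict() if m else None


def parse_kv(record):
    """Split a key=value record (values optionally double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def host_or_ip(value, ip_key, host_key):
    """Map to the IP field when the value parses as an IP address, else to the hostname field."""
    try:
        ipaddress.ip_address(value)
        return {ip_key: value}
    except ValueError:
        return {host_key: value}


def to_udm(fields):
    """Apply a subset of the documented mapping rules to extracted fields."""
    udm = {}
    if fields.get("level"):
        udm["security_result.severity"] = SEVERITY.get(fields["level"].lower())
        udm["security_result.severity_details"] = fields["level"]
    if fields.get("host_mac"):
        udm["principal.mac"] = fields["host_mac"].replace("-", ":")
    if fields.get("dvc"):
        udm.update(host_or_ip(fields["dvc"], "intermediary.ip", "intermediary.hostname"))
    for src, dst in (("srccountry", "principal.location.country_or_region"),
                     ("dstcountry", "target.location.country_or_region")):
        if fields.get(src) and fields[src] != "Reserved":   # skip "Reserved" or empty
            udm[dst] = fields[src]
    for src, dst in (("srcport", "principal.port"), ("dstport", "target.port")):
        if fields.get(src):
            udm[dst] = int(fields[src])
    return udm


if __name__ == "__main__":
    # Constructed sample lines; the values are not from a real appliance.
    print(parse_secureconnect("[SecureConnect] 2024-05-27 10:15:32 - pcs-node1 - "
                              "[203.0.113.45] jdoe(Users)[Remote Users] - Login succeeded"))
    print(to_udm(parse_kv('level=warning host_mac=00-1A-2B-3C-4D-5E dvc=10.0.0.5 '
                          'srccountry=Reserved dstport=443')))
```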

Changes

2024-05-27

  • Mapped "observer_hostname" to "observer.hostname".
  • Mapped "dvc_hostname" to "principal.ip" when it is a valid IP address, otherwise to "principal.hostname".
  • Mapped "priority_code", "Syslog_version", and "info_desc" to "about.labels".
  • Mapped "prod_name" to "metadata.product_event_type".

2024-04-16

  • Added a new Grok pattern to parse a new syslog log pattern.
  • Mapped "connection_status" to "security_result.detection_fields".

2024-02-26

  • Added a "kv" block to parse key-value data.
  • Mapped "username" to "target.user.userid".
  • Added conditional check for "message_info".
  • Mapped "u_prin_ip" to "principal.ip".
  • Mapped "u_observer_ip" to "observer.ip".

2023-11-07

  • Bug fix: Modified mapping for "observer_host" from "observer.hostname" to "additional.fields".

2023-08-19

  • Added a Grok pattern to parse failing logs.

2023-05-26

  • Added a Grok pattern to support the new syslog logs.

2023-01-06

  • Modified grok to parse "product_type" and mapped to "metadata.product_event_type".

2022-10-25

  • Added new grok patterns for "message_info" to extract session_id.
  • Mapped "session_id" to "network.session_id".
  • Changed target.ip to principal.ip when detect_policy_change_failed is false.
  • Changed target.mac to principal.mac when detect_policy_change_failed is false.

2022-10-12

  • Enhancement: Added mappings for the following fields:
    • Extracted the value of IP from "msg" field and mapped it to "principal.ip".
    • Extracted the value of hostname from "msg" field and mapped it to "principal.hostname".
    • Mapped "user" to "target.user.userid".
    • Mapped "realm" to "principal.group.attribute.labels".
    • Mapped "roles" to "principal.user.group_identifiers".
  • Modified value for "metadata.event_type" from "GENERIC_EVENT" to "USER_UNCATEGORIZED".

2022-10-03

  • Enhancement: Added parsing for logs containing "sudo".
  • Added Support for new Key-Value Pair type log formats.

2022-07-01

  • Enhancement: Generated a new event for EventID 4624.
  • Changed metadata.event_type from "GENERIC_EVENT" to "STATUS_UPDATE" or "NETWORK_CONNECTION" where "principal.ip", "target.ip", or "principal.hostname" is not null.

2022-04-13

  • Enhancement: Added mappings for new fields in GENERIC_EVENT event_type:
    • user_ip to event.idm.read_only_udm.principal.ip.
    • user_group_identifier to event.idm.read_only_udm.target.user.group_identifiers.
  • Modified timestamp in all the event_type to include timezone.
  • Modified field user_ip, target_ip for GENERIC and NETWORK_CONNECTION event types.