Displaying authenticated username in GMS reports

Description

Displaying authenticated username in GMS reports

Resolution

By default, GMS reports such as Data Usage > Initiators will display the computer’s IP address without a user:

 

Image

 

 

If some form of authentication is used for Internet access, the syslog messages will contain the authenticated username in the “usr= “ field of the syslog:

 

Syslog Example w/authentication in use:

<134>  id=firewall sn=18C2410D4FB4 time="2025-06-19 11:44:55 UTC" fw=103.19.132.178 pri=6 c=1024 m=537 msg="Connection Closed" app=49177 appName='General HTTPS' sess="Web" n=2263621 usr="test.user@domain.local" src=192.168.1.79:63326:X0 dst=172.16.32.66:443:X2 srcMac=12:56:34:ab:dc:ef dstMac=ab:cd:7e:12:34:65 proto=tcp/https sent=98 rcvd=52 spkt=2 rpkt=1 dpi=1 cdur=2200 rule="Default Access Rule"

 

GMS will take the username from the syslog messages and display it in the report:

 

Image

 

In order for the syslog to contain the username, some form of authentication must be used.  This can be any of the following methods available in the firewall:

 

Single Sign-On (SSO)

User Level Authentication (ULA)

LDAP

Local User Authentication

RADIUS

Related Articles

  • Analytics On-Prem vs NSM Feature Matrix
    Read More
  • Analytics On-Prem End of Life and NSM Transition FAQ
    Read More
  • NSM On-Prem: Backups over SCP to Windows OpenSSH Server
    Read More

Categories

Management and Reporting
GMS
not finding your answers?
Ask the Community