article PAN-OS 8.0 HTTP Log Integration with Slack in Log Forwarding Articles

PAN-OS 8.0 HTTP Log Integration with Slack

rkemburu — Wed, 23 Oct 2019 16:19:23 GMT

PAN-OS 8.0 HTTP Log Integration with Slack

This document assumes that you have already created a Slack team. This sample integration was done with a free Slack account.

Once you have created your Slack team, login to your slack account and add an “Incoming Webhooks” custom integration on the slack website. During that configuration, you will select the channel where the message will be broadcast (#general in this example). You will also receive a Webhook URL, and an opportunity to customize the Name and Icon for the source of the message.

Here’s a screenshot of the Incoming Webhooks configuration on the slack website:

Next, configure an HTTP Server Profile in PAN-OS 8.0. Use the first part of the Webhooks URL in the “Address” field. In this example, it is “hooks.slack.com” using HTTPS on 443 with the POST HTTP method. Username/Password are not required for this particular integration.

Personally, I was interested in specific “system” events, so this document focuses on the system-level logs. Similar integrations could easily be done with traffic, threat, and/or URL logs.

This is what the System format looks like:

In the URI Format box, provide the URI portion of the Slack-provided Incoming Webhooks URL, beginning with /service

The content-type must be application/json

Leave the Parameters field blank.

The Payload input box accepts the default Slack-preferred JSON format as documented here: https://api.slack.com/incoming-webhooks

No additional escaping is required to add the PAN-OS provided variables to the payload. In this example, I’m using a rich-formatted “attachments” message from Slack, although the basic format works perfectly as well.

Here are two samples that you should be able to cut and paste:

Rich Format Message:

{

"attachments": [

{

"fallback": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------",

"text": "$time_generated: <https://pa0.example.com|pa0> reports $severity $subtype event:\n$opaque",

"color": "danger"

}

]

}

Simple Format Message:

{

"text": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------"

}

Since I was mainly interested in system-level events, I tied it all together in the Device / Log Settings tab. I haven’t narrowed-down exactly what I want to see in the slack channel, but for the purposes of this test, I wanted to see non-informational ha or crypto events, so used the following system log filter:

(( subtype eq ha ) or (subtype eq crypto)) and ( severity neq informational )

I matched that with the “Slack System Event 1” created earlier. The configuration looks like this:

Here’s what I see on my desktop in the Slack app when I initiate a manual HA state change via the PAN-OS GUI:

Looks good on the phone too:Created by Jared Valentine - Systems Engineer

Re: Slack

whofstetter — Fri, 29 Dec 2017 14:49:27 GMT

Nice articel! I just tried to follow theser steps, unfortunately my PA-200 say:

Failed to send HTTP request: hooks.slack.com: Peer certificate cannot be authenticated with given CA certificates

Not sure what's the rootcause, I used that slack account with NTOP before and just verified with curl from a Linux machine that the webhook does work.

I'll keep trying 🙂

Re: Slack

Sath — Thu, 26 Apr 2018 08:07:49 GMT

what PAN OS version you are using?

Re: Slack

whofstetter — Thu, 26 Apr 2018 08:22:01 GMT

Sorry, didn't repor

@rkemburu wrote:
PAN-OS 8.0 HTTP Log Integration with Slack

This document assumes that you have already created a Slack team. This sample integration was done with a free Slack account.

Once you have created your Slack team, login to your slack account and add an “Incoming Webhooks” custom integration on the slack website. During that configuration, you will select the channel where the message will be broadcast (#general in this example). You will also receive a Webhook URL, and an opportunity to customize the Name and Icon for the source of the message.

Here’s a screenshot of the Incoming Webhooks configuration on the slack website:


Next, configure an HTTP Server Profile in PAN-OS 8.0. Use the first part of the Webhooks URL in the “Address” field. In this example, it is “hooks.slack.com” using HTTPS on 443 with the POST HTTP method. Username/Password are not required for this particular integration.

Personally, I was interested in specific “system” events, so this document focuses on the system-level logs. Similar integrations could easily be done with traffic, threat, and/or URL logs.

This is what the System format looks like:

In the URI Format box, provide the URI portion of the Slack-provided Incoming Webhooks URL, beginning with /service

The content-type must be application/json

Leave the Parameters field blank.

The Payload input box accepts the default Slack-preferred JSON format as documented here: https://api.slack.com/incoming-webhooks

No additional escaping is required to add the PAN-OS provided variables to the payload. In this example, I’m using a rich-formatted “attachments” message from Slack, although the basic format works perfectly as well.

Here are two samples that you should be able to cut&paste:

Rich Format Message:

{
    "attachments": [
        {
            "fallback": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------",
            "text": "$time_generated: <https://pa0.example.com|pa0> reports $severity $subtype event:\n$opaque",
            "color": "danger"
        }
    ]
}

Simple Format Message:

{
    "text": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------"
}

Since I was mainly interested in system-level events, I tied it all together in the Device / Log Settings tab. I haven’t narrowed-down exactly what I want to see in the slack channel, but for the purposes of this test, I wanted to see non-informational ha or crypto events, so used the following system log filter:

(( subtype eq ha ) or (subtype eq crypto)) and ( severity neq informational )

I matched that with the “Slack System Event 1” created earlier. The configuration looks like this:
Here’s what I see on my desktop in the Slack app when I initiate a manual HA state change via the PAN-OS GUI:

Looks good on the phone too:Created by Jared Valentine - Systems Engineer

t back - It does work just fine. As far as I remember I suffered from a cert issue. Regards, Walter

Re: Slack

Sath — Thu, 26 Apr 2018 08:26:19 GMT

ya that was bug earlier, instead of using default trust certificates, it used device certificates to connect to hooks.slack.com.
now that is fixed.

Re: Slack

ArienSeghetti — Sun, 29 Apr 2018 16:43:45 GMT

What kind of certs do you need on the Firewall in order to do this slack integration?

Re: Slack

Alex_Gomez — Sat, 19 May 2018 10:14:38 GMT

For some reason i am confiruing everything correctly but it does not like using this

$opaque\n if i remove it and test test by sending log to slack it works any ideas?

Re: Slack

JimmyHolland — Thu, 14 Jun 2018 10:47:31 GMT

@Alex_Gomez This is fixed in PAN-OS 8.1.2

Re: Slack

EddieBrown — Thu, 13 Jun 2019 17:54:57 GMT

I have successfully deployed this awesome feature into my 70 firewalls using Panorama.

The alerts are flowing into my designated slack channel, however, I am not getting very intuitive information from some devices.

For example when an alert flows to my channel the notification Windows gives me show the entirety of the Palo Alto firewall name. When I look at the actual data within the channel I am not seeing the same data present on certain devcies.

Compared to:

Any help is appreciated.

Re: Slack

Evgenij — Wed, 11 Sep 2019 09:07:42 GMT

Hi @EddieBrown ,
i came across the same issue. Some information are missing on slack...
Did you manage to find the problem?

Re: Slack

EddieBrown — Tue, 22 Oct 2019 13:36:51 GMT

Hey @Evgenij,

Unfortunately not, I thought maybe it had to do with the revision of code I was running as I had a few non 8.1 .x firewalls deployed. All my firewalls are on either 8.1.6 or 8.1.8 and I am still seeing the same results.

Maybe @rkemburu Can shed some of their infinite wisdom with us.

Re: Slack

Jamiefitzgerald — Tue, 22 Oct 2019 17:15:00 GMT

I am forwarding this to the features owners to take a look.

Glad you like the feature.

Do you use any other integrations as well? How did you hear about the feature?

Re: Slack

EddieBrown — Tue, 22 Oct 2019 17:52:23 GMT

@Jamiefitzgerald That is a lot of questions. I would like the feature more if it worked as advertised.

I use a few other integrations: PingID, MineMeld. I heard about this feature via a Slack/Palo Alto google search.

Re: PAN-OS 8.0 HTTP Log Integration with Slack

niuk — Wed, 11 Dec 2019 16:07:08 GMT

I did the same with MS Teams, see here

😉

Re: PAN-OS 8.0 HTTP Log Integration with Slack

EddieBrown — Wed, 11 Dec 2019 16:29:46 GMT

@Jamiefitzgerald Any update on why we are only seeing half the information in Slack?

Re: PAN-OS 8.0 HTTP Log Integration with Slack

Valentino — Tue, 01 Feb 2022 08:43:43 GMT

Hello,

Nice solution and thank you very much for taking the time to think about this solution.
Unfortunately, the firewalls are in a secure environment and do not have access to the Internet

Logs are sent to Splunk and Tufin servers which are on the same secure environment.

however, if it were necessary to create a server in this secure environment which allows to recover this type of alerts, it would be possible.

Thanks to all of you in advance

Valentino