topic Re: Sending traffic logs with Syslogs (UDP) from PA-440 -> Collector Server in Azure -> LimaCharlie organization not working in Next-Generation Firewall Discussions

Sending traffic logs with Syslogs (UDP) from PA-440 -> Collector Server in Azure -> LimaCharlie organization not working

SoloSigma — Wed, 17 Jan 2024 19:13:34 GMT

I am trying to send Syslog from my PA-440 to a LimaCharlie organization.

This is the setup

PA-400 --Syslog--> Virtual Machine in Azure running Ubuntu with LimaCharlie Adapter --HTTPS--> LimaCharlie.io

This is what I have done in the PA-440

1. Objects -> Log Forwarding and

Add

a profile

I named the profile "LFP-Logs to LimaCharlie".

2. Policies

-> Security

Actions -> Log Forwarding: LFP-Logs to LimaCharlie

This is what I have done in Azure

I created a VM with latest Ubuntu Server.
I opened port 514 UDP.

Next I installed LimaCharlie Adapter on it which is working fine:

I tried to send a syslog message to it which came through to the LimaCharlie organization, meaning that the collector server can receive syslog:

logger -p 0 -n 1.2.3.4 "This is only test message ----- remote"

Screenshot from LimaCharlie.io:

Now I am a bit lost.. What should I try next in order to make sure that logs are sent from the Palo Alto firewall to my collector server in Azure?

jpomachagua — Thu, 18 Jan 2024 21:25:14 GMT

I will verify the following:

Check the traffic logs on the Monitor tab to see if any traffic is being denied.
If no traffic logs are found, check the session browser logs (clear the session if needed).

Regards

SoloSigma — Tue, 23 Jan 2024 09:08:48 GMT

I have checked the traffic logs and all has Action=allow.

Traffic log page 1Traffic log page 2

jpomachagua — Tue, 23 Jan 2024 16:59:01 GMT

Can you verify if there is a NAT source IP address for the packets? Also, can you display the columns for bytes sent and bytes received?

Regards