topic Syslog forwarding to Microsoft Sentinel in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/syslog-forwarding-to-microsoft-sentinel/m-p/597340#M3716 <P>hello everyone.</P> <P>seems we got a weird one here.</P> <P>So we took the CEF format that the pdf guide says</P> <P><A href="https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf" target="_blank">https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf</A></P> <P>&nbsp;</P> <P>heres the weird thing.</P> <P>we truncated it to be under 2048 and the push was completed across the fleet</P> <P>now the weird part</P> <P>&nbsp;</P> <P>the sentinnel collector reports nothing from the physical hardware applicances</P> <P>but does get everything from the VM's in azure.</P> <P>The physical applicances using the same share profile/syslog groups ONLY the system logs are being "seen" in the tcp.</P> <P>&nbsp;</P> <P>IF we take OUT the custom formating.</P> <P>the sentinnel collector sees the traffic but of course in an unrecognized format.</P> <P>&nbsp;</P> <P>Thoughts?</P> <P>&nbsp;</P> <P>we running on 10.2.7-h3</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 09 Sep 2024 19:57:41 GMT miguelMA 2024-09-09T19:57:41Z Syslog forwarding to Microsoft Sentinel https://live.paloaltonetworks.com/t5/next-generation-firewall/syslog-forwarding-to-microsoft-sentinel/m-p/597340#M3716 <P>hello everyone.</P> <P>seems we got a weird one here.</P> <P>So we took the CEF format that the pdf guide says</P> <P><A href="https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf" target="_blank">https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf</A></P> <P>&nbsp;</P> <P>heres the weird thing.</P> <P>we truncated it to be under 2048 and the push was completed across the fleet</P> <P>now the weird part</P> <P>&nbsp;</P> <P>the sentinnel collector reports nothing from the physical hardware applicances</P> <P>but does get everything from the VM's in azure.</P> <P>The physical applicances using the same share profile/syslog groups ONLY the system logs are being "seen" in the tcp.</P> <P>&nbsp;</P> <P>IF we take OUT the custom formating.</P> <P>the sentinnel collector sees the traffic but of course in an unrecognized format.</P> <P>&nbsp;</P> <P>Thoughts?</P> <P>&nbsp;</P> <P>we running on 10.2.7-h3</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 09 Sep 2024 19:57:41 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/syslog-forwarding-to-microsoft-sentinel/m-p/597340#M3716 miguelMA 2024-09-09T19:57:41Z