topic Re: Setting up syslog forwarding from Panorama to Microsoft Cloud app security in Panorama Discussions

Setting up syslog forwarding from Panorama to Microsoft Cloud app security

paul.gerloff — Wed, 30 May 2018 13:18:03 GMT

Wondering if anybody has gotten the syslog forwarding working from panorama traffic logs to Microsofts Cloud App security.

Have followed every guide I can find and I have logs passing to the MS log collector, however the syslog connection drops regularly, and despite getting some traffic showing in Cloud Discovery on the CAS dashboard it's approx.2% of total network traffic. Not from any specific system or source just a random .2%.

I feel like it's the formatting of the logs being sent or the handeling on the collector but the vendors just blame each other so it's hard to nail down.

anyone with experience getting the two to play nice would be appreciated!

Re: Setting up syslog forwarding from Panorama to Microsoft Cloud app security

w116tjb — Fri, 10 Sep 2021 18:24:53 GMT

Did you ever get this figured out?

Re: Setting up syslog forwarding from Panorama to Microsoft Cloud app security

tbarnhart — Fri, 05 Nov 2021 16:25:24 GMT

We're on v.9.1.8 for Panorama.

I've configured both ways in the MCAS Log collector settings - "PA Series Firewall" & "PA Series Firewall LEEF".

We've built the MCAS Log Collector based on the Ubuntu/Docker.

The Palos are successfully sending to the MCAS-LogCollector server.
The MCAS-LogCollector is successfully sending "message" files upto MCAS, but it's not successfully parsing the file.

See the sample logs that M$ provides with each of these - that I've attached here.
These don't match our formats.

Looks like we'll need to build a Custom Format on the Palo side???

https://docs.microsoft.com/en-us/cloud-app-security/custom-log-parser

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring.html

https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/configure-palo-alto-panorama-for-cloud-app-discovery/m-p/1816949

Re: Setting up syslog forwarding from Panorama to Microsoft Cloud app security

benlewis — Wed, 23 Mar 2022 00:55:04 GMT

I'm going through this now and having trouble with the MCAS/MDCA Log Collector Container parsing the logs forwarded from Panorama 9.1 as it won't send to cloud.

I'm working with Microsoft Support however they haven't been able offer any assistance apart from pointing out Panorama is sending it's hostname in Syslog which isn't supported in the 'PA Series Firewall' Data Source format. Unfortunately disabling this setting isn't an option as it's used for an existing SIEM integration.

The 'PA Series Firewall LEEF' Data Source format sample does show the Syslog sender hostname so i've changed to LEEF however still not working.

I'll update if I get resolution on this.

Re: Setting up syslog forwarding from Panorama to Microsoft Cloud app security

rlewandowski — Wed, 07 Sep 2022 17:40:48 GMT

Was anyone ever able to figure this out? I'm fighting with the same issue. Thanks!

Re: Setting up syslog forwarding from Panorama to Microsoft Cloud app security

Farakh_Numan — Fri, 04 Nov 2022 13:56:33 GMT

Try to use TLS or TCP as receiver type.