Panorama system logs -> Sending to Slack via HTTP profile -> NEED TO SEND PANORAMA DEVICE HOSTNAME

Eric.Hernandez — Wed, 12 May 2021 18:50:26 GMT

I am using an HTTP profile to send PANORAMA CRITICAL SYSTEM events to Slack. The integration is working well.

My Panoramas are an A/P HA cluster. The issue that I have is that I'm unable to delineate the device names via the HTTP profile payload (because the HTTP profile payload gets duplicated between both the active and the passive device).

Here's my HTTP profile SYSTEM payload:

{"text": "*Panorama System Log*\n

*Device Name*:$device_name\n

*Receive Time*: $receive_time *Severity:* $severity *Type*: $subtype\n

*Log Message:* $opaque"}

This works well except for the $device_name variable (variable i.e.: system log field). For my Panorama instance, the $device_name returns IP address 1.1.1.1. I would expect it to return the device's hostname.

In reviewing the System log fields documentation, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields.html#id9502d0c7-67d3-4f74-a0a9-3fdd671afd28

the field "device_name" is described as "the hostname of the firewall on which the session was logged". The key word here is "firewall" as this does not seem to function correctly for Panorama.

In a nutshell, I want to include the Panorama hostname (or Panorama mgmt IP address) within the log(alert) output. That way I know which device in the HA pair is generating the log/alert. For a Panorama A/P HA pair, the HTTP profile payload is duplicated across both devices, and therefore I cannot hard code the device name in the payload, I need to use a variable (i.e.: system log field name). Does anybody know how I can get the Panorama hostname or mgmt IP address to show up in output? How would I build the HTTP Profile SYSTEM payload? Any ideas are appreciated. Thanks!

Re: Panorama system logs -> Sending to Slack via HTTP profile -> NEED TO SEND PANORAMA DEVICE HOSTNAME

jdelio — Fri, 14 May 2021 22:02:48 GMT

I know you say that the Device name does not show up properly, but what about the serial #?

"Serial Number (serial)"

Is it showing up? and is that unique?

Re: Panorama system logs -> Sending to Slack via HTTP profile -> NEED TO SEND PANORAMA DEVICE HOSTNAME

Eric.Hernandez — Mon, 17 May 2021 14:29:23 GMT

Hi @jdelio Thanks for responding.

I tried this during my testing. When I send the serial number ($serial), both the Active and the Passive Panorama return the same 10-digit number. If I search the config for this 10-digit number (show | match <number>) I can't find a record of the number anywhere in the config.

FYI both my Panorama serial numbers are 12-digit numbers.

topic Re: Panorama system logs -> Sending to Slack via HTTP profile -> NEED TO SEND PANORAMA DEVICE HOSTNAME in Panorama Discussions

Panorama system logs -> Sending to Slack via HTTP profile -> NEED TO SEND PANORAMA DEVICE HOSTNAME

Re: Panorama system logs -> Sending to Slack via HTTP profile -> NEED TO SEND PANORAMA DEVICE HOSTNAME

Re: Panorama system logs -> Sending to Slack via HTTP profile -> NEED TO SEND PANORAMA DEVICE HOSTNAME