topic Re: VM series log not detected in Azure Sentinel in General Topics

VM series log not detected in Azure Sentinel

nurulams0 — Thu, 10 Feb 2022 14:26:04 GMT

Here’s the problem statement:

1] If Syslog UDP 514 is configured in PAN FW on-prem and vm-series, There were missing logs in AZ Sentinel, Incomplete logs is experienced and there were packets fragmentation.

2] MS Sentinel support recommended to changed syslog transport UDP to TCP 514.

3] If Syslog TCP 514 is configured in PAN FW, On-prem able to send syslog in Azure Sentinel and confirmed from Azure sentinel Azure side.

However all VM-series logs were not detected in Azure Sentinel, although FW is sending syslog traffic.

Re: VM series log not detected in Azure Sentinel

aleksandar.astardzhiev — Wed, 16 Feb 2022 08:04:30 GMT

Hi @nurulams0 ,

From my knowledge you cannot ship syslogs directly to Azure Sentinel (LogAnalytics), you need to have "Microsoft Monitoring Agent" running on a Linux server. What this agent is actually doing is

- it running syslog server that will receive logs from Palo FWs

- it will do some parsing and ship the logs over HTTPS to Azure LogAnalytics Workspace

It is importent to note that Azure requires logs to use CEF format in order to properly parse the logs. By default PAN FWs are not using CEF, but allows you to define custom format, so you need to manually define formatting for each log type - https://docs.paloaltonetworks.com/resources/cef.html

- Are you using same server running MS Monitoring Agent (OMS) for both on-prem and VM firewalls?

- Have you made any changes to OMS agent syslog settings to listend on different port and protocols?

- Are you able to confirm that logs are received by the server running OMS agent? I usually prefer to run tcpdump so I can see with my own eys that packets from firewall are indeed ariving.

- If they are not ariving to the syslog server, have you checked if there is no firewall in the path? Note that Palo Alto App-ID for syslog is defining different default port for syslog over TCP, so if traffic is passing over PAN FW, which is allowing syslog app on default port it is probably blocking it

Re: VM series log not detected in Azure Sentinel

MAerre — Wed, 11 Dec 2024 16:34:06 GMT

Hello @aleksandar.astardzhiev ,

i'm facing the same issue, i've 2 palo alto vm sending logs to a linux server that then forwards them to azure sentinel, from sentinel side they're receiving no logs for 2 months (they told me that before it was working and nobody changed anything).

i'm sending only the configuration, user-id and global protect logs, following the syslog configuration:

i noticed i'm using BSD format instead of CED as you stated.

i've double checked the linux server (which i'm able to ping) config and service but seem running, do you with could be useful to change to CEF format on palo alto side?

is there a way to understand if the fw is sending the logs?

thank you

regards