https://live.paloaltonetworks.com/t5/general-topics/how-to-get-send-dns-logs-to-on-prem-siem-dns-proxy-dns-security/m-p/533040#M109836 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/126496">@jgardner150</a>,</P> <P>You can setup log forwarding from CDL and setup filtering if required so that it isn't sending&nbsp;<EM>all&nbsp;</EM>logs unless you need it.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server#id186BM029099</A></P> Thu, 02 Mar 2023 22:13:03 GMT BPry 2023-03-02T22:13:03Z https://live.paloaltonetworks.com/t5/general-topics/how-to-get-send-dns-logs-to-on-prem-siem-dns-proxy-dns-security/m-p/532961#M109822 <P class="_1qeIAgB0cPwnLhDF9XSiJM">Hello Community!</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">Wondering if anyone has this scenario / has experience with retrieving DNS security logs...</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM"><STRONG class="_12FoOEddL7j_RgMQN0SNeU">Remote Site Firewall setup:</STRONG></P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">- DNS Proxy Enabled (Rules direct internal domains to internal DNS servers across SDWAN, all other DNS request go out local internet to<SPAN>&nbsp;</SPAN><A class="_3t5uN8xUmg0TOwRCOGQEcU" href="https://8.8.8.8/" target="_blank" rel="noopener nofollow ugc">8.8.8.8</A>)</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">-Firewalls have DNS Security Subscription</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM"><STRONG class="_12FoOEddL7j_RgMQN0SNeU">Problem:</STRONG><SPAN>&nbsp;</SPAN>We previously used internal DNS servers for all traffic<SPAN>&nbsp;</SPAN><EM class="_7s4syPYtk5hfUIjySXcRE">(due to backhauling internet to the datacenters)</EM><SPAN>&nbsp;</SPAN>and forwarded all DNS server logs to our on-prem SIEM. Now with DNS Proxy + External DNS servers we no longer get the detailed DNS logs we used to.</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM"><STRONG class="_12FoOEddL7j_RgMQN0SNeU">Partial Solution:</STRONG><SPAN>&nbsp;</SPAN>We have <LI-PRODUCT title="DNS Security" id="DNS_Security"></LI-PRODUCT>&nbsp;subscriptions on these remote firewalls, it seems that this logs all DNS queries in Palo's cloud, and I can see them in Autofocus... However, we are stumped on how to get these logs made available to pull down / be sent to our on-prem SIEM so we can use the data for event correlation amongst many other log sources</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">I have been working with our account team to find a solution, but I wanted to float it out here in case anyone has found a solution or has alternate suggestions.</P> Thu, 02 Mar 2023 14:54:27 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-get-send-dns-logs-to-on-prem-siem-dns-proxy-dns-security/m-p/532961#M109822 jgardner150 2023-03-02T14:54:27Z https://live.paloaltonetworks.com/t5/general-topics/how-to-get-send-dns-logs-to-on-prem-siem-dns-proxy-dns-security/m-p/533040#M109836 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/126496">@jgardner150</a>,</P> <P>You can setup log forwarding from CDL and setup filtering if required so that it isn't sending&nbsp;<EM>all&nbsp;</EM>logs unless you need it.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server#id186BM029099</A></P> Thu, 02 Mar 2023 22:13:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-get-send-dns-logs-to-on-prem-siem-dns-proxy-dns-security/m-p/533040#M109836 BPry 2023-03-02T22:13:03Z https://live.paloaltonetworks.com/t5/general-topics/how-to-get-send-dns-logs-to-on-prem-siem-dns-proxy-dns-security/m-p/533091#M109839 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;Thanks for the info.</P> <P>I did a little research and see they added DNS Security logs as source for CDL about a year back:&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-release-notes/cortex-data-lake/new-features" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-release-notes/cortex-data-lake/new-features</A>&nbsp;.</P> <P>&nbsp;</P> <P>I'm guessing I'll need to buy a little bit of storage <EM>(I currently don't use CDL)</EM> to be able to use this option for forwarding the logs I'm looking for. Not ideal, but at least it sounds like it might get the job done.&nbsp;</P> Fri, 03 Mar 2023 02:46:37 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-get-send-dns-logs-to-on-prem-siem-dns-proxy-dns-security/m-p/533091#M109839 jgardner150 2023-03-03T02:46:37Z