https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48119#M35386 <HTML><HEAD></HEAD><BODY><P>Hello kadak!</P><P></P><P>Thank you for the answer. I was think about send email. Really I'll do this. But, it's not the perfect way, because I'll wanted make a dashboard. With the dashboard I'll can monitoring in real time.</P><P></P><P>Best Regards!</P><P>Lucas P</P></BODY></HTML> Thu, 19 Dec 2013 12:22:21 GMT lucaspassos 2013-12-19T12:22:21Z https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48117#M35384 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P></P><P></P><P>I have a syslog that I make some monitoring dashboards and the customer want one view about all botnets in my network.</P><P>I had configured Palo Alto to send the logs to syslog. But I can't found the log about botnet. </P><P>Somewhere know how can I do this? What log that we can see the infections?</P><P></P><P>Thanks for the help!!</P><P></P><P>Best Regards</P><P>Lucas Passos</P></BODY></HTML> Tue, 17 Dec 2013 18:58:43 GMT https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48117#M35384 lucaspassos 2013-12-17T18:58:43Z https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48118#M35385 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #333333;">Hello Lucas,</SPAN></P><P></P><P><SPAN style="text-indent: 0px; text-align: left; color: #333333; font-size: 13px; font-style: normal; font-family: arial,helvetica,sans-serif; font-weight: normal;">Botnet Reporting is a threat prevention feature. The PAN collates information from traffic, threat, URL logs to identify botnet-infected hosts. The report generated each day consists a list of infected hosts, description(why we believe the host is infected) and a Confidence level. You can configure the parameters in addition to the query indicating what traffic you'd like to see the botnet report on. <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">There are no Botnet logs, just predefined Botnet reports that run daily.</SPAN></SPAN></P><P><SPAN style="text-indent: 0px; text-align: left; color: #3b3b3b; font-style: normal; font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-weight: normal;"><BR /></SPAN></P><P><SPAN style="text-indent: 0px; text-align: left; color: #3b3b3b; font-style: normal; font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-weight: normal;">However, you can configure botnet reports to be emailed out on daily basis according to your email server profile.</SPAN></P><P><SPAN style="text-indent: 0px; text-align: left; color: #3b3b3b; font-style: normal; font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-weight: normal;">Under Monitor &gt; Botnet &gt; Report setting<BR /></SPAN></P><P><SPAN style="text-indent: 0px; text-align: left; color: #3b3b3b; font-style: normal; font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-weight: normal;"><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/10371_pastedImage_5.png" style="max-width: 1200px; max-height: 900px;" /></SPAN></P><P><SPAN style="text-indent: 0px; text-align: left; color: #333333; font-size: 13px; font-style: normal; font-family: arial,helvetica,sans-serif; font-weight: normal;"><BR /></SPAN></P><P><SPAN style="text-indent: 0px; text-align: left; color: #333333; font-size: 13px; font-style: normal; font-family: arial,helvetica,sans-serif; font-weight: normal;"><BR /></SPAN></P><P>You can then create report group to include that botnet report</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/10372_pastedImage_6.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>You can then create an email scheduler with email server profile to include that report group</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/10374_pastedImage_8.png" style="max-width: 1200px; max-height: 900px;" /></P><P><IMG alt="" class="jiveImage" height="247" src="https://live.paloaltonetworks.com/legacyfs/online/10373_pastedImage_7.png" style="width: 648.898px; height: 247px;" width="649" /></P><P></P><P><SPAN>The above process who trigger an email&nbsp; (botnet report attached to it ) everyday to </SPAN><A class="jive-link-email-small" href="mailto:jdoe@xy.com">jdoe@xy.com</A></P><P></P><P>Since there is nothing called botnet log, we cannot forward it to any external server.&nbsp; On another note, you can indeed forward your threat logs to external entities by following the document:<A href="https://live.paloaltonetworks.com/docs/DOC-3837">How to Forward Threat Logs to Syslog Server</A></P><P></P><P>Hope thats helps!</P><P></P><P></P><P></P><P></P><P>Regards,</P><P>Kunal Adak</P></BODY></HTML> Wed, 18 Dec 2013 17:41:12 GMT https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48118#M35385 kadak 2013-12-18T17:41:12Z https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48119#M35386 <HTML><HEAD></HEAD><BODY><P>Hello kadak!</P><P></P><P>Thank you for the answer. I was think about send email. Really I'll do this. But, it's not the perfect way, because I'll wanted make a dashboard. With the dashboard I'll can monitoring in real time.</P><P></P><P>Best Regards!</P><P>Lucas P</P></BODY></HTML> Thu, 19 Dec 2013 12:22:21 GMT https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48119#M35386 lucaspassos 2013-12-19T12:22:21Z https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48120#M35387 <HTML><HEAD></HEAD><BODY><P>Have you considered the API on your PA?</P><P></P><P>Since the botnet report is a predefined report, you can pull it using the API with a URL like this:</P><P></P><P><A href="https://PAFIREWALL/api/?type=report&amp;reporttype=predefined&amp;reportname=botnet" title="https://PAFIREWALL/api/?type=report&amp;reporttype=predefined&amp;reportname=botnet">https://PA_FIREWALL_IP/api/?type=report&amp;reporttype=predefined&amp;reportname=botnet</A></P><P></P><P>With that in play, all you have to do is have something pull that URL (need to add the API auth string to the request first) and change out the IP address with that of each of your firewall modules.&nbsp; As long as the server (QRadar) for example, is configured to read the XML responses, you can read and act as needed on the report results.</P><P></P><P>You can pull the CSV's straight out as well - but that takes two requests - one to generate the report and the other to fetch the result.</P><P></P><P>Cheers.</P></BODY></HTML> Mon, 23 Feb 2015 21:34:30 GMT https://live.paloaltonetworks.com/t5/general-topics/botnet-syslog/m-p/48120#M35387 JohnSilvia 2015-02-23T21:34:30Z