topic Re: Output detailed HIP logs to syslog in General Topics

Output detailed HIP logs to syslog

tmhorne — Thu, 11 Apr 2019 15:20:33 GMT

Does anybody know how to output the detailed HIP match logs to syslog?

As it stands, we've got to go to Monitor > HIP Match > Magnifying Glass Icon to see them.

We'd like to send this rich data set to Splunk or another tool to write reports against.

Re: Output detailed HIP logs to syslog

Mick_Ball — Thu, 11 Apr 2019 15:49:03 GMT

I use HIP myself and only log to panorama but there is a setting in device\log settings for HIP, have you tried this, it only displays a match and what you called the HIP check so may not be enough information.

Re: Output detailed HIP logs to syslog

tmhorne — Thu, 11 Apr 2019 15:54:41 GMT

I'm already sending Hip Match logs off via syslog, but it is only summary logs. It does not have the rich data that you get when you hit the magnifying glass.

Re: Output detailed HIP logs to syslog

ChrisCapra — Fri, 19 Jun 2020 18:52:29 GMT

I have the same question as starting to implement this.

Is there a back end database or a CLI command that will output the rich info that magnifier glass provides ? I am guessing there is a way to do it since the data is there and available. Creating the HIP Objects and Profiles is good but is just basic info and is mostly on/off for example if a system has antivirus or not, if installed or not, does not give specific info with the version and version number.

Looking on how to pull the rich info that the magnifier glass provides.

Help appreciated.

Re: Output detailed HIP logs to syslog

Mick_Ball — Fri, 19 Jun 2020 19:00:40 GMT

Have a look here...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClshCAC

Not had chance myself as the wine doth floweth at a somewhat rapid pace...

a bit of scripting or api call may be required for automation.

Re: Output detailed HIP logs to syslog

BPry — Sat, 20 Jun 2020 03:47:48 GMT

@tmhorne,

As @Mick_Ball's KB article states, this is kept in a local database and isn't really exposed in an easy format to get it exported off of the firewall. The firewall's own API isn't going to be very handy in this type of situation either, given the nature of the command required to access information held in that local database.

I would actually look at pulling in the client's GlobalProtect logs instead of dumping them from the firewall's database. That's easier to maintain and will give you the information in the exact same format if it's desired.