How does the Log Link Feature Work?


The Log Link feature provides links from log data to external systems (for example, trouble-ticketing, PCAP collections systems, security scanning, and so on). The links show up at the bottom of the log detail page in the log viewer, and they open the constructed URL in a new browser window.


Fields of the log record that are available for constructing the link URL (each is referenced in the URL template as {fieldname}):

  • src - source IP address
  • dst - destination IP address
  • sport - source port
  • dport - destination port
  • proto - protocol
  • recvtime_YYYY - year of receive time
  • recvtime_MM - month of receive time
  • recvtime_DD - day of receive time
  • recvtime_hh - hour of receive time
  • recvtime_mm - minute of receive time
  • recvtime_ss - second of receive time
  • elapsed - elapsed time (session duration in seconds; available for traffic logs only, "" otherwise)
  • direction - client-to-server or server-to-client (available for threat, data filtering and URL logs only, "" otherwise)
  • suser - source user
  • duser - destination user
  • szone - source zone
  • dzone - destination zone
  • ingress - ingress interface
  • egress - egress interface


To enable the log link feature, use the following CLI commands:

# set deviceconfig system log-link VirusTotal.Src url https://www.virustotal.com/en/ip-address/{src}/information

# set deviceconfig system log-link VirusTotal.Dst url https://www.virustotal.com/en/ip-address/{dst}/information

Example URL: https://www.virustotal.com/en/ip-address/91.220.163.35/information/


Running the above commands using the example URL creates 2 log-links to VirusTotal in the Log Details window (one for the source IP and one for the destination IP):

[Screenshot: log-links-vt.png, the Log Details window with the two VirusTotal log links]

Multiple links can be set and all show up at the bottom of the log detail window.
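As an added example (not PAN-OS code, and not from this article), the function below expands a log-link URL template from a log record the way the field list above describes: every field name on the page is a valid placeholder, fields the log type does not carry expand to "", and each value is percent-encoded so a user or zone name containing spaces or "&" cannot alter the query string sent to the external system. The sample record, the ticketing URL and the host tickets.example.test are constructed for the example.

```python
import re
from urllib.parse import quote

# The log-link placeholders listed on this page.
LOG_LINK_FIELDS = frozenset((
    "src", "dst", "sport", "dport", "proto",
    "recvtime_YYYY", "recvtime_MM", "recvtime_DD",
    "recvtime_hh", "recvtime_mm", "recvtime_ss",
    "elapsed", "direction", "suser", "duser",
    "szone", "dzone", "ingress", "egress",
))

PLACEHOLDER = re.compile(r"\{([A-Za-z_]+)\}")


def expand_log_link(template: str, record: dict) -> str:
    """Substitute {field} placeholders in a log-link template.

    Fields absent from the record (e.g. 'elapsed' for a non-traffic log)
    become "" as the article states. A placeholder that is not a known field
    raises, so a typo in the template is caught instead of being shipped
    as a literal '{sorce}'.
    """
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in LOG_LINK_FIELDS:
            raise KeyError(f"unknown log-link field: {name}")
        # safe="" also encodes '/' so an interface name such as
        # ethernet1/2 cannot add a path segment to the target URL.
        return quote(str(record.get(name, "")), safe="")
    return PLACEHOLDER.sub(repl, template)


# Constructed sample: a traffic-log record ('elapsed' present, 'direction' absent).
SAMPLE_TRAFFIC = {
    "src": "10.1.2.3", "dst": "91.220.163.35", "sport": "51234", "dport": "443",
    "proto": "tcp", "recvtime_YYYY": "2014", "recvtime_MM": "05",
    "recvtime_DD": "07", "recvtime_hh": "13", "recvtime_mm": "45",
    "recvtime_ss": "09", "elapsed": "32", "suser": "corp\\jdoe",
    "szone": "trust", "dzone": "untrust",
    "ingress": "ethernet1/2", "egress": "ethernet1/1",
}

# The VirusTotal template from this page, and a constructed ticketing template.
VT_DST = "https://www.virustotal.com/en/ip-address/{dst}/information"
TICKET = ("https://tickets.example.test/new?src={src}&user={suser}"
          "&when={recvtime_YYYY}-{recvtime_MM}-{recvtime_DD}"
          "T{recvtime_hh}:{recvtime_mm}:{recvtime_ss}&dir={direction}")
```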


Note: The log link configuration is not synchronized between device pairs in a High Availability (HA) environment. Therefore, log link configuration must be manually performed on both Active and Passive boxes.


owner: mjacobsen
Comments

To get the ? pasted in properly, you can either paste the above in two sections with a ^V? in the middle, or you can turn on cli scripting mode before pasting the whole thing in.

It also works using quotes :smileyhappy:

FYI this is broken in 6.0, I just tested 6.0.4 and the Log Links section won't show up in traffic logs.

This behavior should be fixed in PAN OS 6.0.5.

Does not work if you have spaces in the log link name. Use underscores or dashes.

Does not work on Panorama, does it? I wasn't successful with Panorama.

Does it work from Panorama, or do you need to set it up on individual firewalls?

Looks like it is individual firewalls. We just did it on 2 of our HA firewalls and it was not showing anything in the Panorama logs but if you went to the firewall via the context the logs would show up there.

I have configured it for Panorama, however I don't see any links in the logs. Why can't it work for Panorama? We use Panorama only for analysis.

Be great if we could also put an identifier unique to the event into the URL, something like the Session ID, Application and Virtual System name. This would allow the construction of a string that provides some context to the user as to the source event.