Palo Alto Threat Events Not forwarded


L3 Networker

Hi all,

 

We are unable to capture the logs below in syslog, but in the firewall it appears to be forwarding them to syslog. Logs are being forwarded, but some fields are empty. [two screenshots attached]

7 REPLIES 7

Community Team Member

Hi @karthikeyanB,

 

As your screenshot indicates, you have quite a few custom entries.

You might want to look into customizing the log format:

 

Custom-logevent-format

 

Cheers!

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and "Accept as Solution" if a post helps solve your problem!

L3 Networker

@karthikeyanB wrote:

Hi all,

 

We are unable to capture the logs below in syslog, but in the firewall it appears to be forwarding them to syslog. Logs are being forwarded, but some fields are empty. [two screenshots attached]



This is not helping

L3 Networker

This is not helping

Community Team Member

Hi,

 

What log format are you using? CEF, LEEF?

If the default isn't doing the trick, have you tried customizing it as shown in the documents?

 

CEF FORMAT:

 

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver

 

 

 

LEEF FORMAT:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|
ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_
time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|
SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|
DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|
LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|
srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|
Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|
Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|
DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|
Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject|
DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|
TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|
ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|
ContentVer=$contentver

Cheers!
-Kiwi.
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and "Accept as Solution" if a post helps solve your problem!
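The two symptoms in this thread, fields that arrive empty at the syslog collector and a custom format template whose tokens have run together, can both be checked mechanically. The following is an added example, not code from the thread or from Palo Alto Networks: a linter for a PAN-OS custom CEF template that flags a `$variable` glued directly to the next `key=` (the way `duser=$dstuserapp=$app` loses the space), plus a small CEF parser that reports which expected extension keys are absent or empty in a received event. The sample template excerpt, the sample syslog line and the `REQUIRED` key list are constructed for the demonstration; adjust `REQUIRED` to the fields your SIEM content actually depends on.

```python
"""Check a PAN-OS custom CEF template and validate received CEF events.

Added example for the LIVEcommunity thread; not vendor code.  All sample
strings below are constructed.
"""
import re
from typing import Dict, List, Tuple

# In a PAN-OS custom log format, "$name" tokens are substituted and CEF
# extension pairs are separated by a space.  A "$var" immediately followed
# by "=" means the space between two pairs was lost in the template.
RUN_TOGETHER = re.compile(r"\$[A-Za-z0-9_-]+=")

# A CEF extension key: letters/digits/underscore/dot, preceded by start of
# the extension text or whitespace, and followed by "=".
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")

# Constructed excerpt containing the three run-together tokens seen in the
# template posted in the thread.
TEMPLATE_EXCERPT = (
    "CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|"
    "rt=$cef-formatted-receive_time src=$src dst=$dst cs1Label=Rule cs1=$rule suser=$srcuser "
    "duser=$dstuserapp=$app proto=$proto act=$action externalId=$seqnocat=$threatid "
    "dvchost=$device_namePanOSSrcUUID=$src_uuid"
)

# Constructed syslog line as a collector would receive it: "suser" is absent
# and "cs2" (URL category) arrived empty.
SAMPLE = (
    "<14>CEF:0|Palo Alto Networks|PAN-OS|8.0.13|vulnerability|THREAT|3|"
    "rt=Jan 02 2019 10:15:00 GMT deviceExternalId=001234567890 src=10.1.1.5 "
    "dst=203.0.113.7 cs1Label=Rule cs1=allow-web duser=bob app=web-browsing "
    "spt=50123 dpt=80 proto=tcp act=alert request=/index.php?id\\=1 "
    "cs2Label=URL Category cs2= cat=30000"
)

# Keys a threat-event consumer is assumed to need (constructed list).
REQUIRED = ["rt", "src", "dst", "suser", "cs2", "cat", "act"]


def lint_template(template: str) -> List[str]:
    """Return every "$var=" fragment where a separating space is missing."""
    return RUN_TOGETHER.findall(template)


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a (possibly syslog-prefixed) CEF line into header fields and
    an extension dict.  Header pipes escaped as "\\|" and extension "\\="
    are unescaped; values may contain spaces (next key starts at whitespace
    followed by "key=")."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = [p.replace("\\|", "|") for p in parts[:7]]
    ext_text = parts[7]
    ext: Dict[str, str] = {}
    keys = list(EXT_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        value = ext_text[start:end].strip()
        ext[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return header, ext


def check_fields(ext: Dict[str, str], required: List[str]) -> Dict[str, List[str]]:
    """Report required keys that are missing entirely or present but empty."""
    missing = [k for k in required if k not in ext]
    empty = [k for k in required if k in ext and ext[k] == ""]
    return {"missing": missing, "empty": empty}


if __name__ == "__main__":
    print("template problems:", lint_template(TEMPLATE_EXCERPT))
    hdr, fields = parse_cef(SAMPLE)
    print("device:", hdr[2], "severity:", hdr[6])
    print("field check:", check_fields(fields, REQUIRED))
```

Run the linter against the exact template string configured under the syslog server profile before committing it; an empty list from `lint_template` and an empty `missing`/`empty` report from `check_fields` on a few live events is a quick way to separate "the firewall is not sending the field" from "the collector is not parsing it".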

Hi,

 

We are using PAN-OS 8.0.13, but the document shows PAN-OS 7.1!

Is that not an issue?

 

Regards

Karthikeyan

L3 Networker

Hi,

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEcCAK

 

I found the above KB article for 8.0.X; is that ok?

 

Best Regards

Karthikeyan Balamurugan

 

We are using CEF format
