Palo Alto Threat Events Not forwarded

L2 Linker

Palo Alto Threat Events Not forwarded

Hi all,

We are unable to capture the logs below in syslog, but in the firewall it appears to be forwarding them to syslog. Logs are being forwarded, but some fields are empty.

(two screenshots attached)

Community Team Member

Re: Palo Alto Threat Events Not forwarded

Hi @karthikeyanB,

As your screenshot indicates, you have quite a few custom entries.

You might want to look into customizing the log format:

Custom-logevent-format

Cheers!

-Kiwi.

 
L2 Linker

Re: Palo Alto Threat Events Not forwarded


@karthikeyanB wrote:

Hi all,

We are unable to capture the logs below in syslog, but in the firewall it appears to be forwarding them to syslog. Logs are being forwarded, but some fields are empty.

(two screenshots attached)

This is not helping


Community Team Member

Re: Palo Alto Threat Events Not forwarded

Hi,

What log format are you using? CEF or LEEF?

If the default isn't doing the trick, have you tried customizing it as shown in the documents?

CEF FORMAT:

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver

LEEF FORMAT:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|ContentVer=$contentver

Cheers!

-Kiwi.
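One way to tell "the field is empty for this session" apart from "the field never arrives", as an added example that is not code from this thread, from the poster, or from Palo Alto Networks: parse the forwarded CEF lines the way a syslog collector does and compare them against the template they should follow. The template strings and syslog lines below are constructed samples trimmed to a subset of the keys in the CEF format above (serial numbers, addresses and IDs are placeholders), and the parser assumes standard CEF escaping (`\|` in the header, `\=` in extension values).

```python
"""Lint a PAN-OS custom CEF log format and the syslog lines rendered from it.

Added example for this thread; it is not code from the thread, from the
poster, or from Palo Alto Networks. Template strings and syslog lines below
are constructed samples that keep only a subset of the keys from the CEF
format above. Standard CEF escaping is assumed: "\\|" in the header and
"\\=" in extension values.
"""
import re

# Split the seven CEF header fields on pipes that are not escaped as "\|".
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# One extension pair: key "=" value, where the value runs up to the next
# whitespace-separated "key=" or the end of the line. Keys contain no
# whitespace, "=" or backslash, so an escaped "\=" inside a value cannot
# start a new key, and values with spaces ("Virtual System") stay whole.
_PAIR = re.compile(r"(?P<key>[^\s=\\]+)=(?P<val>.*?)(?=\s+[^\s=\\]+=|\s*$)")

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Constructed template: a trimmed copy of the CEF threat format with every pair
# separated by a space, as it should be.
GOOD_TEMPLATE = (
    "CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|"
    "rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst "
    "sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst "
    "cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app "
    "cs3Label=Virtual System cs3=$vsys request=$misc externalId=$seqno cat=$threatid"
)
# Constructed template with two pairs run together (no space before "app=" and
# before "cat="), the kind of slip a copy-pasted, line-wrapped format invites.
BROKEN_TEMPLATE = (GOOD_TEMPLATE.replace(" app=$app", "app=$app")
                                .replace(" cat=$threatid", "cat=$threatid"))

# Constructed threat event as the firewall would render GOOD_TEMPLATE for a
# session with no NAT and no User-ID mapping (serial, IPs and IDs are placeholders).
SAMPLE_EVENT = (
    "CEF:0|Palo Alto Networks|PAN-OS|8.0.13|vulnerability|THREAT|3|"
    "rt=Jan 02 2019 10:15:42 GMT deviceExternalId=000000000000 src=10.1.2.3 dst=203.0.113.10 "
    "sourceTranslatedAddress= destinationTranslatedAddress= cs1Label=Rule cs1=allow-outbound-web "
    "suser= duser= app=web-browsing cs3Label=Virtual System cs3=vsys1 "
    "request=/index.php?id=1 externalId=123456 cat=12345"
)
# The same event rendered from BROKEN_TEMPLATE.
BROKEN_EVENT = (SAMPLE_EVENT.replace(" app=web-browsing", "app=web-browsing")
                            .replace(" cat=12345", "cat=12345"))


def parse_cef(line):
    """Return (header, extension) dicts; raise ValueError if the header is malformed."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    extension = {m.group("key"): m.group("val") for m in _PAIR.finditer(parts[7])}
    return header, extension


def lint_template(template):
    """Keys in a format template whose value still contains another 'key=' pair.

    'duser=$dstuserapp=$app' parses as key 'duser' with value '$dstuserapp=$app':
    the firewall would emit the destination user glued to 'app=' and no 'app'
    key of its own, so the collector sees that field as missing."""
    _, ext = parse_cef(template)
    return sorted(k for k, v in ext.items() if "=" in v.replace("\\=", ""))


def lint_event(template, line):
    """Compare one rendered line with its template.

    Returns (missing, empty): keys the template promises but the line lacks,
    and keys that arrive with an empty value. Empty NAT or user fields on a
    session without NAT or User-ID are expected; a missing key points at the
    format string or the forwarding profile, not at the session."""
    _, expected = parse_cef(template)
    _, got = parse_cef(line)
    missing = sorted(k for k in expected if k not in got)
    empty = sorted(k for k, v in got.items() if v == "")
    return missing, empty


if __name__ == "__main__":
    for name, tpl in (("good", GOOD_TEMPLATE), ("broken", BROKEN_TEMPLATE)):
        print(f"{name} template, fused pairs: {lint_template(tpl)}")
    for name, ev in (("good", SAMPLE_EVENT), ("broken", BROKEN_EVENT)):
        missing, empty = lint_event(GOOD_TEMPLATE, ev)
        print(f"{name} event: missing={missing} empty={empty}")
```

Run against real forwarded lines, `lint_event` separates the two cases the thread is circling: a key that is present but empty (normal for a threat log on a session without NAT or a User-ID mapping) versus a key that never appears, which is what a fused `key=$varkey=$var` pair or a log forwarding profile that does not send the threat subtype produces. `lint_template` catches the fused-pair case before the format is pasted into the syslog server profile.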
L2 Linker

Re: Palo Alto Threat Events Not forwarded

Hi,

We are using PAN-OS 8.0.13 but the document shows PAN-OS 7.1!

Is that not an issue?

Regards

Karthikeyan

L2 Linker

Re: Palo Alto Threat Events Not forwarded

Hi,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEcCAK

I found the above KB article for 8.0.X. Is that OK?

Best Regards

Karthikeyan Balamurugan

L2 Linker

Re: Palo Alto Threat Events Not forwarded

We are using CEF format.