Slack

by rkemburu on ‎08-17-2017 10:24 AM (7,188 Views)

PAN-OS 8.0 HTTP Log Integration with Slack

 

This document assumes that you have already created a Slack team.  This sample integration was done with a free Slack account. 

 

Once you have created your Slack team, login to your slack account and add an “Incoming Webhooks” custom integration on the slack website.  During that configuration, you will select the channel where the message will be broadcast (#general in this example).  You will also receive a Webhook URL, and an opportunity to customize the Name and Icon for the source of the message. 

 

Here’s a screenshot of the Incoming Webhooks configuration on the slack website: 

 

 

Picture71.png

  

Next, configure an HTTP Server Profile in PAN-OS 8.0.  Use the first part of the Webhooks URL in the “Address” field.  In this example, it is “hooks.slack.com” using HTTPS on 443 with the POST HTTP method.  Username/Password are not required for this particular integration. 

Picture72.png

 

 Personally, I was interested in specific “system” events, so this document focuses on the system-level logs.  Similar integrations could easily be done with traffic, threat, and/or URL logs. 

Picture73.png

  

This is what the System format looks like:

Picture74.png

 

 

 

In the URI Format box, provide the URI portion of the Slack-provided Incoming Webhooks URL, beginning with /service

 

The content-type must be application/json

 

Leave the Parameters field blank.

 

The Payload input box accepts the default Slack-preferred JSON format as documented here:  https://api.slack.com/incoming-webhooks

 

No additional escaping is required to add the PAN-OS provided variables to the payload.  In this example, I’m using a rich-formatted “attachments” message from Slack, although the basic format works perfectly as well. 

 

Here are two samples that you should be able to cut&paste:

 

Rich Format Message:

 

{

    "attachments": [

        {

            "fallback": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------",

            "text": "$time_generated: <https://pa0.example.com|pa0> reports $severity $subtype event:\n$opaque",

            "color": "danger"

        }

    ]

}

 

 

Simple Format Message:

 

{

    "text": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------"

}

 

Since I was mainly interested in system-level events, I tied it all together in the Device / Log Settings tab.  I haven’t narrowed-down exactly what I want to see in the slack channel, but for the purposes of this test, I wanted to see non-informational ha or crypto events, so used the following system log filter:

 

(( subtype eq ha ) or (subtype eq crypto)) and ( severity neq informational )

 

I matched that with the “Slack System Event 1” created earlier.  The configuration looks like this:Picture75.png

 Here’s what I see on my desktop in the Slack app when I initiate a manual HA state change via the PAN-OS GUI:Picture76.png

 

 

 

Looks good on the phone too:Picture77.pngCreated by Jared Valentine - Systems Engineer

Comments
by whofstetter
on ‎12-29-2017 06:49 AM

Nice articel! I just tried to follow theser steps, unfortunately my PA-200 say:

Failed to send HTTP request: hooks.slack.com: Peer certificate cannot be authenticated with given CA certificates
 
Not sure what's the rootcause, I used that slack account with NTOP before and just verified with curl from a Linux machine that the webhook does work.
 
I'll keep trying :-)
by Sath
on ‎04-26-2018 01:07 AM

what PAN OS version you are using?

by whofstetter
on ‎04-26-2018 01:22 AM

Sorry, didn't repor


@rkemburu wrote:

PAN-OS 8.0 HTTP Log Integration with Slack

 

This document assumes that you have already created a Slack team.  This sample integration was done with a free Slack account. 

 

Once you have created your Slack team, login to your slack account and add an “Incoming Webhooks” custom integration on the slack website.  During that configuration, you will select the channel where the message will be broadcast (#general in this example).  You will also receive a Webhook URL, and an opportunity to customize the Name and Icon for the source of the message. 

 

Here’s a screenshot of the Incoming Webhooks configuration on the slack website: 

 

 

Picture71.png

  

Next, configure an HTTP Server Profile in PAN-OS 8.0.  Use the first part of the Webhooks URL in the “Address” field.  In this example, it is “hooks.slack.com” using HTTPS on 443 with the POST HTTP method.  Username/Password are not required for this particular integration. 

Picture72.png

 

 Personally, I was interested in specific “system” events, so this document focuses on the system-level logs.  Similar integrations could easily be done with traffic, threat, and/or URL logs. 

Picture73.png

  

This is what the System format looks like:

Picture74.png

 

 

 

In the URI Format box, provide the URI portion of the Slack-provided Incoming Webhooks URL, beginning with /service

 

The content-type must be application/json

 

Leave the Parameters field blank.

 

The Payload input box accepts the default Slack-preferred JSON format as documented here:  https://api.slack.com/incoming-webhooks

 

No additional escaping is required to add the PAN-OS provided variables to the payload.  In this example, I’m using a rich-formatted “attachments” message from Slack, although the basic format works perfectly as well. 

 

Here are two samples that you should be able to cut&paste:

 

Rich Format Message:

 

{

    "attachments": [

        {

            "fallback": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------",

            "text": "$time_generated: <https://pa0.example.com|pa0> reports $severity $subtype event:\n$opaque",

            "color": "danger"

        }

    ]

}

 

 

Simple Format Message:

 

{

    "text": "$time_generated $device_name reports $severity $subtype event:\n $opaque\n--------"

}

 

Since I was mainly interested in system-level events, I tied it all together in the Device / Log Settings tab.  I haven’t narrowed-down exactly what I want to see in the slack channel, but for the purposes of this test, I wanted to see non-informational ha or crypto events, so used the following system log filter:

 

(( subtype eq ha ) or (subtype eq crypto)) and ( severity neq informational )

 

I matched that with the “Slack System Event 1” created earlier.  The configuration looks like this:Picture75.png

 Here’s what I see on my desktop in the Slack app when I initiate a manual HA state change via the PAN-OS GUI:Picture76.png

 

 

 

Looks good on the phone too:Picture77.pngCreated by Jared Valentine - Systems Engineer



t back - It does work just fine. As far as I remember I suffered from a cert issue. Regards, Walter

by Sath
on ‎04-26-2018 01:26 AM

ya that was bug earlier, instead of using default trust certificates, it used device certificates to connect to hooks.slack.com.
now that is fixed.

by ArienSeghetti
on ‎04-29-2018 09:43 AM

What kind of certs do you need on the Firewall in order to do this slack integration? 

by Alex_Gomez
on ‎05-19-2018 03:14 AM

For some reason i am confiruing everything correctly but it does not like using this 

$opaque\n if i remove it and test test by sending log to slack it works any ideas?

by HJames
on ‎06-14-2018 03:47 AM

@Alex_Gomez This is fixed in PAN-OS 8.1.2

Ask Questions Get Answers Join the Live Community
Labels
Contributors