The syslog miner can be used to extract indicators from logs coming from Palo Alto Networks next-generation firewall platforms.
1. Adding a syslog Miner
In CONFIG, click on the browse prototypes button and select the stdlib.syslogMiner prototype.
Inside the prototype, click on CLONE to create a new node based on the prototype.
2. Configuring the Miner
Specify a name for the new Miner, enable OUTPUT and click OK.
3. Connecting the Miner
Connect the new Miner to the inboundaggregator node and press COMMIT.
4. Configuring syslog forwarding on PAN-OS
Please refer to the PAN-OS Administration Guide for your PAN-OS version for instructions on how to configure log forwarding to a syslog server. By default the syslog server on the MineMeld VM listens for PAN-OS syslog messages on port tcp/13514, so the syslog server profile on the firewall must point at the MineMeld VM address, transport TCP, port 13514, and the log forwarding profile that uses it must be attached to the security policy rules whose logs you want mined.
5. Checking if syslog messages are received
In NODES, click on the new syslog Miner and select the STATS tab. Check the SYSLOG.PROCESSED metric; this counter is incremented every time the Miner receives a syslog message. If it stays at zero after the firewall has generated matching log entries, verify that the firewall can reach the MineMeld VM on tcp/13514 and that the log forwarding profile is actually attached to the rules producing the traffic.
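To exercise the whole chain end to end without waiting for real firewall traffic, the script below builds a syslog frame carrying a constructed PAN-OS THREAT log line, shows which fields of that line a syslog Miner would turn into indicators, and can push the frame to tcp/13514 so that SYSLOG.PROCESSED should increment. This is an added example, not MineMeld's or Palo Alto Networks' own code. It assumes the PAN-OS threat log CSV field order (FUTURE_USE, Receive Time, Serial, Type, Subtype, ..., Source Address in the 8th field, Destination Address in the 9th, URL/Filename in the 32nd), newline-terminated TCP framing as accepted by rsyslog, and the hostname pa-vm-1; check the field order against the PAN-OS Administration Guide for your version before relying on the column indices.

```python
"""Send a constructed PAN-OS THREAT log to a MineMeld syslog Miner and list
the indicators it carries. Added example; field positions are assumed from the
PAN-OS threat log syslog layout and must be verified for your PAN-OS version."""
import csv
import re
import socket
import sys
from datetime import datetime

# Constructed sample THREAT/url log (not a real event). Fields 0..34 follow the
# assumed PAN-OS order; trailing fields after Severity are omitted for brevity.
SAMPLE_LOG = (
    "1,2019/05/20 10:15:32,001801012345,THREAT,url,2049,2019/05/20 10:15:32,"
    "10.1.1.25,203.0.113.7,0.0.0.0,0.0.0.0,allow-web,domain\\jdoe,,web-browsing,"
    "vsys1,trust,untrust,ethernet1/2,ethernet1/1,forward-to-minemeld,"
    "2019/05/20 10:15:32,12345,1,51234,80,0,0,0x8000,tcp,block-url,"
    "\"bad.example.net/login.php?a=1,b=2\",(9999),malware,medium"
)

# Assumed 0-based column indices in the PAN-OS CSV body.
F_TYPE, F_SUBTYPE, F_SRC, F_DST, F_URL = 3, 4, 7, 8, 31

# RFC 3164 header: <PRI>MMM dd HH:MM:SS hostname  (PRI 14 = user.info).
_HEADER_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")


def build_syslog_frame(body, hostname="pa-vm-1", when=None, pri=14):
    """Wrap a PAN-OS CSV body in a BSD syslog header, newline terminated (assumed framing)."""
    when = when or datetime.now()
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s\n" % (pri, stamp, hostname, body)


def strip_syslog_header(frame):
    """Return the CSV body of a frame produced by build_syslog_frame (or a PAN-OS sender)."""
    return _HEADER_RE.sub("", frame.rstrip("\r\n"), count=1)


def extract_indicators(body):
    """Parse one PAN-OS CSV log body and return the indicator candidates it carries.

    Uses csv.reader so a quoted URL containing commas does not shift the columns.
    Raises ValueError on lines that are too short to hold the assumed fields.
    """
    fields = next(csv.reader([body]))
    if len(fields) <= F_DST:
        raise ValueError("too few fields (%d) for a PAN-OS log line" % len(fields))
    log_type, subtype = fields[F_TYPE], fields[F_SUBTYPE]
    indicators = [("IPv4", fields[F_SRC], "source"), ("IPv4", fields[F_DST], "destination")]
    # Only THREAT logs carry a URL/Filename column worth mining; the NAT 0.0.0.0
    # placeholders and empty fields are never reported as indicators.
    if log_type == "THREAT" and len(fields) > F_URL and fields[F_URL]:
        indicators.append(("URL", fields[F_URL], "url"))
    indicators = [i for i in indicators if i[1] and i[1] != "0.0.0.0"]
    return {"log_type": log_type, "subtype": subtype, "indicators": indicators}


def send_to_miner(frame, host, port=13514, timeout=5.0):
    """Deliver one frame over TCP to the MineMeld VM; returns bytes sent."""
    data = frame.encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    frame = build_syslog_frame(SAMPLE_LOG)
    for kind, value, role in extract_indicators(strip_syslog_header(frame))["indicators"]:
        print("%-4s %-12s %s" % (kind, role, value))
    if len(sys.argv) > 1:  # python send_panos_log.py <minemeld-vm-address>
        print("sent %d bytes" % send_to_miner(frame, sys.argv[1]))
```

Run it with the MineMeld VM address as the only argument, then re-check SYSLOG.PROCESSED in the STATS tab; without an argument it only prints the indicators the constructed line would yield.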
A full list of the Miner's parameters can be found in the following Python script: