PanOS 11 Logs not recognized via Syslog

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PanOS 11 Logs not recognized via Syslog

L1 Bithead

Hello,

 

We are currently using Expedition 1.2.49 with a PanOS 11 Firewall and we are sending the logs to the Expedition Server via Syslog.

 

After some initial hiccups with setting up the Firewall for Syslog recieving, which we solved ourselves by enabling syslog via iptables (this should be added to the LogAnalysisGuide):

sudo iptables -I INPUT 1 -p udp --dport 514 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp --dport 514 -j ACCEPT
sudo sh -c "iptables-save > /etc/iptables/rules.v4"

 

In the current Expedition version we are running, it seems that the PanOS log format is only detected when there is a specific header in the CSV file on the first line. This is not the case for syslog files, therefore the detection logic with regex (that is implemented in discoverTrafficVersion in the /var/www/html/libs/file_functions.php File) is not working and is showing unsupported. The regex for PanOS 11 is completely missing in this file.

 

If you manually add the header for version 11.0.0 to the traffic log files found in /var/www/html/libs/file_functions.php, the detection is working fine:

MicrosoftTeams-image (5).png

 

Due to this version detection not working, the ML "fails", since it will never find logs that are in a supported format and it will not process any logs. Therefore /tmp/error_logCoCo will show no files that are processed, since unknown versions, are not added to the log output (It took us a while to get this info).Therefore it will always look like as if ML is not finding any logs, even though they are there and in the correct folder, permissions are correct and so on.

 

As a workaround we manually edited the PHP file, to mark the version as 11.0.0 instead of unknown.

 

Is there a timeline when PanOS 11 will be fully supported in Expedition?

 

Thanks and kind regards

1 REPLY 1

L6 Presenter

Hi @AlexHalbarth We need an example of the syslog file for further testing, can you please send an sample syslog file in csv to fwmigrate@paloaltonetworks.com

  • 1409 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!