Forwarding logs to MS Sentinel

@SCantwell_IM : Thanks for that. Was only not sure about MS Sentenial. So, if it accepts syslog msgs then I should be fine.

@SCantwell_IM : the issue is, through log forwarding all the data from TRAFFIC, CONFIG is reaching the MS Sentential except for DATA filtering. Below is the config we did for the data filtering (CEF- style Log Format is copied)

PA version: 10.1.4-h4

@MP18 

Hi @Pras ,

I would suggest you to validate your Data Logs format. I had issues with copy-pasting from this PDF file - there were some non-printable characters when copy from the PDF. I would suggest you to paste format into text editor and check enable "show all characters" (I personally prefer NotePad++.

We don't forward data logs to Sentinel (yet), but below is what we have in our FWs (without any extra chars)

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSRuleUUID=$rule_uuid

Thanks a lot, @aleksandar.astardzhiev : will follow this too and update 

Hi @Pras 

I don't expect FW being "dropping" the logs, for me it is more likely for the Azure to drop them because they are failing to match the CEF format. On the CEF collector there is regex pattern which if not matched log will not be forwarded to Sentinel.

You could try to run a packet capture on the firewall to confirm that Data Filtering logs. You can use the tcpdump https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS and filter based on syslog collector address.

Note that there is no way to capture only data filtering logs, so depending on your traffic your capture could filled up with traffic logs. So you could consider doing this when there is less traffic and if possible to trigger data filtering log, so to be sure that there is such event during the capture.