How can I send Palo Alto Firewall Syslog as JSON format to a Syslog Server?


L1 Bithead

 

I have purchased a PA-440 Palo Alto Firewall. I want to send Syslog from it to an Ubuntu Server in JSON format.


I am sending Syslog from the firewall to an Ubuntu Server using "Device > Server Profiles > Syslog":

[Screenshot: 02_syslog_server_profile_traffic.png]

The syslogs that I receive look like this, and are CSV(?) - not JSON:

<14>Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0


I have managed to send JSON traffic using a Fortigate firewall, so I would imagine that Palo Alto could do the same.

2 REPLIES

Community Team Member

Hi @SoloSigma ,

 

Currently, there isn't native support for sending syslog in JSON. You can try retrieving JSON logs via the API.

LIVEcommunity team member
Stay Secure,
Jay
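
Because the firewall emits only the comma-separated form shown in the question, the conversion to JSON can also be done on the receiving Ubuntu server. The following is an added example, not part of the original thread and not Palo Alto code: it strips the syslog header and maps the leading columns of a TRAFFIC record to JSON keys. The key names and the shortened sample line are assumptions made for this example.

```python
import csv
import json
import re

# Labels for the leading columns of a TRAFFIC record. Assumed names for this
# example, checked only against the question's sample; None = left unlabelled.
FIELDS = [
    None, "receive_time", "serial", "type", "subtype", None, "generated_time",
    "src", "dst", "nat_src", "nat_dst", "rule", "src_user", "dst_user", "app",
    "vsys", "from_zone", "to_zone", "inbound_if", "outbound_if", "log_action",
    None, "session_id", "repeat_count", "src_port", "dst_port", "nat_src_port",
    "nat_dst_port", "flags", "proto", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start_time", "elapsed", "category", None,
    "seqno", "action_flags", "src_location", "dst_location", None,
    "pkts_sent", "pkts_received", "session_end_reason",
]
# seqno stays a string: it exceeds the 2**53 range many JSON consumers handle.
INT_FIELDS = {"session_id", "repeat_count", "src_port", "dst_port", "nat_src_port",
              "nat_dst_port", "bytes", "bytes_sent", "bytes_received", "packets",
              "elapsed", "pkts_sent", "pkts_received"}
# "<PRI>Mmm dd hh:mm:ss HOST payload", the header form seen in the sample.
HEADER = re.compile(r"^<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")

# Constructed sample: the question's line, shortened, with placeholder values.
SAMPLE = ('<14>Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,000000000000,TRAFFIC,'
          'end,2561,2024/09/23 20:01:11,10.10.10.103,203.0.113.21,192.168.10.20,'
          '198.51.100.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,'
          'fwd-profile,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,'
          'tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,'
          '7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,'
          '"used-by-malware,pervasive-use",ssl')

def parse_traffic(line):
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("unexpected syslog header")
    pri, host, payload = m.groups()
    row = next(csv.reader([payload]))  # not str.split: quoted fields hold commas
    if len(row) < len(FIELDS) or row[3] != "TRAFFIC":
        raise ValueError("not a TRAFFIC record")
    event = {"syslog_pri": int(pri), "syslog_host": host}
    for name, value in zip(FIELDS, row):
        if name and value:
            event[name] = int(value) if name in INT_FIELDS and value.isdigit() else value
    event["extra"] = row[len(FIELDS):]  # unlabelled trailing columns, kept as-is
    return event

if __name__ == "__main__":
    print(json.dumps(parse_traffic(SAMPLE), sort_keys=True))
```

Lines that are not TRAFFIC records raise `ValueError`, so other log types can be routed to their own column maps instead of being mislabelled.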

Are there any plans to make it an option to send Syslogs as JSON?
