Output detailed HIP logs to syslog

Reply
Highlighted
L1 Bithead

Output detailed HIP logs to syslog

Does anybody know how to output the detailed HIP match logs to syslog?

As it stands, we've got to go to Monitor > HIP Match > Magnifying Glass Icon to see them.

We'd like to send this rich data set to Splunk or another tool to write reports against. 

 

 

scresnshot.png

Highlighted
L7 Applicator

I use HIP myself and only log to panorama but there is a setting in device\log settings for HIP, have you tried this, it only displays a match and what you called the HIP check so may not be enough information.

Highlighted
L1 Bithead

I'm already sending Hip Match logs off via syslog, but it is only summary logs. It does not have the rich data that you get when you hit the magnifying glass.

 

 

Highlighted
L1 Bithead

I have the same question as starting to implement this. 

Is there a back end database or a CLI command that will output the rich info that magnifier glass provides ? I am guessing there is a way to do it since the data is there and available. Creating the HIP Objects and Profiles is good but is just basic info and is mostly on/off  for example if a system has antivirus or not, if installed or not, does not give specific info with the version and version number. 

Looking on how to pull the rich info that the magnifier glass provides. 

Help appreciated. 

Highlighted
L7 Applicator

Have a look here...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClshCAC

 

Not had chance myself as the wine doth floweth at a somewhat rapid pace...

 

a bit of scripting or api call may be required for automation.

 

 

 

 

Highlighted
Cyber Elite

@m.horne,

As @MickBall's KB article states, this is kept in a local database and isn't really exposed in an easy format to get it exported off of the firewall. The firewall's own API isn't going to be very handy in this type of situation either, given the nature of the command required to access information held in that local database. 

I would actually look at pulling in the client's GlobalProtect logs instead of dumping them from the firewall's database. That's easier to maintain and will give you the information in the exact same format if it's desired. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!