Panorama system logs -> Sending to Slack via HTTP profile -> NEED TO SEND PANORAMA DEVICE HOSTNAME


L2 Linker

I am using an HTTP profile to send PANORAMA CRITICAL SYSTEM events to Slack. The integration is working well.

My Panoramas are an A/P HA cluster. The issue that I have is that I'm unable to delineate the device names via the HTTP profile payload (because the HTTP profile payload gets duplicated between both the active and the passive device).

Here's my HTTP profile SYSTEM payload:

{"text": "*Panorama System Log*\n
*Device Name*:$device_name\n
*Receive Time*: $receive_time *Severity:* $severity *Type*: $subtype\n
*Log Message:* $opaque"}

This works well except for the $device_name variable (variable, i.e. system log field). For my Panorama instance, the $device_name returns IP address 1.1.1.1. I would expect it to return the device's hostname.

In reviewing the System log fields documentation, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...
the field "device_name" is described as "the hostname of the firewall on which the session was logged". The key word here is "firewall" as this does not seem to function correctly for Panorama.

In a nutshell, I want to include the Panorama hostname (or Panorama mgmt IP address) within the log (alert) output. That way I know which device in the HA pair is generating the log/alert. For a Panorama A/P HA pair, the HTTP profile payload is duplicated across both devices, and therefore I cannot hard code the device name in the payload; I need to use a variable (i.e. system log field name). Does anybody know how I can get the Panorama hostname or mgmt IP address to show up in the output? How would I build the HTTP Profile SYSTEM payload? Any ideas are appreciated. Thanks!

2 REPLIES

L7 Applicator

I know you say that the Device name does not show up properly, but what about the serial #? 

"Serial Number (serial)"

Is it showing up? And is that unique?

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hi @jdelio Thanks for responding.

I tried this during my testing. When I send the serial number ($serial), both the Active and the Passive Panorama return the same 10-digit number. If I search the config for this 10-digit number (show | match <number>) I can't find a record of the number anywhere in the config.

FYI both my Panorama serial numbers are 12-digit numbers.
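
One way to tell the HA peers apart when neither $device_name nor $serial distinguishes them, as an added example that is not from the thread or from Palo Alto Networks: point the HTTP profile at a small relay that stamps each alert with the sender's source address before forwarding it to Slack. The peer addresses, peer names, listening port and webhook URL are placeholders, and it assumes each Panorama reaches the relay from its own management IP with no NAT in between.

```python
import json
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: documentation-range addresses and placeholder names,
# not taken from the thread.
PEERS = {"192.0.2.11": "panorama-a", "192.0.2.12": "panorama-b"}
SLACK_WEBHOOK = "https://hooks.slack.com/services/PLACEHOLDER"
MAX_BODY = 64 * 1024  # refuse oversized posts


def tag_alert(body, source_ip, peers=PEERS):
    """Return a Slack message naming the sending peer, or None if the
    source address is not one of the known HA peers."""
    name = peers.get(source_ip)
    if name is None:
        return None
    raw = body.decode("utf-8", "replace")
    try:
        # strict=False accepts literal newlines inside the JSON string,
        # which a multi-line payload template can produce.
        text = json.loads(raw, strict=False)["text"]
    except (ValueError, KeyError, TypeError):
        # e.g. an unescaped quote in the log message: forward the raw body
        # instead of losing the alert.
        text = raw
    return {"text": f"*Sent by*: {name} ({source_ip})\n{text}"}


class Relay(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length > MAX_BODY:
            self.send_error(413)
            return
        msg = tag_alert(self.rfile.read(length), self.client_address[0])
        if msg is None:  # only the two peers may post through the relay
            self.send_error(403)
            return
        req = urllib.request.Request(
            SLACK_WEBHOOK, data=json.dumps(msg).encode(),
            headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=5)
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Relay).serve_forever()
```

The existing payload can stay identical on both peers, because the distinguishing field is added by the relay rather than by a log variable. Put TLS in front of the listener so the alert text does not cross the network in the clear.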
