Syslog configuration to Sumo Logic in PAN-OS 7.1


L2 Linker


Hi, all.

I'm looking for some reference on integrating with Sumo Logic for the syslog setting.

My customer wants to receive logs from the PA FW.

I'm looking at guides on both the Sumo Logic web site and the Live Community here, but I think more information is needed, or I configured it in the wrong way.

Syslog Server: syslog.collection.us2.sumologic.com
Transport: TCP TLS Port (set as 'SSL'; when I set it as 'TCP', a connection error occurred)
Port: 6514

[image: syslog-configuration-file.PNG]
1-1. Syslog Server Profile

[image: system-log-file.PNG]
1-2. System Log; connection error (when I set 'TCP' instead of 'SSL' in the 'Transport' tab in 1-1)

The customer said I think I should use the 'Token' below, as in 1-3, but I think something is wrong.

[image: token-file.PNG]
1-3. Sample - Token/Host/TCP TLS Port

####

After I configured it like 1-1 and set log settings in system and policies, I could see the session connected in the session browser without disconnection.

But there were no logs on the Sumo Logic server.

I think more configuration is needed to integrate well.

I'm suspecting a Syslog Server Address problem, and some additional SSL-related configuration.

e.g. generating a certificate (but there was no 'Secure Syslog' check box option in PAN-OS 7.1), and so on.

If someone has done this integration, Sumo Logic with PAN-OS 7.1, please let me know the solution.

Have a great day 😄

Accepted Solution (5 replies)

L2 Linker

Solved.

I should've noticed that I needed to install the 'Installed Collector' as a syslog server.

I misunderstood, and TCP/UDP are supported.

[image: syslog-monitor.png]

The customer asked another one: deploying with a 'Hosted Collector'.

A Hosted Collector needs rsyslog or syslog-ng; I should look into it.

I think it is more complicated to configure. Anyway.

Have a great day

Hi!
I'm currently facing the same issue. I followed the SL documentation and I wasn't able to forward any logs (status always "None" from SL).

Could you please share the steps (or document) that you followed in order to solve this? Did you change the transport to TCP/UDP instead of SSL?

Many thanks!

L0 Member

If you want to make the hosted collector work, you need to do the below setup.

By default, the PA syslog only supports 1.2, forced; you need to skip it.

https://weberblog.net/palo-alto-syslog-via-tls/

configure>
set syslogng-ssl-conn-validation explicit OCSP skip CRL skip EKU skip
set syslogng-ssl-conn-validation all-conns skip

syslogng ssl connection validation settings:
all-conns:skip
crl:skip
ocsp:skip
eku:skip

This worked fantastic for me, but I have one question: after making this change, is it permanent? I see no way to commit or save it.
