Using variable for PANOS version when using CEF (Arcsight)?


L6 Presenter

According to https://live.paloaltonetworks.com/docs/DOC-2835 the (current) certified formats for use with CEF are:

Traffic

CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno

Threat

CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action msg=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype

Config

CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno

System

CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $eventid|$type $eventid|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$fmt externalId=$seqno

HIP Match

CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $hip|$type $hiptype|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno

A drawback with the above is that the software version field is hardcoded to 4.1.0, which means that each time PANOS is updated the technician must update the CEF strings (which will most likely fail once in a while).

Is there a reason why there is no $version available, or is it possible that such a variable could show up if I file this as a feature request with my sales engineer (or did I just miss which variable to use)?
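As an added example that is not part of the original post (and not Palo Alto Networks' or ArcSight's code), the script below renders the Config template from the thread into a CEF line with the escaping the CEF spec requires (backslash and pipe in header fields; backslash, `=` and newlines in extension values), parses it back on the collector side, and exposes the hardcoded device-version header field so a collector can flag lines whose stated version does not match what the firewall actually runs (e.g. from an inventory). The sample record values and the `fw-lab-01` host are constructed for the example; the `version_mismatch` check is an assumption about how one might monitor the hardcoded field, not a PAN-OS or ArcSight feature.

```python
"""Render and parse PAN-OS-style CEF lines (added example, not vendor code).

Assumptions: ArcSight CEF escaping rules (header fields escape '\\' and '|';
extension values escape '\\', '=' and newlines) and a constructed sample record.
"""
import re
from typing import Dict, List, Tuple

# Template copied from the thread (PAN-OS 4.1 "Config" CEF format).
CONFIG_TEMPLATE = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $result|$type|1|"
    "rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host "
    "cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin "
    "destinationServiceName=$client msg=$path externalId=$seqno"
)

SAMPLE_RECORD = {  # constructed values, not from a real firewall
    "subtype": "commit", "result": "Succeeded", "type": "CONFIG",
    "cef-formatted-receive_time": "Jan 02 2013 10:11:12",
    "serial": "0000000000000", "host": "fw-lab-01", "vsys": "vsys1",
    "cmd": "commit", "admin": "admin", "client": "Web",
    # Contains '=' so the extension escaping is exercised.
    "path": "/config/devices/entry[@name='localhost.localdomain']",
    "seqno": "42",
}

VAR_RE = re.compile(r"\$[A-Za-z0-9_-]+")          # $variable in a template
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")  # key= at start or after space


def escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: backslash, '=' and newlines must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def render(template: str, record: Dict[str, str]) -> str:
    """Substitute $variables into a template, escaping by position in the line."""
    parts = template.split("|", 7)  # 7 header fields, then the extension
    if len(parts) != 8:
        raise ValueError("template must have 7 pipe-delimited header fields")

    def sub(esc):
        return lambda m: esc(record.get(m.group(0)[1:], ""))

    header = [VAR_RE.sub(sub(escape_header), p) for p in parts[:7]]
    extension = VAR_RE.sub(sub(escape_extension), parts[7])
    return "|".join(header + [extension])


def split_header(line: str) -> Tuple[List[str], str]:
    """Split the 7 header fields on unescaped pipes; the remainder is the extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):     # escaped char: keep literally
            buf.append(line[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]


def unescape(raw: str) -> str:
    """Undo extension escaping: \\= \\\\ \\n \\r."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1])); i += 2
        else:
            out.append(raw[i]); i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Values run from after 'key=' to the next unescaped ' key='; spaces are allowed."""
    out, matches = {}, list(KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end])
    return out


def parse(line: str) -> Dict[str, object]:
    fields, ext = split_header(line)
    if fields[0] != "CEF:0":
        raise ValueError("unsupported CEF version: %r" % fields[0])
    return {"vendor": fields[1], "product": fields[2], "device_version": fields[3],
            "signature_id": fields[4], "name": fields[5], "severity": fields[6],
            "extension": parse_extension(ext)}


def version_mismatch(line: str, actual_version: str) -> bool:
    """True when the hardcoded header version differs from the firewall's real version."""
    return parse(line)["device_version"] != actual_version


if __name__ == "__main__":
    cef = render(CONFIG_TEMPLATE, SAMPLE_RECORD)
    print(cef)
    print(parse(cef))
    print("stale version field:", version_mismatch(cef, "5.0.0"))
```

The collector-side check is the practical point: while the version field stays hardcoded in the syslog profile, comparing the parsed `device_version` against the version recorded for that `deviceExternalId` (serial) in inventory is the only way to notice that a profile was not updated after an upgrade.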

1 accepted solution

Accepted Solutions

L6 Presenter

Currently there is no variable for the Pan-OS version and hard coding is the only way. There is a feature request open for this. Please check with your Sales so that this gets implemented in the future.


Thanks,
Sandeep T


4 Replies


Hi
Is there any non-CEF standard format for making the Palo Alto firewalls (version 4.1.x) communicate successfully with the HP ArcSight servers:

Currently we are trying the following but getting inconsistent results per firewall.

Grateful if you can advise please.

Traffic 

1,$receive_time,$serial,$type,$subtype,1,$receive_time,$src,$dst,$natsrc,$natdst,$rule,$srcuser,$dstuser,$app,$vsys,$from,$to,$inbound_if,$outbound_if,$logset,$receive_time,$sessionid,$repeatcnt,$sport,$dport,$natsport,$natdport,$flags,$proto,$action,$bytes,$bytes,0,$pkts_sent,$receive_time,$elapsed,$category,0,$seqno,$actionflags,$srcloc,0,$pkts_received,$pkts_sent,traffic:$action:$risk-of-app,$bytes_sent,$bytes_received

The traffic information to the Arcsight server comes as unclassified and the device name is missing.

I look forward to hearing from you shortly.

Many thanks

Mandip M

I guess using CEF is the way to go if you want logs from your PA into your ArcSight.

You could of course create some flexconnector parser (I think it's called) but you would need to do this manually, and I don't know how this would handle any whitespace characters (not to mention that you need to verify this for each major version of PA).

But sure, using a more "raw" format of the logging would save quite a few bytes compared to the CEF format. With CEF you have an estimated overhead of 604 bytes per log message which is then thrown away by the log collector. That is approx. 48.32 Mbit/s of unnecessary stuff on the network link at a rate of 10,000 msgs/sec.

Would be nice if PA could create an official parser lib for the flexconnector (or whatever its called) which is then maintained and tested for various major versions.

Does anyone know of any status regarding a panos_version variable for custom syslog formats, as well as the status of non-CEF formats for sending data from PA to an ArcSight installation (that is, avoiding the CEF overhead)?
