- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-10-2022 06:26 AM
Here’s the problem statement:
1] If Syslog UDP 514 is configured in PAN FW on-prem and vm-series, There were missing logs in AZ Sentinel, Incomplete logs is experienced and there were packets fragmentation.
2] MS Sentinel support recommended to changed syslog transport UDP to TCP 514.
3] If Syslog TCP 514 is configured in PAN FW, On-prem able to send syslog in Azure Sentinel and confirmed from Azure sentinel Azure side.
However all VM-series logs were not detected in Azure Sentinel, although FW is sending syslog traffic.
02-16-2022 12:04 AM
Hi @nurulams0 ,
From my knowledge you cannot ship syslogs directly to Azure Sentinel (LogAnalytics), you need to have "Microsoft Monitoring Agent" running on a Linux server. What this agent is actually doing is
- it running syslog server that will receive logs from Palo FWs
- it will do some parsing and ship the logs over HTTPS to Azure LogAnalytics Workspace
It is importent to note that Azure requires logs to use CEF format in order to properly parse the logs. By default PAN FWs are not using CEF, but allows you to define custom format, so you need to manually define formatting for each log type - https://docs.paloaltonetworks.com/resources/cef.html
- Are you using same server running MS Monitoring Agent (OMS) for both on-prem and VM firewalls?
- Have you made any changes to OMS agent syslog settings to listend on different port and protocols?
- Are you able to confirm that logs are received by the server running OMS agent? I usually prefer to run tcpdump so I can see with my own eys that packets from firewall are indeed ariving.
- If they are not ariving to the syslog server, have you checked if there is no firewall in the path? Note that Palo Alto App-ID for syslog is defining different default port for syslog over TCP, so if traffic is passing over PAN FW, which is allowing syslog app on default port it is probably blocking it
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!