09-23-2024 11:06 AM
On my Ubuntu Server I receive syslogs, that may look like this:
<14>Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0
I understand that there are different log types that can be sent, including
- Config
- System
- Threat
- Traffic
- URL
- Data
- WildFire
- Tunnel
- Authentication
- User-ID
- HIP Match
- Globalprotect
- Iptag
- Decryption
Is there any documentation that shows me how the different log types are constructed?
I need it in order to create a Regex that will convert syslog into JSON format.
09-24-2024 05:26 AM
09-23-2024 12:50 PM - edited 09-23-2024 12:52 PM
Hello,
Your SIEM might already be able to do this? I don't have an example that I can share, but it's along similar lines of comma-separated values. You could set up a simple syslog server to capture a few logs of each and then base it from there?
Here is what it shows in the help file for the two different types of syslogs the firewall can send.
Select the value that maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 3164 (BSD format) or RFC 5424 (IETF format).
Just a few thoughts.
09-23-2024 01:16 PM
@SoloSigma wrote:
On my Ubuntu Server I receive syslogs, that may look like this:
<14>Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0
I understand that there are different log types that can be sent, including
- Config
- System
- Threat
- Traffic
- URL
- Data
- WildFire
- Tunnel
- Authentication
- User-ID
- HIP Match
- Globalprotect
- Iptag
- Decryption
Is there any documentation that shows me how the different log types are constructed?
I need it in order to create a Regex that will convert syslog into JSON format.
Maybe this is what you're looking for? The LEEF fields?
https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-...
09-23-2024 11:22 PM
My SIEM tool is LimaCharlie, and it does not parse Palo Alto logs out of the box. Because of this I will have to create some Regex to convert Syslogs to JSON format.
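A parser along these lines, added here as an example and not part of this thread or of any LimaCharlie or Palo Alto code: it uses a regex only for the RFC 3164 syslog header and a CSV reader for the body, because the application-characteristics field near the end is double-quoted and itself contains commas, so a regex that just splits on "," misaligns everything after it. The positional field names are an assumption based on the PAN-OS traffic log field order and should be checked against the log reference for the firewall's PAN-OS version; fields beyond the mapped ones are kept in an "unmapped" list rather than dropped.

```python
import csv
import io
import json
import re
import sys

# BSD (RFC 3164) syslog header as the firewall sends it: <PRI>Mon DD HH:MM:SS host <CSV body>
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$"
)
# Positional names for the leading TRAFFIC fields. Assumed from the PAN-OS traffic
# log field order; check them against the log reference for your PAN-OS version.
TRAFFIC_FIELDS = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "src", "dst", "natsrc", "natdst", "rule", "srcuser", "dstuser",
    "app", "vsys", "from_zone", "to_zone", "inbound_if", "outbound_if", "logset",
    "future_use3", "sessionid", "repeatcnt", "sport", "dport", "natsport", "natdport",
    "flags", "proto", "action", "bytes", "bytes_sent", "bytes_received", "packets",
    "start", "elapsed", "category", "future_use4", "seqno", "actionflags", "srcloc",
    "dstloc", "future_use5", "pkts_sent", "pkts_received", "session_end_reason",
]
INT_FIELDS = ("sport", "dport", "bytes", "bytes_sent", "bytes_received", "packets",
              "pkts_sent", "pkts_received")


def parse_pan_syslog(line: str) -> dict:
    """Split off the syslog header, then parse the body as CSV (not a split on ',')."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    # csv.reader honours the double-quoted field (app characteristics) that itself
    # contains commas; a plain regex or str.split(",") would shift every later column.
    values = next(csv.reader(io.StringIO(m.group("body"))))
    if len(values) <= 3 or values[3] != "TRAFFIC":
        raise ValueError("only TRAFFIC logs are mapped here")
    event = {"facility": pri >> 3, "severity": pri & 7,
             "syslog_host": m.group("host"), "syslog_time": m.group("ts")}
    event.update(zip(TRAFFIC_FIELDS, values))
    event["unmapped"] = values[len(TRAFFIC_FIELDS):]  # keep, don't silently drop, the rest
    for key in INT_FIELDS:
        event[key] = int(event[key])
    return event


if __name__ == "__main__":
    for raw in sys.stdin:  # e.g. tail -f /var/log/syslog | python3 pan_traffic.py
        print(json.dumps(parse_pan_syslog(raw), sort_keys=True))
```

Run it with the syslog lines on stdin; each TRAFFIC line comes out as one JSON object per line, which is the shape most SIEM ingestion expects.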