Hey @AFaugno ,
I am curious if you find solution to your problem? It seems we may experience the same think.
Starting from PanOS 9.1 GlobalProtect logging was enhanced and moved to dedicate logs type/section. Before that they were subtype of System logs. So now if we want to forward GP logs to external we need to add it to the Device -> Log Settings config and specific GP logs to be forwarded to the syslog server.
In addition under Device -> Syslog Server Profile -> Custom Format there is new type that needs to be re-formatted to use CEF format.
The bizarre think is that GlobalProtect is not defined in the CEF guide for 9.1 PAN-OS 9.1 CEF Configuration Guide (paloaltonetworks.com)
It is mentioned for 10.0 - MF_ Palo Alto Networks_NGFW_PANOS 10.0 _ArcSight_CEF_Integration_Guide
Unfortunately using GP CEF format for 10.0 in 9.1 may be a problem as we still don't see GP CEF logs in SIEM after configuring it according to above steps.
I am wondering if anyone else have similar issue.
I am writing this here if someone else face any issues with forwarding logs in CEF format.
It seems the documentation for CEF formatting here have several issues Common Event Format (CEF) Configuration Guides (paloaltonetworks.com)
1. Dedicated GlobalProtect log type was introdused in PanOS 9.1, but this type format is missing from 9.1 CEF format guide
2. GP format log can be found in 10.0 format guide, but it has several issues which could cause parsing issues and missing this type of logs in your SIEM
- GP logs were greatly enhanced in 10.0 and there are several log fields which are not supported by 9.1, so even that you can commit without issues, there is no point adding extra empty log fields
- CEF requires strict format of the prefix fields. Every log needs to start with "cef-version|vendor|product|os-version|subtype|type|severity|". GP logs doesn't really have severity, but we will need to provide something in order for the logs to be parsed correctly. As mentioned in the documentation you should use "1" for all log types for which severity is irrelevant. Most of the CEF syslog servers will run regex check to confirm proper CEF formatting before parsing the log and since severity is missing from GP log type format, those logs will not be parased and stored by your SIEM.
- Documentation is using "receive_time", but it is better to use "cef-formatted-receive_time" to be sure that all of the log timestamps are correct
- Since GP logs (at least for 9.1) doesn't really have subtype, it value will always be 0, which doesn't provide any information, I would suggest to use "eventid" in the prefix instead.
- It is a bit annoying that none of the GP log fields are actually mappted to any of the standard CEF extentions fields. This is not actually a problem, since the information is still there, but in my case grabbing the interesting information from those fields requires additional parsing.
I have played for a while and came up with GP log fromat of my own.
CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$eventid|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial fname=$portal cs1Label=Stage cs1=$stage suser=$srcuser shost=$machinename src=$public_ip cs2Label=Private IP cs2=$private_ip msg=$opaque app=$tunnel_type cs3Label=Client Version cs3=$client_ver cs4Label=Error cs4=$error cs5Label=Client OS cs5=$client_os cs6Label=Status cs6=$status cn1Label=Duration in seconds cn1=$login_duration PanOSAuthMethod=$auth_method PanOSSourceRegion=$srcregion PanOSPublicIPv6=$public_ipv6 PanOSPrivateIPv6=$private_ipv6 PanOSHostID=$hostid PanOSEndpointOSVersion=$client_os_ver PanOSCountOfRepeats=$repeatcnt PanOSQuarantineReason=$reason PanOSGPGatewayLocation=$location PanOSConnectionMethod=$connect_method PanOSConnectionErrorID=$error_code PanOSSequenceNo=$seqno PanOSActionFlags=$actionflags
You can change it according to your needs, but what is most important is to use correct prefix format, if not GP logs will not be parsed by CEF syslog server
CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$eventid|$type|1|rt=$cef-formatted-receive_time
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!