Sending traffic logs with Syslogs (UDP) from PA-440 -> Collector Server in Azure -> LimaCharlie organization not working


L1 Bithead

I am trying to send Syslog from my PA-440 to a LimaCharlie organization.

This is the setup

PA-400 --Syslog--> Virtual Machine in Azure running Ubuntu with LimaCharlie Adapter --HTTPS--> LimaCharlie.io

This is what I have done in the PA-440

1. Objects -> Log Forwarding -> Add a profile

Log fowarding.png

  • Name: vm-collectorserver-prod

  • Syslog server: {Public IP from Azure}

  • Port number: 514

  • Format: BSD

  • Facility

I named the profile "LFP-Logs to LimaCharlie".

Log Fowarding profile.png

2. Policies -> Security -> Actions -> Log Forwarding: LFP-Logs to LimaCharlie

Security Policy Rule.png

This is what I have done in Azure

I created a VM with latest Ubuntu Server.
I opened port 514 UDP.

Azure.png

Next I installed LimaCharlie Adapter on it which is working fine:

LimaCharlie Adapter.png

I tried to send a syslog message to it which came through to the LimaCharlie organization, meaning that the collector server can receive syslog:

logger -p 0 -n 1.2.3.4 "This is only test message ----- remote"

Screenshot from LimaCharlie.io:

LimaCharlie.io.png

Now I am a bit lost. What should I try next in order to make sure that logs are sent from the Palo Alto firewall to my collector server in Azure?
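One way to see what actually arrives on the collector VM, independently of the LimaCharlie adapter, is a throwaway UDP listener that decodes each BSD-format datagram and prints the sender's IP next to the parsed facility, severity, hostname and message. The code below is an added troubleshooting example; it is not the poster's code and not part of the LimaCharlie adapter or PAN-OS. It assumes you run it on the Ubuntu VM on a port the adapter is not bound to (the default 5514 is a constructed value), temporarily point the firewall's syslog profile at that port, and compare the printed source IP with the firewall's egress address. The sample datagrams in the test are constructed; they mirror the `logger -p 0` test message (PRI 0 decodes to kern.emerg) and a made-up line with the hostname PA-440.

```python
"""Minimal UDP BSD-syslog (RFC 3164) receiver for checking what reaches a collector.

Added troubleshooting example, not the poster's code and not part of the
LimaCharlie adapter. Assumed: it runs on the collector VM on a port the adapter
is not using (5514 below is a constructed default), and the firewall's syslog
profile points at that port for the duration of the test.
"""
import re
import socket
import sys
from typing import Optional

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD header: "Mmm dd HH:MM:SS HOSTNAME " followed by the free-form message.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_bsd_syslog(datagram: bytes, src_ip: Optional[str] = None) -> dict:
    """Decode one UDP datagram into PRI, facility, severity, timestamp, host, message.

    A datagram without a valid <PRI> is treated as PRI 13 (user.notice), as
    RFC 3164 prescribes, so a misbehaving sender still shows up in the output.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:  # 191 = local7.debug, the largest legal PRI
        pri = int(m.group(1))
        rest = text[m.end():]
    else:
        pri = 13
        rest = text
    facility, severity = divmod(pri, 8)
    record = {
        "src_ip": src_ip,
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": None,
        "hostname": None,
        "message": rest,
    }
    h = HEADER_RE.match(rest)
    if h:
        record["timestamp"], record["hostname"], record["message"] = h.groups()
    return record


def serve(bind_addr: str = "0.0.0.0", port: int = 5514,
          max_packets: Optional[int] = None) -> list:
    """Listen on UDP, print and return each parsed record with the sender's IP.

    The printed src_ip is the address the collector really sees, which is the
    value to compare against the firewall's egress address when checking for
    NAT in the path. Port 514 needs root; the constructed default 5514 does not.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    records = []
    while max_packets is None or len(records) < max_packets:
        data, (src_ip, _) = sock.recvfrom(65535)
        rec = parse_bsd_syslog(data, src_ip)
        print(f"{rec['src_ip']} {rec['facility']}.{rec['severity']} "
              f"host={rec['hostname']} msg={rec['message'][:120]!r}")
        records.append(rec)
    sock.close()
    return records


if __name__ == "__main__":
    # Usage: python3 syslog_probe.py [port]; from another host send a test with
    #   logger -p 0 -n <collector-ip> -P <port> "This is only test message ----- remote"
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 5514)
```

If the firewall's lines never appear here while the `logger` test does, the problem is on the path or in the firewall configuration (profile not attached, wrong port, NAT or a blocked egress), not in the adapter; if they appear with a source address other than the firewall's own, that address is the one the adapter and any Azure network security group rule must accept.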

3 REPLIES 3

L2 Linker

Hello @SoloSigma 

I will verify the following:

  1. Check the traffic logs on the Monitor tab to see if any traffic is being denied.

  2. If no traffic logs are found, check the session browser logs (clear the session if needed).

Regards

Jorge Pomachagua
PCNSE, PCNSC.

I have checked the traffic logs and all have Action=allow.

Traffic log page 1, Traffic log page 2

L2 Linker

@SoloSigma 

Can you verify if there is a NAT source IP address for the packets? Also, can you display the columns for bytes sent and bytes received?

Regards

Jorge Pomachagua
PCNSE, PCNSC.