This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Sending traffic logs with Syslogs (UDP) from PA-440 -> Collector Server in Azure -> LimaCharlie organization not working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Sending traffic logs with Syslogs (UDP) from PA-440 -> Collector Server in Azure -> LimaCharlie organization not working

SoloSigma
L1 Bithead

‎01-17-2024 11:10 AM - edited ‎01-17-2024 11:13 AM

I am trying to send Syslog from my PA-440 to a LimaCharlie organization.

 

This is the setup

 

PA-400 --Syslog--> Virtual Machine in Azure running Ubuntu with LimaCharlie Adapter --HTTPS--> LimaCharlie.io

 

This is what I have done in the PA-440

 

1. Objects -> Log Forwarding and
Add a profile
 
Log fowarding.png
 

  • Name: vm-collectorserver-prod

  • Syslog server: {Public IP from Azure}

  • Port number: 514

  • Format: BSD

  • Facility

 

I named the profile "LFP-Logs to LimaCharlie".

 

Log Fowarding profile.png

 

2. Policies
 -> Security

 
Actions -> Log Forwarding: LFP-Logs to LimaCharlie
 
Security Policy Rule.png
 

 

This is what I have done in Azure

 

I created a VM with latest Ubuntu Server.
I opened port 514 UDP.

Azure.png

 

Next I installed LimaCharlie Adapter on it which is working fine:

 

LimaCharlie Adapter.png

 

I tried to send a syslog message to it which came through to the LimaCharlie organization, meaning that the collector server can receive syslog:

 

 

logger -p 0 -n 1.2.3.4 "This is only test message ----- remote"

Screenshot from LimaCharlie.io:

LimaCharlie.io.png

 

Now I am a bit lost.. What should I try next in order to make sure that logs are sent from the Palo Alto firewall to my collector server in Azure?

0 Likes Likes
3 REPLIES 3

jpomachagua
L3 Networker

‎01-18-2024 01:25 PM

Hello @SoloSigma 

I will verify the following:

  1. Check the traffic logs on the Monitor tab to see if any traffic is being denied.

  2. If no traffic logs are found, check the session browser logs (clear the session if needed).

Regards

Jorge Pomachagua
PCNSE, PCNSC.
0 Likes Likes

SoloSigma
L1 Bithead
In response to jpomachagua

‎01-23-2024 01:08 AM

I have checked the traffic logs and all has Action=allow.

 

 

Traffic log page 1Traffic log page 1Traffic log page 2Traffic log page 2

0 Likes Likes

jpomachagua
L3 Networker

‎01-23-2024 08:59 AM

@SoloSigma 

 

Can you verify if there is a NAT source IP address for the packets? Also, can you display the columns for bytes sent and bytes received?

 

Regards

Jorge Pomachagua
PCNSE, PCNSC.
0 Likes Likes
  • 994 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks