05-12-2021 11:47 AM - edited 05-12-2021 11:50 AM
I am using an HTTP profile to send PANORAMA CRITICAL SYSTEM events to Slack. The integration is working well.
My Panoramas are an A/P HA cluster. The issue that I have is that I'm unable to delineate the device names via the HTTP profile payload (because the HTTP profile payload gets duplicated between both the active and the passive device).
Here's my HTTP profile SYSTEM payload:
{"text": "*Panorama System Log*\n
*Device Name*:$device_name\n
*Receive Time*: $receive_time *Severity:* $severity *Type*: $subtype\n
*Log Message:* $opaque"}
This works well except for the $device_name variable (i.e., system log field). For my Panorama instance, $device_name returns the IP address 1.1.1.1. I would expect it to return the device's hostname.
In reviewing the System log fields documentation, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...
the field "device_name" is described as "the hostname of the firewall on which the session was logged". The key word here is "firewall" as this does not seem to function correctly for Panorama.
In a nutshell, I want to include the Panorama hostname (or Panorama mgmt IP address) within the log (alert) output. That way I know which device in the HA pair is generating the log/alert. For a Panorama A/P HA pair, the HTTP profile payload is duplicated across both devices, and therefore I cannot hard-code the device name in the payload; I need to use a variable (i.e., a system log field name). Does anybody know how I can get the Panorama hostname or mgmt IP address to show up in the output? How would I build the HTTP profile SYSTEM payload? Any ideas are appreciated. Thanks!
05-14-2021 03:02 PM
I know you say that the Device name does not show up properly, but what about the serial #?
"Serial Number (serial)"
Is it showing up? And is that unique?
05-17-2021 07:29 AM
Hi @jdelio, thanks for responding.
I tried this during my testing. When I send the serial number ($serial), both the Active and the Passive Panorama return the same 10-digit number. If I search the config for this 10-digit number (show | match <number>) I can't find a record of the number anywhere in the config.
FYI both my Panorama serial numbers are 12-digit numbers.