05-30-2018 06:18 AM
Wondering if anybody has gotten the syslog forwarding working from Panorama traffic logs to Microsoft's Cloud App Security.
Have followed every guide I can find and I have logs passing to the MS log collector, however the syslog connection drops regularly, and despite getting some traffic showing in Cloud Discovery on the CAS dashboard it's approx. .2% of total network traffic. Not from any specific system or source, just a random .2%.
I feel like it's the formatting of the logs being sent or the handling on the collector, but the vendors just blame each other so it's hard to nail down.
Anyone with experience getting the two to play nice would be appreciated!
11-05-2021 09:25 AM
We're on v.9.1.8 for Panorama.
I've configured both ways in the MCAS Log collector settings - "PA Series Firewall" & "PA Series Firewall LEEF".
We've built the MCAS Log Collector based on the Ubuntu/Docker.
The Palos are successfully sending to the MCAS-LogCollector server.
The MCAS-LogCollector is successfully sending "message" files up to MCAS, but it's not successfully parsing the file.
See the sample logs that M$ provides with each of these, which I've attached here.
These don't match our formats.
Looks like we'll need to build a Custom Format on the Palo side???
https://docs.microsoft.com/en-us/cloud-app-security/custom-log-parser
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring.html
03-22-2022 05:55 PM
I'm going through this now and having trouble with the MCAS/MDCA Log Collector Container parsing the logs forwarded from Panorama 9.1 as it won't send to cloud.
I'm working with Microsoft Support, however they haven't been able to offer any assistance apart from pointing out that Panorama is sending its hostname in syslog, which isn't supported in the 'PA Series Firewall' Data Source format. Unfortunately disabling this setting isn't an option as it's used for an existing SIEM integration.
The 'PA Series Firewall LEEF' Data Source format sample does show the syslog sender hostname, so I've changed to LEEF, however it is still not working.
I'll update if I get resolution on this.
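The post above pins the parsing failure on the syslog hostname that Panorama places between the RFC 3164 timestamp and the PAN-OS CSV payload. Before escalating to either vendor, it helps to confirm exactly what the collector is receiving. The following script is an added example, not code from the thread, Microsoft or Palo Alto Networks: it parses a captured syslog line, reports whether a hostname field is present, decodes the PRI facility/severity, and pulls a few fields out of the CSV payload. The sample lines are constructed for illustration, and the field positions (Type, Subtype, source, destination, rule, application) are assumed to follow the documented PAN-OS 9.1 traffic-log order; check them against your own syslog profile before relying on them.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not taken from the thread). The first mimics a
# Panorama line that carries the sender hostname in the RFC 3164 header;
# the second is the same event without the hostname field.
SAMPLE_WITH_HOSTNAME = (
    "<14>Mar 22 17:55:00 panorama01 1,2022/03/22 17:55:00,001122334455,TRAFFIC,end,"
    "2049,2022/03/22 17:54:59,10.0.0.5,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,"
    "ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,log-fwd,2022/03/22 17:55:00"
)
SAMPLE_WITHOUT_HOSTNAME = (
    "<14>Mar 22 17:55:00 1,2022/03/22 17:55:00,001122334455,TRAFFIC,end,"
    "2049,2022/03/22 17:54:59,10.0.0.5,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,"
    "ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,log-fwd,2022/03/22 17:55:00"
)

# RFC 3164 header: <PRI>, then "Mmm dd hh:mm:ss", then the rest of the line.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$"
)

# Assumed PAN-OS 9.1 traffic-log CSV positions (0-based). Verify against
# your own syslog profile; the collector's expected format is not on the page.
FIELD_INDEX = {"log_type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11, "app": 14}


def split_header(line: str):
    """Return (pri, timestamp, hostname_or_None, csv_payload)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style syslog line")
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    # The PAN-OS payload always begins with a comma-separated field ("1,..."),
    # so a first token without a comma must be the syslog hostname.
    if "," in first:
        return int(m.group("pri")), m.group("ts"), None, rest
    return int(m.group("pri")), m.group("ts"), first, remainder


def parse_syslog_line(line: str) -> Dict[str, object]:
    """Decode PRI and pick a few PAN-OS traffic fields out of one syslog line."""
    pri, ts, host, payload = split_header(line)
    fields = payload.split(",")
    result: Dict[str, object] = {
        "facility": pri >> 3,          # RFC 3164: PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": ts,
        "hostname": host,               # None when Panorama omits the hostname
        "field_count": len(fields),
    }
    for name, idx in FIELD_INDEX.items():
        result[name] = fields[idx] if idx < len(fields) else None
    return result


def strip_hostname(line: str) -> str:
    """Rebuild the line without the syslog hostname, for comparing against
    a vendor sample that lacks one."""
    pri, ts, _host, payload = split_header(line)
    return f"<{pri}>{ts} {payload}"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many captured lines carry a hostname and how many do not."""
    counts = {"with_hostname": 0, "without_hostname": 0, "unparseable": 0}
    for line in lines:
        try:
            _pri, _ts, host, _payload = split_header(line)
        except ValueError:
            counts["unparseable"] += 1
            continue
        counts["with_hostname" if host else "without_hostname"] += 1
    return counts


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HOSTNAME, SAMPLE_WITHOUT_HOSTNAME):
        print(parse_syslog_line(sample))
    print(summarize([SAMPLE_WITH_HOSTNAME, SAMPLE_WITHOUT_HOSTNAME, "garbage"]))
```

Feed it a few hundred lines captured on the collector host (for example from a packet capture on the syslog port, or the collector's own message files) and compare the `summarize` counts and the parsed fields with the sample log Microsoft ships for the data source you selected; a mismatch in hostname presence or field order is the kind of thing the custom log parser is meant to bridge.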
09-07-2022 10:40 AM
Was anyone ever able to figure this out? I'm fighting with the same issue. Thanks!
11-04-2022 06:56 AM
Try to use TLS or TCP as receiver type.