Setting up syslog forwarding from Panorama to Microsoft Cloud app security

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Setting up syslog forwarding from Panorama to Microsoft Cloud app security

L0 Member

Wondering if anybody has gotten the syslog forwarding working from panorama traffic logs to Microsofts Cloud App security.

 

Have followed every guide I can find and I have logs passing to the MS log collector, however the syslog connection drops regularly, and despite getting some traffic showing in Cloud Discovery on the CAS dashboard it's approx.2% of total network traffic. Not from any specific system or source just a random .2%.

 

I feel like it's the formatting of the logs being sent or the handeling on the collector but the vendors just blame each other so it's hard to nail down.

 

anyone with experience getting the two to play nice would be appreciated!

 

 

5 REPLIES 5

L0 Member

Did you ever get this figured out?

L0 Member

We're on v.9.1.8 for Panorama.

I've configured both ways in the MCAS Log collector settings - "PA Series Firewall" & "PA Series Firewall LEEF".

We've built the MCAS Log Collector based on the Ubuntu/Docker.

The Palos are successfully sending to the MCAS-LogCollector server.
The MCAS-LogCollector is successfully sending "message" files upto MCAS, but it's not successfully parsing the file.

 

See the sample logs that M$ provides with each of these - that I've attached here.
These don't match our formats.   

Looks like we'll need to build a Custom Format on the Palo side???

 

 

https://docs.microsoft.com/en-us/cloud-app-security/custom-log-parser

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring.html

https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/configure-palo-alto-panorama-for...

I'm going through this now and having trouble with the MCAS/MDCA Log Collector Container parsing the logs forwarded from Panorama 9.1 as it won't send to cloud.  

I'm working with Microsoft Support however they haven't been able offer any assistance apart from pointing out Panorama is sending it's hostname in Syslog which isn't supported in the 'PA Series Firewall' Data Source format.  Unfortunately disabling this setting isn't an option as it's used for an existing SIEM integration.

The 'PA Series Firewall LEEF' Data Source format sample does show the Syslog sender hostname so i've changed to LEEF however still not working.

I'll update if I get resolution on this.

Was anyone ever able to figure this out? I'm fighting with the same issue. Thanks!

Try to use TLS or TCP as receiver type. 

Farakh Numan Rafiquie
  • 10438 Views
  • 5 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!