Palo Alto LEEF Forwarding & Integration

You can save time and gain performance by forwarding the logs generated by Palo Alto Firewall or Integrated Security Device (UTM) products to the Logsign Unified SecOps Platform.

The Logsign Unified SecOps Platform is fully integrated with Palo Alto Firewall and Integrated Security Devices.

Once the integration is configured, the platform presents the collected data to system administrators in high-resolution graphical tables through its user-friendly web interface, without log loss.

Let's see how you can direct Palo Alto's logs to the Logsign Unified SecOps Platform in LEEF format.

1- Connect to the Palo Alto web interface and go to Device > Server Profiles > Syslog > Name


2- Click on the relevant routing profile.


3- In the Custom Log Format window, select the Log Type you want to forward.


4- In the Config Log Format field, enter the pattern given below in full, exactly as written (pay attention to the spaces). The formats for the other log types follow it.

Config Log Format:

Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|src=$host|virtualsystem=$vsys|msg=$cmd|srcuser=$admin|client=$client|result=$result|path=$path|sequence=$seqno|actflags=$actionflags|beforechangedetail=$before-change-detail|afterchangedetail=$after-change-detail|vsys=$vsys_name|devicename=$device_name


System Log Format:

Palo Alto Networks|version=$sender_sw_version|eventid=$eventid|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|virtualsystem=$vsys|filename=$object|module=$module|sevnumber=$number-of-severity|severity=$severity|msg=$opaque|sequence=$seqno|flags=$actionflags|vsys=$vsys_name|devicename=$device_name


Threat Log Format:

Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|misc=$misc|threatid=$threatid|urlcat=$category|sev=$number-of-severity|severity=$severity|direction=$direction|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|contenttype=$contenttype|pcapid=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlindex=$url_idx|reqmethod=$http_method|subject=$subject|vsys=$vsys_name|devicename=$device_name|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionID=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|threatcategory=$thr_category|contentver=$contentver|miscellaneous=$misc


Traffic Log Format:

Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|totalbytes=$bytes|dstbytes=$bytes_received|srcbytes=$bytes_sent|totalpackets=$packets|starttime=$start|elapsedtime=$elapsed|urlcat=$category|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|dstpackets=$pkts_received|srcpackets=$pkts_sent|sessionendreason=$session_end_reason|vsys=$vsys_name|devicename=$device_name|actionsource=$action_source|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel


HIP Match:

Palo Alto Networks|version=$sender_sw_version|matchname=$matchname|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|srcuser=$srcuser|virtualsystem=$vsys|identhostname=$machinename|os=$os|src=$src|repeatcount=$repeatcnt|hiptype=$matchtype|sequence=$seqno|actflags=$actionflags|vsys=$vsys_name|devicename=$device_name|virtualsystemid=$vsys_id|srcipv6=$srcipv6|devtime=$cef-formatted-time_generated


URL Filtering:

Palo Alto Networks|version=$sender_sw_version|threatid=$threatid|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|miscellaneous=$misc|urlcategory=$category|sevnumber=$number-of-severity|severity=$severity|direction=$direction|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|contenttype=$contenttype|pcapid=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlindex=$url_idx|reqmethod=$http_method|useragent=$user_agent|identsrc=$xff|referer=$referer|subject=$subject|vsys=$vsys_name|devicename=$device_name|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|threatcategory=$thr_category|contentVer=$contentver

Data:

Palo Alto Networks|version=$sender_sw_version|threatid=$threatid|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|miscellaneous=$misc|threatid=$threatid|urlcategory=$category|sevnumber=$number-of-severity|severity=$severity|direction=$direction|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|contenttype=$contenttype|pcapid=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlindex=$url_idx|reqmethod=$http_method|subject=$subject|vsys=$vsys_name|devicename=$device_name|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|threatcategory=$thr_category|contentver=$contentver


Wildfire:

Palo Alto Networks|version=$sender_sw_version|threatid=$threatid|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|miscellaneous=$misc|urlcategory=$category|sevnumber=$number-of-severity|severity=$severity|direction=$direction|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|contenttype=$contenttype|pcapid=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlindex=$url_idx|reqmethod=$http_method|filetype=$filetype|sender=$sender|subject=$subject|recipient=$recipient|reportid=$reportid|vsys=$vsys_name|devicename=$device_name|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|threatcategory=$thr_category|contentver=$contentver


Authentication:

Palo Alto Networks|version=$sender_sw_version|event=$event|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|serverprofile=$serverprofile|logforwardingprofile=$logset|virtualsystem=$vsys|authpolicy=$authpolicy|clienttype=$clienttype|normalizeuser=$normalize_user|objectname=$object|factornumber=$factorno|authenticationid=$authid|src=$ip|repeatcount=$repeatcnt|srcuser=$user|vendor=$vendor|msg=$event|sequence=$seqno|vsys=$vsys_name|devicename=$device_name|additionalauthinfo=$desc|actflags=$actionflags

User-ID:

Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|factortype=$factortype|virtualsystem=$vsys|datasourcename=$datasourcename|datasource=$datasource|datasourcetype=$datasourcetype|factornumber=$factorno|vsysid=$vsys_id|timeoutthreshold=$timeout|src=$ip|srcport=$beginport|dstport=$endport|repeatcount=$repeatcnt|srcuser=$user|sequence=$seqno|eventid=$eventid|factorcompletiontime=$factorcompletiontime|vsys=$vsys_name|devicename=$device_name|actionflags=$actionflags


Tunnel Inspection:

Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|sequence=$seqno|actflags=$actionflags|vsys=$vsys_name|devicename=$device_name|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|totalbytes=$bytes|dstbytes=$bytes_received|srcbytes=$bytes_sent|totalpackets=$packets|dstPackets=$pkts_received|srcPackets=$pkts_sent|maximumencapsulation=$max_encap|unknownprotocol=$unknown_proto|strictchecking=$strict_check|tunnelfragment=$tunnel_fragment|sessionscreated=$sessions_created|sessionsclosed=$sessions_closed|sessionendreason=$session_end_reason|actionsource=$action_source|starttime=$start|elapsedtime=$elapsed


Correlation:

Palo Alto Networks|category=$category|datetime=$receive_time|serial=$serial|type=$type|severity=$severity|virtualsystem=$vsys|virtualsystemid=$vsys_id|src=$src|srcuser=$srcuser|msg=$evidence|vsys=$vsys_name|devicename=$device_name|objectname=$object_name|objectid=$object_id


SCTP:

Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|gentime=$time_generated|src=$src|dst=$dst|virtualsystem=$vsys|srczone=$from|dstzoneone=$to|ininterface=$inbound_if|outinterface=$outbound_if|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|proto=$proto|action=$action|vsys=$vsys_name|devicename=$device_name|sequence=$seqno|associd=$assoc_id|payloadprotoid=$ppid|sevnumber=$num_of_severity|sctpchunktype=$sctp_chunk_type|sctpstreamid=$stream_id|sctpfilter=$sctp_filter|sctpchunks=$chunks


IP-Tag:

Palo Alto Networks|version=$sender_sw_version|eventid=$event_id|type=$type|datetime=$receive_time|serial=$serial|subtype=$subtype|generatetime=$time_generated|virtualsystem=$vsys|src=$ip|tagname=$tag_name|eventid=$eventid|repeatcount=$repeatcnt|timeoutthreshold=$timeout|datasourcename=$datasourcename|datasrctype=$datasource_type|datasrcsubtype=$datasource_subtype|sequence=$seqno|actflags=$actionflags|vsys=$vsys_name|devicename=$device_name|virtualsystemid=$vsys_id

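Each template above is a vendor header followed by pipe-separated key=$variable fields, and step 5 below sets a 2048-character maximum line length. The following Python is added here as an illustration (it is not Logsign or Palo Alto code): it lists a template's fields, flags keys that are used twice, renders the template with constructed values the way the firewall would, and parses the resulting line. The IP-Tag template is copied from this page; the sample values are made up.

```python
import re

# PAN-OS variable names may contain hyphens (e.g. $number-of-severity),
# so allow "-" inside the name.
VAR_RE = re.compile(r"\$([\w-]+)")
MAX_LINE_LENGTH = 2048  # default of "Max Line Length to Process" in step 5

# IP-Tag custom log format copied from this page (vendor header, then key=$var fields).
IP_TAG_TEMPLATE = (
    "Palo Alto Networks|version=$sender_sw_version|eventid=$event_id|type=$type"
    "|datetime=$receive_time|serial=$serial|subtype=$subtype"
    "|generatetime=$time_generated|virtualsystem=$vsys|src=$ip|tagname=$tag_name"
    "|eventid=$eventid|repeatcount=$repeatcnt|timeoutthreshold=$timeout"
    "|datasourcename=$datasourcename|datasrctype=$datasource_type"
    "|datasrcsubtype=$datasource_subtype|sequence=$seqno|actflags=$actionflags"
    "|vsys=$vsys_name|devicename=$device_name|virtualsystemid=$vsys_id"
)

def template_fields(template):
    """Return (key, variable) pairs for each field after the vendor header."""
    fields = []
    for part in template.split("|")[1:]:
        key, _, value = part.partition("=")
        m = VAR_RE.fullmatch(value)
        fields.append((key, m.group(1) if m else None))
    return fields

def duplicate_keys(template):
    """Keys that appear more than once; a key=value parser keeps only the last."""
    seen = {}
    for key, var in template_fields(template):
        seen.setdefault(key, []).append(var)
    return {k: v for k, v in seen.items() if len(v) > 1}

def render(template, values):
    """Fill in $variables as the firewall would; unknown variables become empty."""
    return VAR_RE.sub(lambda m: str(values.get(m.group(1), "")), template)

def parse_line(line, max_length=MAX_LINE_LENGTH):
    """Split a forwarded line into (vendor header, {key: value}).
    Returns None when the line is longer than the configured maximum."""
    if len(line) > max_length:
        return None
    header, *parts = line.split("|")
    fields = {}
    for part in parts:
        key, _, value = part.partition("=")
        fields[key] = value  # a repeated key overwrites the earlier value
    return header, fields
```

Note that a field value containing a literal "|" would be split by this simple parser, so check free-text fields such as misc before relying on it.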

5- Once you have finished configuring Palo Alto, add the device as a source in the Logsign Unified SecOps Platform.

Open the Logsign Unified SecOps Platform web interface, click on the Settings > Data Collection tab, and click the "+ Device" button. Because this is a network-based device, its logs are received by the Syslog method, so select Syslog.

In the Vendor section, you specify the brand of the device/product you are adding; select Palo Alto. You then configure the source on the page that opens.


Host: The IP address of the Palo Alto device from which you want to retrieve the logs.

Encoding: utf_8, the generally accepted standard in information technology, is set as the default. Leave it as it is.

Offset: In plain terms, the time difference. If the system time of the device whose logs you are collecting is ahead of or behind the real time, you can correct it here. The "+" symbol moves the time forward and "-" moves it backward. The value is set in minutes.

Data Policy: You can filter incoming data in or out. In the Data Policy section, you specify which kinds of logs (by word, event type, etc.) you want to receive from the source and which you do not. The default here is the Default Policy, whose default rule is "collect all logs."

Max Line Length to Process: Each log is generated as a single line, which the Logsign Unified SecOps Platform takes in and analyzes. In some cases a single log line can be longer than two thousand forty-eight (2048) characters; in such cases you can change this value.

Check Health: If you tick the box, you will be informed about the service status and operability of the Logsign Unified SecOps Platform. When the box is ticked, the Health Check Period field appears; this is the interval at which the check is performed.

Device Name: Enter a descriptive name that reflects the configuration you are making (for example, PaloFW). This helps the people who analyze the logs. The Description field can be thought of as a free-text area specific to the source.

Tag: Slightly different from the Description field, the tag serves a broader purpose. For example, if you use multiple firewalls and tag each one palo1 or palo2, you can query by tag and make tag-based definitions when creating a report. When you want to query an event, searching by the palo1 tag returns a shorter result list.

To save the configuration and add the source, finish with the Save button.
