Forwarding the logs generated by Palo Alto Firewall or Integrated Security Device (UTM) products to the Logsign Unified SecOps Platform keeps you a step ahead in performance and time.
The Logsign Unified SecOps Platform is fully integrated with Palo Alto Firewall and Integrated Security Devices.
Once the architecture is configured, the product presents the data to system administrators in an understandable form, through high-resolution graphical tables in its user-friendly web interface, without log loss.
Let's see how you can direct Palo Alto's logs to the Logsign Unified SecOps Platform with LEEF.
1- Connect to the Palo Alto web interface and go to Device > Server Profiles > Syslog > Name.
2- Click on the relevant routing profile.
3- In the Custom Log Format window, select the Log Type you want to forward.
4- In the format field for the selected log type (for example, Config Log Format), enter the pattern given below for that type in full, paying attention to the spaces.
Config:
Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|src=$host|virtualsystem=$vsys|msg=$cmd|srcuser=$admin|client=$client|result=$result|path=$path|sequence=$seqno|actflags=$actionflags|beforechangedetail=$before-change-detail|afterchangedetail=$after-change-detail|vsys=$vsys_name|devicename=$device_name
System Log Format:
Palo Alto Networks|version=$sender_sw_version|eventid=$eventid|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|virtualsystem=$vsys|filename=$object|module=$module|sevnumber=$number-of-severity|severity=$severity|msg=$opaque|sequence=$seqno|flags=$actionflags|vsys=$vsys_name|devicename=$device_name
Threat Log Format:
Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|misc=$misc|threatid=$threatid|urlcat=$category|sev=$number-of-severity|severity=$severity|direction=$direction|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|contenttype=$contenttype|pcapid=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlindex=$url_idx|reqmethod=$http_method|subject=$subject|vsys=$vsys_name|devicename=$device_name|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionID=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|threatcategory=$thr_category|contentver=$contentver|miscellaneous=$misc
Traffic Log Format:
Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|totalbytes=$bytes|dstbytes=$bytes_received|srcbytes=$bytes_sent|totalpackets=$packets|starttime=$start|elapsedtime=$elapsed|urlcat=$category|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|dstpackets=$pkts_received|srcpackets=$pkts_sent|sessionendreason=$session_end_reason|vsys=$vsys_name|devicename=$device_name|actionsource=$action_source|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel
HIP Match:
Palo Alto Networks|version=$sender_sw_version|matchname=$matchname|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|srcuser=$srcuser|virtualsystem=$vsys|identhostname=$machinename|os=$os|src=$src|repeatcount=$repeatcnt|hiptype=$matchtype|sequence=$seqno|actflags=$actionflags|vsys=$vsys_name|devicename=$device_name|virtualsystemid=$vsys_id|srcipv6=$srcipv6|devtime=$cef-formatted-time_generated
URL Filtering:
Palo Alto Networks|version=$sender_sw_version|threatid=$threatid|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|miscellaneous=$misc|urlcategory=$category|sevnumber=$number-of-severity|severity=$severity|direction=$direction|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|contenttype=$contenttype|pcapid=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlindex=$url_idx|reqmethod=$http_method|useragent=$user_agent|identsrc=$xff|referer=$referer|subject=$subject|vsys=$vsys_name|devicename=$device_name|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|threatcategory=$thr_category|contentVer=$contentver
Data:
Palo Alto Networks|version=$sender_sw_version|threatid=$threatid|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|miscellaneous=$misc|threatid=$threatid|urlcategory=$category|sevnumber=$number-of-severity|severity=$severity|direction=$direction|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|contenttype=$contenttype|pcapid=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlindex=$url_idx|reqmethod=$http_method|subject=$subject|vsys=$vsys_name|devicename=$device_name|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|threatcategory=$thr_category|contentver=$contentver
Wildfire:
Palo Alto Networks|version=$sender_sw_version|threatid=$threatid|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|miscellaneous=$misc|urlcategory=$category|sevnumber=$number-of-severity|severity=$severity|direction=$direction|sequence=$seqno|actflags=$actionflags|srclocation=$srcloc|dstlocation=$dstloc|contenttype=$contenttype|pcapid=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlindex=$url_idx|reqmethod=$http_method|filetype=$filetype|sender=$sender|subject=$subject|recipient=$recipient|reportid=$reportid|vsys=$vsys_name|devicename=$device_name|srcuuid=$src_uuid|dstuuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|threatcategory=$thr_category|contentver=$contentver
Authentication:
Palo Alto Networks|version=$sender_sw_version|event=$event|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|serverprofile=$serverprofile|logforwardingprofile=$logset|virtualsystem=$vsys|authpolicy=$authpolicy|clienttype=$clienttype|normalizeuser=$normalize_user|objectname=$object|factornumber=$factorno|authenticationid=$authid|src=$ip|repeatcount=$repeatcnt|srcuser=$user|vendor=$vendor|msg=$event|sequence=$seqno|vsys=$vsys_name|devicename=$device_name|additionalauthinfo=$desc|actflags=$actionflags
User-ID:
Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|factortype=$factortype|virtualsystem=$vsys|datasourcename=$datasourcename|datasource=$datasource|datasourcetype=$datasourcetype|factornumber=$factorno|vsysid=$vsys_id|timeoutthreshold=$timeout|src=$ip|srcport=$beginport|dstport=$endport|repeatcount=$repeatcnt|srcuser=$user|sequence=$seqno|eventid=$eventid|factorcompletiontime=$factorcompletiontime|vsys=$vsys_name|devicename=$device_name|actionflags=$actionflags
Tunnel Inspection:
Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|subtype=$subtype|src=$src|dst=$dst|srcnat=$natsrc|dstnat=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|virtualsystem=$vsys|srczone=$from|dstzone=$to|ininterface=$inbound_if|outinterface=$outbound_if|logforwardingprofile=$logset|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|srcnatport=$natsport|dstnatport=$natdport|flags=$flags|proto=$proto|action=$action|sequence=$seqno|actflags=$actionflags|vsys=$vsys_name|devicename=$device_name|tunnelid=$tunnelid|monitortag=$monitortag|parentsessionid=$parent_session_id|parentstarttime=$parent_start_time|tunneltype=$tunnel|totalbytes=$bytes|dstbytes=$bytes_received|srcbytes=$bytes_sent|totalpackets=$packets|dstPackets=$pkts_received|srcPackets=$pkts_sent|maximumencapsulation=$max_encap|unknownprotocol=$unknown_proto|strictchecking=$strict_check|tunnelfragment=$tunnel_fragment|sessionscreated=$sessions_created|sessionsclosed=$sessions_closed|sessionendreason=$session_end_reason|actionsource=$action_source|starttime=$start|elapsedtime=$elapsed
Correlation:
Palo Alto Networks|category=$category|datetime=$receive_time|serial=$serial|type=$type|severity=$severity|virtualsystem=$vsys|virtualsystemid=$vsys_id|src=$src|srcuser=$srcuser|msg=$evidence|vsys=$vsys_name|devicename=$device_name|objectname=$object_name|objectid=$object_id
SCTP:
Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time|serial=$serial|type=$type|gentime=$time_generated|src=$src|dst=$dst|virtualsystem=$vsys|srczone=$from|dstzoneone=$to|ininterface=$inbound_if|outinterface=$outbound_if|sessionid=$sessionid|repeatcount=$repeatcnt|srcport=$sport|dstport=$dport|proto=$proto|action=$action|vsys=$vsys_name|devicename=$device_name|sequence=$seqno|associd=$assoc_id|payloadprotoid=$ppid|sevnumber=$num_of_severity|sctpchunktype=$sctp_chunk_type|sctpstreamid=$stream_id|sctpfilter=$sctp_filter|sctpchunks=$chunks
IP-Tag:
Palo Alto Networks|version=$sender_sw_version|eventid=$event_id|type=$type|datetime=$receive_time|serial=$serial|subtype=$subtype|generatetime=$time_generated|virtualsystem=$vsys|src=$ip|tagname=$tag_name|eventid=$eventid|repeatcount=$repeatcnt|timeoutthreshold=$timeout|datasourcename=$datasourcename|datasrctype=$datasource_type|datasrcsubtype=$datasource_subtype|sequence=$seqno|actflags=$actionflags|vsys=$vsys_name|devicename=$device_name|virtualsystemid=$vsys_id
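As an added example (not Logsign or Palo Alto Networks code), the Python below parses a line written in the custom format above and rejects lines over the 2048-character default of the Max Line Length to Process setting described in step 5. It assumes a shortened subset of the Threat Log Format and a constructed sample line; because a URL carried in misc can itself contain "|" and "=", it walks the format's keys in order instead of splitting blindly on the separators.

```python
HEADER = "Palo Alto Networks"
MAX_LINE_LENGTH = 2048  # Logsign "Max Line Length to Process" default

# Shortened subset of the Threat Log Format above; the full profile parses the
# same way, only with more keys.
THREAT_FORMAT = (
    "Palo Alto Networks|version=$sender_sw_version|datetime=$receive_time"
    "|type=$type|subtype=$subtype|src=$src|dst=$dst|action=$action|misc=$misc"
    "|threatid=$threatid|severity=$severity|devicename=$device_name"
)
# Constructed sample rendered with THREAT_FORMAT; the misc URL deliberately
# contains '=' and '|', which a naive split on those characters would mangle.
SAMPLE_LINE = (
    "Palo Alto Networks|version=10.1.0|datetime=2024/01/15 10:22:01|type=THREAT"
    "|subtype=url|src=10.0.0.5|dst=203.0.113.9|action=block-url"
    "|misc=http://example.test/login?next=/a|b&x=1|threatid=(9999)"
    "|severity=medium|devicename=PaloFW"
)

def format_keys(fmt: str) -> list[str]:
    """Key names ('version', 'datetime', ...) in the order the format emits them."""
    return [token.split("=", 1)[0] for token in fmt.split("|")[1:]]

def parse_line(line: str, fmt: str = THREAT_FORMAT,
               max_len: int = MAX_LINE_LENGTH) -> dict[str, str]:
    """Walk the format's keys in order; each value runs up to '|<next key>=',
    so '|' or '=' inside a value (URLs, usernames, subjects) cannot shift the
    fields that follow it."""
    if len(line) > max_len:
        raise ValueError(f"line is {len(line)} chars, over the {max_len} limit")
    header, sep, body = line.partition("|")
    if header != HEADER or not sep:
        raise ValueError("not a line in the Palo Alto Networks custom format")
    keys = format_keys(fmt)
    fields: dict[str, str] = {}
    pos = 0
    for i, key in enumerate(keys):
        prefix = key + "="
        if not body.startswith(prefix, pos):
            raise ValueError(f"expected '{prefix}' at offset {pos}")
        pos += len(prefix)
        end = len(body) if i + 1 == len(keys) else body.find(f"|{keys[i + 1]}=", pos)
        if end < 0:
            raise ValueError(f"field '{keys[i + 1]}' missing after '{key}'")
        fields[key] = body[pos:end]
        pos = end + 1  # step over the '|' separator
    return fields
```

A value that literally contains "|<next key>=" would still confuse this parser, so keep the key names in your profile distinct from anything that can appear inside misc or subject.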
5- Once you have finished configuring Palo Alto, add the device as a source in the Logsign Unified SecOps Platform as follows.
Open the Logsign Unified SecOps Platform web interface, go to the Settings > Data Collection tab and click the "+ Device" button. Because this is a network-based device, its logs are received by Syslog, so select Syslog as the method.
In the Vendor section, specify the brand of the device/product you are adding: select Palo Alto. The page that opens holds the configuration of the source you are adding.
Host: The IP address of the Palo Alto device whose logs you want to collect.
Encoding: utf_8, the generally accepted standard in information technology, is set by default; leave it as it is.
Offset: In short, the time difference. If the time on the system you are collecting logs from runs ahead of or behind real time, you can correct for it here: "+" shifts the timestamps forward and "-" shifts them backward. The value is given in minutes.
Data Policy: You can filter incoming data in or out. In the Data Policy section you specify the kinds of logs (by word, event movement type, etc.) that you do or do not want to receive from the source. The default here is the Default Policy, whose default rule is "collect all logs."
Max Line Length to Process: Each log is generated as a single line, which the Logsign Unified SecOps Platform ingests and analyzes. In some cases a single log line can be longer than two thousand forty-eight (2048) characters; in such cases you can change this value.
Check Health: If you tick this box, you will be informed about the service status and operability of the Logsign Unified SecOps Platform. Ticking it reveals the Health Check Period tab, where you set the interval at which the check is run.
Device Name: Enter a descriptive name that fits the configuration you are making (for example, PaloFW); it helps the people who analyze the logs. The Description field can be thought of as a free-form area specific to this source.
Tag: Slightly different from the Description section, it serves a broader purpose. For example, you can query by tag and make tag-based definitions when creating a report: if you use multiple FWs and tag each one palo1, palo2, and so on, a search for an event filtered on the palo1 tag returns a shorter result.
To save the configuration and add the source, click the Save button.