Skip to main content

Syslog - Palo Alto Firewall

Tony Black
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Firewall Syslog
ENVIRONMENT: Palo Alto
SUMMARY: Configuration Guide for Palo Alto firewalls

Vendor Information

Device Configuration Checklist

Example Log Messages

 

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Firewall guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

 

Vendor Information

Vendor Palo Alto Networks
Supported Model Name/Number Next-Generation Firewall
Supported Software Version(s) PAN-OS 10.1, PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1
Collection Method Syslog
Provider Name Syslog-PaloAlto
Additional Information

PanOS 10.1 - Configure Syslog Monitoring
Note: Please select the appropriate version for relevant documentation from the left hand navigation bar dropdown.

Syslog Field Descriptions

Tips & Tricks: Configure Syslog Forwarding

Please note that Huntress provides third party vendor instructions as a best effort to expedite onboarding. Vendor documentation and versions frequently change and so it may be necessary to find the appropriate documentation for syslog logging for your version of the vendor software or service.

Please note the link in the Vendor Links above to the latest documentation at the time of this writing.

Device Configuration Checklist

  1. Configure a Syslog server profile
    1. From the Palo Alto Console, select Device > Server Profiles > Syslog
    2. Click Add and enter a Name for the profile. For example, Huntress-SIEM.
  2. Add a Syslog Server (Huntress Agent) to the Server Profile
    1. In the Syslog Server Profile click Add and provide the following information:
      1. Name - Name or IP of Huntress Agent host
      2. Syslog Server - Internal IP or FQDN of the Huntress Agent
      3. Transport - UDP  (please note that Huntress SIEM is not compatible with SSL (TLS) or encrypted syslogs.
      4. Port - 514
      5. Format - IETF
      6. Facility - LOG_USER (default)
    2. Click OK to save the server profile
  3. Configure syslog forwarding for Traffic, Threat, Wildfire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
    1. Create the Syslog Forwarding Profile
      1. From the Palo Alto Console, select Objects > Log Forwarding
      2. Click Add and enter a Name for the Log Forwarding Profile.
        1. If it is desired that this profile be assigned to all new security rules and zones, enter “default”. If this is not desired or you don’t want to override the default profile, enter a unique name.
      3. For each Severity and Wildfire Verdict select the Syslog Server Profile created above in the Syslog column
      4. Click OK
    2. Assign the Syslog Forwarding Profile to the Security Policy
      1. From the Palo Alto Console, select Policies > Security
      2. For each rule in the Security Policy do the following:
        1. Click on the rule name
        2. Go to the Actions tab
        3. Check the box for “Log at Session End”
        4. Under Log Setting and Log Forwarding, choose the Syslog Forwarding Profile created above
  4. Configure syslog forwarding for System, Configuration, Correlation, GlobalProtect, HIP Match, and User-ID logs.
    1. From the Palo Alto Console, select Device > Log Settings
    2. For System and Correlation logs, click each Severity level, select the Syslog Server Profile created above, and click OK.
    3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog Server Profile created above, and click OK.
  5. Commit changes.
    1. Click Commit to push config changes. 

 

Example Log Messages

 

Traffic Log Message

<14>1 2021-11-30T15:54:05-05:00 logsourcehost appname - - - 1,2021/10/13 05:47:22,123456789,TRAFFIC,deny,2561,2021/10/13 05:47:22,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5,OS Blocked Apps,,,slack-base,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Syslog forwarding,2021/10/13 05:47:22,12251,1,62883,443,25341,443,0x404400,tcp,reset-both,763,697,66,4,2021/10/13 05:47:20,1,internet-communications-and-telephony,,7017083028182608905,0x0,10.0.0.0-10.255.255.255,United Kingdom,,3,1,policy-deny,0,0,0,0,,FW1,from-application,,,0,,0,,N/A,0,0,0,0,36ba66bd-fef3-44fe-82b6-a817547e4c1d,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-10-13T05:47:22.926+01:00,,,instant-messaging,saas,browser-based,2,"able-to-transfer-file,has-known-vulnerability,is-saas,is-hipaa,is-soc2,is-ip-based-restrictions",slack,slack-base,yes,no,0

 

Threat URL Log Message

<14>1 2021-11-30T15:54:05-05:00 logsourcehost appname - - - 1,2021/10/13 05:51:20,123456789,THREAT,url,2561,2021/10/13 05:51:20,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5,Server to Internet - Approved apps,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Syslog forwarding,2021/10/13 05:51:20,70928,1,52551,80,18355,80,0x40f000,tcp,alert,"www.roke.co.uk/pki/Commercial%20CA(8).crt/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSzwE/DuL2Vw2iz2XiE0TpwhE0P2QQUQgcVZG9M1QoENJLj7xfC8euUQ8sCExkAAem7YxFZv0YZM0wACAAB6bs=",(9999),business-and-economy,informational,client-to-server,7017083032376914159,0x0,10.0.0.0-10.255.255.255,United Kingdom,,text/html,0,,,1,,,,,,,,0,0,0,0,0,,FW1,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"business-and-economy,low-risk",d0f0b050-1baf-43db-881e-082cb377b223,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2021-10-13T05:51:20.491+01:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no

Related articles