Syslog - Palo Alto Firewall
Device Details
Vendor | Palo Alto |
---|---|
Device Type | Next-Generation Firewall |
Supported Model Name/Number | Palo Alto Series Firewall |
Supported Software Version(s) | PAN-OS 9.0, PAN-OS 9.1, PAN-OS 10.0, PAN-OS 10.1. GlobalProtect is only supported from version 9.1.3 and later. |
Collection Method | Syslog |
Configurable Log Output? | Yes |
Log Source Type | Syslog – Palo Alto Firewall |
Log Processing Policy | LogRhythm Default v2.0 |
Exceptions | N/A |
Additional Information | https://www.paloaltonetworks.com/documentation https://www.paloaltonetworks.com/network-security/next-generation-firewall |
Device Configuration Checklist
Create a Server Profile for the Collecting LogRhythm System Monitor Agent (Syslog Server)
From the Palo Alto Console, select the Device tab.
In the left pane, expand Server Profiles.
Select Syslog.
Click Add and define the name of the profile, such as LR-Agents.
Add Syslog Server (LogRhythm System Monitor) to Server Profile
Use the following configuration information:
Name | Such as LR-AgentName or IP |
---|---|
Syslog Server | IP Address or Fully Qualified Domain Name of the LogRhythm System Monitor |
Transport | UDP or TCP (dependent on the Palo Alto Firewall settings) |
Port | 514 |
Format | IETF |
Facility | LOG_USER (default) |
Configure Syslog Forwarding for Traffic, Threat, and Wildfire Logs
In the left pane of the Objects tab, select Log Forwarding.
Select Add and create a name for the Log Forwarding Profile, such as LR-Syslog.
For each type and severity level, select the Syslog server profile.
Configure Syslog Forwarding for System and Config Logs
In the left pane of the Device tab, select Log Settings.
For each type and severity level, select the Syslog server profile.
Supported Log Messages
This is a list of LR tags used to parse the log information for each message type.
Type | Product Version | Supported Schema Fields |
---|---|---|
V 2.0 Authentication Lockout Expired | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
V 2.0 Authentication Messages | All | <vmid>, <vendorinfo>, <sip>, <login>, <object>, <policy>, <quantity>, <action>, <subject>, <result>, <objectname>, <protname>, <sname>, <smac>, <useragent>, <session> |
V 2.0 Catch All (Palo Alto) | All | <vmid>, <vendorinfo> |
V 2.0 Catch All: General Authentication Event | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
V 2.0 Catch All: General DHCP Messages | All | <vmid>, <vendorinfo>, <severity>, <subject>, <tag1> |
V 2.0 Catch All: System Messages | All | <vmid>, <vendorinfo>, <severity>, <subject>, <objectname> |
V 2.0 Configuration Messages | All | <vmid>, <vendorinfo>, <sip>, <command>, <tag1>, <login>, <sessiontype>, <result>, <tag2>, <object>, <objectname> |
V 2.0 Correlated Event Messages | All | <vmid>, <vendorinfo>, <sip>, <domainorigin>, <login>, <subject>, <severity>, <objectname>, <threatname>, <threatid>, <reason> |
V 2.0 Data/File/Virus/Spyware Threat Messages | All | <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag2>, <object>, <threatname>, <threatid>, <subject>, <severity>, <sender>, <recipient>, <objectname>, <group> |
V 2.0 Decryption Event Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <objectname>, <group> |
V 2.0 Flood/Packet Threat Messages | All | <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <sinterface>, <dinterface>, <protname>, <action>, <tag2>, <threatname>, <threatid>, <severity>, <objectname>, <group> |
V 2.0 General Authentication Event | All | <vmid>, <severity>, <subject>, <sip>, <sessiontype>, <tag1>, <login>, <vendorinfo>, <tag2> |
V 2.0 General Authentication Event (auth) | All | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <login>, <reason>, <tag1> |
V 2.0 General DHCP Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <severity>, <subject>, <sip>, <smac>, <sname>, <dinterface>, <dip>, <objectname> |
V 2.0 General DNS Signature Information | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General Dynamic DNS Messages | All | <vmid>, <vendorinfo>, <action>, <severity>, <subject>, <objectname> |
V 2.0 General GlobalProtect Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <object>, <severity>, <subject>, <sip>, <login>, <reason>, <objectname> |
V 2.0 General HA Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General Logical Link Discovery Protocol | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General Monitoring Events | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General NTPD Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General Path-Based Forwarding Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General Port Message | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <dinterface>, <status>, <tag1>, <objectname> |
V 2.0 General Remote Access Manager Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General Routing Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General SAML Message | All | <vmid>, <vendorinfo>, <result>, <tag1>, <object>, <severity>, <subject>, <login>, <sip>, <reason>, <objectname> |
V 2.0 General Satellite Connection Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General SSL Manager Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General System Event | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General URL-Filtering System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 General User Profile System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <dip>, <dport>, <dname>, <sip>, <status>, <quantity>, <objectname> |
V 2.0 General VPN Status Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <sip>, <sport>, <dip>, <dport>, <objectname> |
V 2.0 General Wildfire System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 GlobalProtect 9.1.3 & Later Status Messages | All | <vmid>, <vendorinfo>, <sip>, <sname>, <snatip>, <login>, <domainorigin>, <process>, <subject>, <serialnumber>, <version>, <action>, <result>, <reason>, <status>, <duration>, <quantity> |
V 2.0 GlobalProtect Status Messages | All | <vmid>, <vendorinfo>, <action>, <status>, <tag1>, <domainorigin>, <login>, <sname>, <sip>, <snatip>, <serialnumber>, <version>, <quantity>, <reason>, <responsecode>, <subject>, <result>, <tag2>, <seconds>, <objectname> |
V 2.0 GTP Log Messages | All | <vmid>, <severity>, <vendorinfo>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <subject>, <session>, <object>, <objectname>, <group>, <policy>, <action>, <command>, <tag1> |
V 2.0 Host Profile Messages | All | <vmid>, <vendorinfo>, <domainorigin>, <login>, <sname>, <sip>, <object>, <quantity>, <objecttype>, <objectname>, <serialnumber>, <smac> |
V 2.0 IP Tag Messages | All | <vmid>, <vendorinfo>, <dip>, <subject>, <action>, <quantity>, <object>, <objecttype>, <objectname> |
V 2.0 Scan Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <threatname>, <threatid>, <severity>, <objectname>, <group> |
V 2.0 SCTP Messages | All | <vmid>, <sip>, <dip>, <policy>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <protname>, <action>, <tag1>, <objectname>, <severity>, <subject>, <reason>, <packetsout>, <packetsin> |
V 2.0 Traffic Messages | All | <severity>, <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <object>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag2>, <bytesin>, <bytesout>, <seconds>, <subject>, <packetsin>, <packetsout>, <reason>, <objecttype>, <objectname>, <group> |
V 2.0 URL Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <sessiontype>, <protname>, <action>, <tag1>, <url>, <subject>, <severity>, <useragent>, <objectname>, <group> |
V 2.0 User ID Messages | All | <vmid>, <action>, <tag1>, <sip>, <domainorigin>, <login>, <quantity>, <subject>, <objectname> |
V 2.0 Vulnerability Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <subject>, <severity>, <objectname>, <group> |
V 2.0 Wildfire Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <result>, <tag2>, <severity>, <hash>, <objecttype>, <sender>, <subject>, <recipient>, <objectname>, <group> |
V 2.0 Wildfire-Virus Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <severity>, <sender>, <subject>, <recipient>, <objectname>, <group> |
V 2.0 General SDWAN Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
V 2.0 Threat ML-Virus Messages | | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <severity>, <sender>, <subject>, <recipient>, <objectname>, <group> |
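As an added example (not LogRhythm's log processing policy and not Palo Alto code), the following Python parses one PAN-OS TRAFFIC record delivered in the IETF syslog format configured in the checklist above and maps it onto the tag names listed in the Traffic Messages row. The CSV column positions follow the published PAN-OS 9.x/10.x traffic log field layout; the RFC 5424 header framing with "-" placeholders and the tag-to-column mapping (including which direction counts as bytesin/bytesout) are this example's assumptions, and the sample log line, serial number, addresses and rule name are constructed.

```python
"""Parse a PAN-OS TRAFFIC syslog message (IETF / RFC 5424 framing) into
the LogRhythm tag names listed for Traffic Messages.

Added example: column positions are taken from the published PAN-OS
9.x/10.x traffic-log layout and the tag mapping is an assumption made
here, not LogRhythm's MPE rule. Verify both against your PAN-OS release.
"""
import csv
import io

# 0-based CSV positions in a PAN-OS TRAFFIC record (assumed from the
# vendor's field description; FUTURE_USE columns are skipped).
TRAFFIC_COLUMNS = {
    "serialnumber": 2, "subject": 4, "sip": 7, "dip": 8, "snatip": 9,
    "dnatip": 10, "policy": 11, "sourceuser": 12, "destuser": 13,
    "object": 14, "vmid": 15, "sinterface": 18, "dinterface": 19,
    "session": 22, "quantity": 23, "sport": 24, "dport": 25,
    "snatport": 26, "dnatport": 27, "protname": 29, "action": 30,
    "bytesout": 32, "bytesin": 33, "seconds": 36,
    "packetsout": 44, "packetsin": 45, "reason": 46,
}
INT_TAGS = {"session", "quantity", "sport", "dport", "snatport", "dnatport",
            "bytesout", "bytesin", "seconds", "packetsout", "packetsin"}


def split_ietf_header(line: str) -> tuple[dict, str]:
    """Strip the RFC 5424 header (PRI+VERSION, timestamp, host, app-name,
    procid, msgid, structured-data) and return (header fields, CSV body).
    The PRI value encodes facility*8 + severity, so a LOG_USER profile
    with facility 1 yields PRI values 8..15."""
    parts = line.split(" ", 7)
    if len(parts) != 8 or not parts[0].startswith("<"):
        raise ValueError("not an RFC 5424 framed message")
    pri = int(parts[0][1:parts[0].index(">")])
    header = {"facility": pri >> 3, "severity": pri & 7,
              "timestamp": parts[1], "host": parts[2]}
    return header, parts[7]


def split_user(value: str) -> tuple[str, str]:
    """PAN-OS writes users as DOMAIN\\user; split into (domain, login)."""
    if "\\" in value:
        domain, login = value.split("\\", 1)
        return domain, login
    return "", value


def parse_traffic_log(line: str) -> dict:
    """Return a dict keyed by LogRhythm tag name for one TRAFFIC record."""
    header, body = split_ietf_header(line)
    # Rule names are quoted when they contain commas, so use a CSV reader.
    row = next(csv.reader(io.StringIO(body)))
    if len(row) < 47 or row[3] != "TRAFFIC":
        raise ValueError("not a complete PAN-OS TRAFFIC record")
    out = {"host": header["host"], "timestamp": header["timestamp"]}
    for tag, idx in TRAFFIC_COLUMNS.items():
        out[tag] = row[idx]
    for tag in INT_TAGS:
        out[tag] = int(out[tag]) if out[tag] else 0
    # Source user -> domainorigin/login, destination user -> domainimpacted/account.
    out["domainorigin"], out["login"] = split_user(out.pop("sourceuser"))
    out["domainimpacted"], out["account"] = split_user(out.pop("destuser"))
    return out


# Constructed sample: serial number, addresses, user and rule name are made up.
SAMPLE = (
    "<14>1 2021-06-01T12:00:00.000Z PA-VM - - - - "
    "1,2021/06/01 12:00:00,007200001234,TRAFFIC,end,2305,2021/06/01 12:00:00,"
    "10.1.1.25,203.0.113.10,198.51.100.7,203.0.113.10,\"Allow Outbound, Web\","
    "corp\\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,"
    "LR-Syslog,2021/06/01 12:00:00,51234,1,52344,443,32100,443,0x400019,tcp,"
    "allow,7410,2310,5100,30,2021/06/01 11:59:40,15,computer-and-internet-info,"
    "0,123456789,0x0,10.0.0.0-10.255.255.255,United States,0,12,18,tcp-fin"
)

if __name__ == "__main__":
    for tag, value in parse_traffic_log(SAMPLE).items():
        print(f"<{tag}> = {value!r}")
```

The facility check in the header is the quick way to confirm that the profile really sends with LOG_USER as configured: PRI values outside 8..15 mean the firewall profile (or a relay in between) is not using the expected facility.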
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.591.0 | Syslog – Palo Alto Firewall | Policy: LogRhythm Default v2.0 | A new optimized log processing policy for Syslog – Palo Alto Firewall. |