Device Details
| Vendor | Palo Alto |
|---|---|
| Device Type | Next-Generation Firewall |
| Supported Model Name/Number | Palo Alto Series Firewall |
| Supported Software Version(s) | PAN-OS 9.0, PAN-OS 9.1, PAN-OS 10.0, PAN-OS 10.1. GlobalProtect is only supported from version 9.1.3 and later. |
| Collection Method | Syslog |
| Configurable Log Output? | Yes |
| Log Source Type | Syslog – Palo Alto Firewall |
| Log Processing Policy | LogRhythm Default v2.0 |
| Exceptions | N/A |
| Additional Information | https://www.paloaltonetworks.com/documentation, https://www.paloaltonetworks.com/network-security/next-generation-firewall |
Device Configuration Checklist
Create a Server Profile for the Collecting LogRhythm System Monitor Agent (Syslog Server)
- From the Palo Alto Console, select the Device tab.
- In the left pane, expand Server Profiles.
- Select Syslog.
- Click Add and define the name of the profile, such as LR-Agents.
Add Syslog Server (LogRhythm System Monitor) to Server Profile
Use the following configuration information:
- Name: such as LR-AgentName or IP
- IP Address or Fully Qualified Domain Name of the LogRhythm System Monitor
- Transport: UDP or TCP (dependent on the Palo Alto Firewall settings)
- Port: 514
- Format: IETF
- Facility: LOG_USER (default)
Configure Syslog Forwarding for Traffic, Threat, and Wildfire Logs
- In the left pane of the Objects tab, select Log Forwarding.
- Select Add and create a name for the Log Forwarding Profile, such as LR-Syslog.
- For each type and severity level, select the Syslog server profile.
Configure Syslog Forwarding for System and Config Logs
- In the left pane of the Device tab, select Log Settings.
- For each type and severity level, select the Syslog server profile.
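Once the server profile and forwarding profiles are in place, the quickest way to confirm that the firewall is sending what the collector expects (IETF format, port 514, facility LOG_USER) is to inspect a few received lines. The following script is an added example, not LogRhythm or Palo Alto code: it parses the RFC 5424 header, checks the facility against the profile setting, and pulls the PAN-OS log type out of the message body. The sample lines are constructed, and the assumption that the PAN-OS body is CSV with the log type in the fourth field is marked in the code.

```python
"""Sanity-check syslog lines a collector receives from a PAN-OS firewall
configured per the checklist above (Format IETF, Facility LOG_USER, port 514).
Added example; sample lines are constructed, not captured from a device."""
import re
import socket

LOG_USER = 1  # syslog facility "user-level messages" (RFC 5424, Table 1)

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
_IETF = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)


def parse_ietf(line):
    """Return the header fields of an IETF (RFC 5424) line as a dict, or None
    when the line is not RFC 5424 (for example a BSD/RFC 3164 line)."""
    m = _IETF.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["pri"] = pri
    fields["facility"] = pri >> 3       # PRI = facility * 8 + severity
    fields["severity"] = pri & 7
    fields["severity_name"] = SEVERITY_NAMES[pri & 7]
    # Assumption (not stated on the page): the PAN-OS message body is CSV whose
    # fourth field is the log type (TRAFFIC, THREAT, SYSTEM, CONFIG, ...), after
    # a future-use field, the receive time and the device serial number.
    parts = (fields.get("msg") or "").split(",")
    fields["pan_type"] = parts[3] if len(parts) > 3 else None
    return fields


def check_message(line, expected_facility=LOG_USER):
    """Return a list of problems for one forwarded line; an empty list means
    the line matches the server profile settings."""
    parsed = parse_ietf(line)
    if parsed is None:
        return ["not RFC 5424 (IETF) format; check the server profile Format setting"]
    problems = []
    if parsed["facility"] != expected_facility:
        problems.append(f"facility {parsed['facility']} != expected {expected_facility}")
    if parsed["pan_type"] is None:
        problems.append("message body is not PAN-OS CSV (no log type field)")
    return problems


def listen(port=514, count=5):
    """Receive `count` UDP datagrams on the collector port and check each one.
    Binding port 514 needs elevated privileges on most systems."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        results = []
        for _ in range(count):
            data, peer = sock.recvfrom(65535)
            results.append((peer[0], check_message(data.decode("utf-8", "replace"))))
        return results


# Constructed sample lines (PRI 14 = facility 1 LOG_USER, severity 6 info).
SAMPLE_TRAFFIC = (
    "<14>1 2021-06-01T12:00:00.000Z pa-fw-01 - - - - "
    "1,2021/06/01 12:00:00,012345678901,TRAFFIC,end,2560,2021/06/01 12:00:00,"
    "10.0.0.5,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust"
)
# PRI 30 = facility 3 (daemon): profile facility was changed from the default.
SAMPLE_WRONG_FACILITY = (
    "<30>1 2021-06-01T12:00:01.000Z pa-fw-01 - - - - "
    "1,2021/06/01 12:00:01,012345678901,SYSTEM,general,0,2021/06/01 12:00:01"
)
# BSD-format line: profile Format was left at BSD instead of IETF.
SAMPLE_BSD = "<14>Jun  1 12:00:02 pa-fw-01 1,2021/06/01 12:00:02,012345678901,CONFIG,0"

if __name__ == "__main__":
    for name, line in [("traffic", SAMPLE_TRAFFIC),
                       ("wrong facility", SAMPLE_WRONG_FACILITY),
                       ("bsd format", SAMPLE_BSD)]:
        print(f"{name}: {check_message(line) or 'ok'}")
```

Run it as-is to see the three constructed cases evaluated; call `listen()` on the collector host (with privileges for port 514) to run the same checks against live datagrams from the firewall. A facility mismatch or a BSD-format line points back to the server profile fields above rather than to the log processing policy.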
Supported Log Messages
This is a list of the LogRhythm (LR) tags used to parse the log information for each message type.
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| V 2.0 Authentication Lockout Expired | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 Authentication Messages | All | <vmid>, <vendorinfo>, <sip>, <login>, <object>, <policy>, <quantity>, <action>, <subject>, <result>, <objectname>, <protname>, <sname>, <smac>, <useragent>, <session> |
| V 2.0 Catch All (Palo Alto) | All | <vmid>, <vendorinfo> |
| V 2.0 Catch All: General Authentication Event | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 Catch All: General DHCP Messages | All | <vmid>, <vendorinfo>, <severity>, <subject>, <tag1> |
| V 2.0 Catch All: System Messages | All | <vmid>, <vendorinfo>, <severity>, <subject>, <objectname> |
| V 2.0 Configuration Messages | All | <vmid>, <vendorinfo>, <sip>, <command>, <tag1>, <login>, <sessiontype>, <result>, <tag2>, <object>, <objectname> |
| V 2.0 Correlated Event Messages | All | <vmid>, <vendorinfo>, <sip>, <domainorigin>, <login>, <subject>, <severity>, <objectname>, <threatname>, <threatid>, <reason> |
| V 2.0 Data/File/Virus/Spyware Threat Messages | All | <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag2>, <object>, <threatname>, <threatid>, <subject>, <severity>, <sender>, <recipient>, <objectname>, <group> |
| V 2.0 Decryption Event Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <objectname>, <group> |
| V 2.0 Flood/Packet Threat Messages | All | <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <sinterface>, <dinterface>, <protname>, <action>, <tag2>, <threatname>, <threatid>, <severity>, <objectname>, <group> |
| V 2.0 General Authentication Event | All | <vmid>, <severity>, <subject>, <sip>, <sessiontype>, <tag1>, <login>, <vendorinfo>, <tag2> |
| V 2.0 General Authentication Event (auth) | All | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <login>, <reason>, <tag1> |
| V 2.0 General DHCP Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <severity>, <subject>, <sip>, <smac>, <sname>, <dinterface>, <dip>, <objectname> |
| V 2.0 General DNS Signature Information | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General Dynamic DNS Messages | All | <vmid>, <vendorinfo>, <action>, <severity>, <subject>, <objectname> |
| V 2.0 General GlobalProtect Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <object>, <severity>, <subject>, <sip>, <login>, <reason>, <objectname> |
| V 2.0 General HA Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General Logical Link Discovery Protocol | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General Monitoring Events | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General NTPD Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General Path-Based Forwarding Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General Port Message | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <dinterface>, <status>, <tag1>, <objectname> |
| V 2.0 General Remote Access Manager Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General Routing Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General SAML Message | All | <vmid>, <vendorinfo>, <result>, <tag1>, <object>, <severity>, <subject>, <login>, <sip>, <reason>, <objectname> |
| V 2.0 General Satellite Connection Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General SSL Manager Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General System Event | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General URL-Filtering System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 General User Profile System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <dip>, <dport>, <dname>, <sip>, <status>, <quantity>, <objectname> |
| V 2.0 General VPN Status Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <sip>, <sport>, <dip>, <dport>, <objectname> |
| V 2.0 General Wildfire System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 GlobalProtect 9.1.3 & Later Status Messages | All | <vmid>, <vendorinfo>, <sip>, <sname>, <snatip>, <login>, <domainorigin>, <process>, <subject>, <serialnumber>, <version>, <action>, <result>, <reason>, <status>, <duration>, <quantity> |
| V 2.0 GlobalProtect Status Messages | All | <vmid>, <vendorinfo>, <action>, <status>, <tag1>, <domainorigin>, <login>, <sname>, <sip>, <snatip>, <serialnumber>, <version>, <quantity>, <reason>, <responsecode>, <subject>, <result>, <tag2>, <seconds>, <objectname> |
| V 2.0 GTP Log Messages | All | <vmid>, <severity>, <vendorinfo>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <subject>, <session>, <object>, <objectname>, <group>, <policy>, <action>, <command>, <tag1> |
| V 2.0 Host Profile Messages | All | <vmid>, <vendorinfo>, <domainorigin>, <login>, <sname>, <sip>, <object>, <quantity>, <objecttype>, <objectname>, <serialnumber>, <smac> |
| V 2.0 IP Tag Messages | All | <vmid>, <vendorinfo>, <dip>, <subject>, <action>, <quantity>, <object>, <objecttype>, <objectname> |
| V 2.0 Scan Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <threatname>, <threatid>, <severity>, <objectname>, <group> |
| V 2.0 SCTP Messages | All | <vmid>, <sip>, <dip>, <policy>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <protname>, <action>, <tag1>, <objectname>, <severity>, <subject>, <reason>, <packetsout>, <packetsin> |
| V 2.0 Traffic Messages | All | <severity>, <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <object>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag2>, <bytesin>, <bytesout>, <seconds>, <subject>, <packetsin>, <packetsout>, <reason>, <objecttype>, <objectname>, <group> |
| V 2.0 URL Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <sessiontype>, <protname>, <action>, <tag1>, <url>, <subject>, <severity>, <useragent>, <objectname>, <group> |
| V 2.0 User ID Messages | All | <vmid>, <action>, <tag1>, <sip>, <domainorigin>, <login>, <quantity>, <subject>, <objectname> |
| V 2.0 Vulnerability Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <subject>, <severity>, <objectname>, <group> |
| V 2.0 Wildfire Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <result>, <tag2>, <severity>, <hash>, <objecttype>, <sender>, <subject>, <recipient>, <objectname>, <group> |
| V 2.0 Wildfire-Virus Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <severity>, <sender>, <subject>, <recipient>, <objectname>, <group> |
| V 2.0 General SDWAN Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname> |
| V 2.0 Threat ML-Virus Messages | | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <severity>, <sender>, <subject>, <recipient>, <objectname>, <group> |
Revision History
| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.591.0 | Syslog – Palo Alto Firewall | Policy: LogRhythm Default v2.0 | A new optimized log processing policy for Syslog – Palo Alto Firewall. |