Syslog - Palo Alto Firewall
Device Details
Vendor | Palo Alto |
|---|---|
Device Type | Next-Generation Firewall |
Supported Model Name/Number | Palo Alto Series Firewall |
Supported Software Version(s) | PAN-OS 9.0, PAN-OS 9.1, PAN-OS 10.0, PAN-OS 10.1. GlobalProtect only supported from version 9.1.3 and later. |
Collection Method | Syslog |
Configurable Log Output? | Yes |
Log Source Type | Syslog – Palo Alto Firewall |
Log Processing Policy | LogRhythm Default v2.0 |
Exceptions | N/A |
Additional Information | https://www.paloaltonetworks.com/documentation https://www.paloaltonetworks.com/network-security/next-generation-firewall |
Device Configuration Checklist
Create a Server Profile for the Collecting LogRhythm System Monitor Agent (Syslog Server)
- From the Palo Alto Console, select the Device tab.
- In the left pane, expand Server Profiles.
- Select Syslog.
- Click Add and define the name of the profile, such as LR-Agents.
Add Syslog Server (LogRhythm System Monitor) to Server Profile
Use the following configuration information:
- Name such as LR-AgentName or IP
- IP Address or Fully Qualified Domain Name of the LogRhythm System Monitor
- UDP or TCP Transport (dependent on the Palo Alto Firewall settings)
- Port 514
- Format IETF
- Facility LOG_USER (default)
Configure Syslog Forwarding for Traffic, Threat, and Wildfire Logs
- In the left pane of the Objects tab, select Log Forwarding.
- Select Add and create a name for the Log Forwarding Profile, such as LR-Syslog.
- For each type and severity level, select the Syslog server profile.
Configure Syslog Forwarding for System and Config Logs
- In the left pane of the Device tab, select Log Settings.
- For each type and severity level, select the Syslog server profile.
Supported Log Messages
This is a list of LR tags used to parse the log information for each message type.
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| V 2.0 Authentication Lockout Expired | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 Authentication Messages | All | <vmid>, <vendorinfo>, <sip>, <login>, <object>, <policy>, <quantity>, <action>, <subject>, <result>, <protname>, <sname>, <smac>, <useragent>, <session> |
| V 2.0 Catch All (Palo Alto) | All | <vmid>, <vendorinfo> |
| V 2.0 Catch All : General Authentication Event | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 Catch All : General DHCP Messages | All | <vmid>, <vendorinfo>, <severity>, <subject>, <tag1> |
| V 2.0 Catch-all - System Messages | All | <vmid>, <vendorinfo>, <severity>, <subject> |
| V 2.0 Configuration Messages | All | <vmid>, <sip>, <command>, <login>, <sessiontype>, <result>, <object>, <tag1>, <tag2> |
| V 2.0 Correlated Event Messages | All | <vmid>, <sip>, <domainorigin>, <login>, <subject>, <severity>, <threatname>, <threatid>, <reason> |
| V 2.0 Data/File/Virus/Spyware Threat Messages | All | <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag2>, <object>, <threatname>, <threatid>, <subject>, <severity>, <sender>, <recipient>, <objectname> |
| V 2.0 Decryption Event Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <objectname> |
| V 2.0 Flood/Packet Threat Messages | All | <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <sinterface>, <dinterface>, <protname>, <action>, <tag2>, <threatname>, <threatid>, <severity>, <objectname> |
| V 2.0 General Authentication Event | All | <vmid>, <severity>, <subject>, <sip>, <sessiontype>, <tag1>, <login>, <vendorinfo>, <tag2> |
| V 2.0 General Authentication Event (auth) | All | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <login>, <reason>, <tag1> |
| V 2.0 General DHCP Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <severity>, <subject>, <sip>, <smac>, <sname>, <dinterface>, <dip> |
| V 2.0 General DNS Signature Information | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 General Dynamic DNS Messages | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 General GlobalProtect Messages | All | <vmid>, <vendorinfo>, <severity>, <subject>, <sip>, <dname>, <tag1>, <reason>, <login> |
| V 2.0 General HA Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject> |
| V 2.0 General Logical Link Discovery Protocol | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 General Monitoring Events | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject> |
| V 2.0 General NTPD Messages | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 General Path-Based Forwarding Messages | All | <vmid>, <vendorinfo>, <tag1>, <objectname>, <severity>, <subject> |
| V 2.0 General Port Message | All | <vmid>, <vendorinfo>, <objectname>, <severity>, <dinterface>, <status>, <tag1>, <tag2> |
| V 2.0 General Remote Access Manager Messages | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 General Routing Messages | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 General SAML Message | All | <vmid>, <vendorinfo>, <result>, <tag1>, <object>, <severity>, <subject>, <login>, <reason>, <sip> |
| V 2.0 General Satellite Connection Messages | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 General SSL Manager Messages | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 General System Event | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject> |
| V 2.0 General URL-Filtering System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject> |
| V 2.0 General User Profile System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <dip>, <dport>, <dname>, <sip>, <status>, <quantity> |
| V 2.0 General VPN Status Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <sip>, <sport>, <dip>, <dport> |
| V 2.0 General Wildfire System Messages | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject> |
| V 2.0 GlobalProtect 9.1.3 & Later Status Messages | All | <vmid>, <vendorinfo>, <sip>, <sname>, <snatip>, <login>, <domainorigin>, <process>, <subject>, <serialnumber>, <version>, <action>, <result>, <reason>, <status>, <duration>, <quantity> |
| V 2.0 GlobalProtect Status Messages | All | <vmid>, <subject>, <status>, <domainorigin>, <login>, <sname>, <sip>, <snatip>, <quantity>, <reason>, <result>, <seconds> |
| V 2.0 GTP Log Messages | All | <vmid>, <severity>, <vendorinfo>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <subject>, <session>, <object>, <objectname>, <group>, <policy>, <action>, <command>, <tag1> |
| V 2.0 Host Profile Messages | All | <vmid>, <domainorigin>, <login>, <sname>, <version>, <sip>, <object>, <quantity>, <objecttype>, <smac> |
| V 2.0 IP Tag Messages | All | <vmid>, <dip>, <subject>, <action>, <quantity>, <object>, <objecttype> |
| V 2.0 Scan Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <threatname>, <threatid>, <severity>, <objectname> |
| V 2.0 SCTP Messages | All | <vmid>, <sip>, <dip>, <policy>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <protname>, <action>, <severity>, <subject>, <reason>, <amount>, <packetsout>, <packetsin> |
| V 2.0 Traffic Messages | All | <severity>, <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <object>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <bytesin>, <bytesout>, <seconds>, <subject>, <packetsin>, <packetsout>, <reason>, <objecttype>, <objectname> |
| V 2.0 URL Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>,<sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <sessiontype>, <protname>, <action>, <tag1>, <url>, <subject>, <severity>, <useragent>, <objectname> |
| V 2.0 User ID Messages | All | <vmid>, <subject>, <action>, <quantity>, <severity>, <login>, <domainorigin>, <tag1> |
| V 2.0 Vulnerability Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <subject>, <severity>, <objectname> |
| V 2.0 Wildfire Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <result>, <tag2>, <severity>, <hash>, <objecttype>, <sender>, <subject>, <recipient>, <objectname> |
| V 2.0 Wildfire-Virus Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <severity>, <sender>, <subject>, <recipient>, <objectname> |
| V 2.0 General SDWAN Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject> |
Revision History
KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.591.0 | Syslog – Palo Alto Firewall | Policy: LogRhythm Default v2.0 | New optimized log processing policy for Syslog – Palo Alto Firewall. |