Device Details

Vendor

Palo Alto

Device Type

Next-Generation Firewall

Supported Model Name/Number

Palo Alto Series Firewall

Supported Software Version(s)

PAN-OS 9.0, PAN-OS 9.1, PAN-OS 10.0, PAN-OS 10.1.

GlobalProtect only supported from version 9.1.3 and later. 

Collection Method

Syslog

Configurable Log Output?

Yes

Log Source Type

Syslog – Palo Alto Firewall

Log Processing Policy

LogRhythm Default v2.0

Exceptions

N/A

Additional Information

https://www.paloaltonetworks.com/documentation

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls.html

https://www.paloaltonetworks.com/network-security/next-generation-firewall

Device Configuration Checklist

Create a Server Profile for the Collecting LogRhythm System Monitor Agent (Syslog Server)

  1. From the Palo Alto Console, select the Device tab.
  2. In the left pane, expand Server Profiles.
  3. Select Syslog.
  4. Click Add and define the name of the profile, such as LR-Agents.

Add Syslog Server (LogRhythm System Monitor) to Server Profile

Use the following configuration information:

  • Name such as LR-AgentName or IP
  • IP Address or Fully Qualified Domain Name of the LogRhythm System Monitor
  • TCP Transport
  • Port 514
  • Format IETF
  • Facility LOG_USER (default)

Configure Syslog Forwarding for Traffic, Threat, and Wildfire Logs

  1. In the left pane of the Objects tab, select Log Forwarding.
  2. Select Add and create a name for the Log Forwarding Profile, such as LR-Syslog.
  3. For each type and severity level, select the Syslog server profile.

Configure Syslog Forwarding for System and Config Logs

  1. In the left pane of the Device tab, select Log Settings.
  2. For each type and severity level, select the Syslog server profile.

Supported Log Messages

This is a list of LR tags used to parse the log information for each message type.

TypeProduct VersionSupported Schema Fields
V 2.0 Authentication Lockout ExpiredAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 Catch All (Palo Alto)All<vmid>, <vendorinfo>
V 2.0 Catch All : General Authentication EventAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 Catch All : General DHCP MessagesAll<vmid>, <vendorinfo>, <severity>, <subject>, <tag1>
V 2.0 Catch-all - System MessagesAll<vmid>, <vendorinfo>, <severity>, <subject>
V 2.0 Configuration MessagesAll<vmid>, <sip>, <command>, <login>, <sessiontype>, <result>, <object>, <tag1>, <tag2>
V 2.0 Correlated Event MessagesAll<vmid>, <sip>, <domainorigin>, <login>, <subject>, <severity>, <threatname>, <threatid>, <reason>
V 2.0 Data/File/Virus/Spyware Threat MessagesAll<vmid>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <object>, <threatname>, <threatid>, <subject>, <severity>, <tag1>, <tag2>, <sender>, <recipient>
V 2.0 Flood/Packet Threat MessagesAll<vmid>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <sinterface>, <dinterface>, <protname>, <action>, <threatname>, <threatid>, <tag1>, <tag2>, <severity>
V 2.0 General Authentication EventAll<vmid>, <severity>, <subject>, <sip>, <sessiontype>, <tag1>, <login>, <vendorinfo>, <tag2>
V 2.0 General Authentication Event (auth)All<vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <login>, <reason>, <tag1>
V 2.0 General DHCP MessagesAll<vmid>, <vendorinfo>, <severity>, <dip>, <sip>, <sname>, <tag1>, <smac>, <dinterface>,<smac>,<dinterface>,<subject><dmac>,<dname>
V 2.0 General DNS Signature InformationAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General Dynamic DNS MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General GlobalProtect MessagesAll<vmid>, <vendorinfo>, <severity>, <subject>, <sip>, <dname>, <tag1>, <reason>, <login>
V 2.0 General Logical Link Discovery ProtocolAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General NTPD MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General Path-Based Forwarding MessagesAll<vmid>, <vendorinfo>, <tag1>, <objectname>, <severity>, <subject>
V 2.0 General Port MessageAll<vmid>, <vendorinfo>, <objectname>, <severity>, <dinterface>, <status>, <tag1>, <tag2>
V 2.0 General Remote Access Manager MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General Routing MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General SAML MessageAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>,<result>,<login>,<reason>,<sip>
V 2.0 General Satellite Connection MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General SSL Manager MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General System EventAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General URL-Filtering System MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General User Profile System MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 General VPN Status MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>,<object>, <action>, <sip>, <sport>, <dip>, <dport>
V 2.0 General Wildfire System MessagesAll<vmid>, <vendorinfo>, <tag1>, <severity>, <subject>
V 2.0 GlobalProtect 9.1.3 & Later Status MessagesAll<vmid>, <vendorinfo>, <sip>, <sname>, <snatip>, <login>, <domainorigin>, <process>, <subject>, <serialnumber>, <version>, <action>, <result>, <reason>, <status>, <duration>, <quantity>
V 2.0 GlobalProtect Status MessagesAll<vmid>, <subject>, <status>, <domainorigin>, <login>, <sname>, <sip>, <snatip>, <quantity>, <reason>, <result>, <seconds>
V 2.0 GTP Log MessagesAll<vmid>, <severity>, <vendorinfo>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <subject>, <session>, <object>, <objectname>, <group>, <policy>, <action>, <command>, <tag1>
V 2.0 Host Profile MessagesAll<vmid>, <domainorigin>, <login>, <sname>, <version>, <sip>, <object>, <quantity>, <objecttype>,<smac>
V 2.0 IP Tag MessagesAll<vmid>, <dip>, <subject>, <action>, <quantity>, <object>, <objecttype>
V 2.0 Scan Threat MessagesAll<vmid>, <severity>, <sip>, <dip>, <snatip>, <dnatip>, <sinterface>, <dinterface>, <protname>, <login>, <domainorigin>, <threatname>, <threatid>, <policy>, <action>, <tag1>, <tag2>
V 2.0 SCTP MessagesAll<vmid>, <sip>, <dip>, <policy>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <protname>, <action>, <severity>, <subject>, <reason>, <amount>, <packetsout>, <packetsin>
V 2.0 Traffic MessagesAll<vmid>, <sip>, <dip>, <command>, <object>, <tag1>, <tag2>, <sinterface>, <dinterface>, <sport>, <dport>, <protname>, <action>, <session>, <policy>, <snatip>, <dnatip>, <snatport>, <dnatport>, <login>, <domainorigin>, <subject>, <reason>, <bytes>, <duration>, <packets>, <quantity>
V 2.0 URL Threat MessagesAll<vmid>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <url>, <domainimpacted>, <subject>, <severity>, <useragent>
V 2.0 User ID MessagesAll<vmid>, <subject>, <action>, <quantity>, <severity>, <login>, <domainorigin>, <tag1>
V 2.0 Vulnerability Threat MessagesAll<vmid>, <sip>, <dip>, <command>, <object>, <tag1>, <tag2>, <sinterface>, <dinterface>, <sport>, <dport>, <protname>, <action>, <session>, <policy>, <snatip>, <dnatip>, <snatport>, <dnatport>, <login>, <domainorigin>, <subject>, <quantity>, <sender>, <recipient>, <threatname>, <threatid>, <object>, <objecttype>
V 2.0 Wildfire Threat MessagesAll<vmid>, <sip>, <dip>, <command>, <object>, <tag1>, <tag2>, <sinterface>, <dinterface>, <sport>, <dport>, <protname>, <action>, <session>, <policy>, <snatip>, <dnatip>, <snatport>, <dnatport>, <login>, <domainorigin>, <subject>, <quantity>, <sender>, <recipient>, <threatname>, <threatid>, <object>, <hash>, <tag3>, <objecttype>
V 2.0 Wildfire-Virus Threat MessagesAll<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <snatip>, <dnatip>, <snatport>, <dnatport>, <sinterface>, <dinterface>, <protname>, <login>, <domainorigin>, <subject>, <object>, <session>, <threatname>, <threatid>, <policy>, <action>, <sender>, <recipient>, <quantity>, <tag1>, <tag2>
V 2.0 Decryption Event MessagesAll<vmid>,<sip>,<dip>,<snatip>,<dnatip>,<policy>,<domainorigin>,<login>,<domainimpacted>,<account>,<sinterface>,<dinterface>,<session>,<sport>,<dport>,<snatport>,<dnatport>,<protname>,<action>, <tag1>
V 2.0 General HA MessagesAll<vmid>,<vendorinfo>,<severity>,<subject>

Revision History

KB Version

Log Type

Change Type

Details

KB 7.1.591.0Syslog – Palo Alto FirewallPolicy: LogRhythm Default v2.0New optimized log processing policy for Syslog – Palo Alto Firewall.