Palo Alto
Integration of Palo Alto's Configuration and System logs into XpoLog.
Prerequisites:
A. Open the relevant ports (TCP\UDP) on the XpoLog machine.
B. Create a syslog listener on the listeners tab in XpoLog that will listen and collect the log from the Palo Alto machine.
Palo Alto Configurations:
1. Open the relevant port on the Palo Alto Machine:
I. Login to the GUI of the Palo Alto machine, and then enter to Objects->Services->Add.
II. During the creation of the service, you have to determine the name for the service, the format\protocol in which the service will send the data (ie TCP or UDP), source port and the destination port (which you have already configured in XpoLog’s listener).
2. Create new syslog device which will send the system and configuration logs into XpoLog:
I. From the GUI of the Palo Alto, enter to Devices->Server Profiles->Syslog->Add.
II. During the creation of the device, you have to determine the name for the syslog server profile, and also to configure the values for the following fields.
- Name—Unique name for the server profile.
- Syslog Server—IP address or fully qualified domain name (FQDN) of the syslog server (in case that DNS server was configured)
- Transport—Select TCP, UDP, or SSL (TLS) as the protocol for communicating with the syslog server. For SSL, the firewall supports only TLSv1.2.
- Port—The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
- Format—Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL/TLS.
- Facility—Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
3. Configure the 'Log Settings' for your System and Configuration logs:
I. From the GUI of your Palo Alto, enter to Devices->Log Settings, and add new log setting under the relevant tab (system\configuration).
II. Please grant a name for the log setting and under the 'syslog\ tab, choose the syslog devices that you have already configured in section 2 and add them.
4. Create a 'Log Forwarder' for your logs.
I. From the GUI of the Palo Alto, enter to ObjectsàLog ForwardingàAdd.
II. Name the log forwarder. Then from the syslog tab, choose the devices that you have already configured in section 2 and add them.
5. Commit all these configuration changes - from the top left part of the GUI, press on the ‘commit’ button in order that the configuration changes will take effect.
XpoLog Configurations (edit the syslog logs that were generated for the Palo Alto machine):
System Log -
I. For the syslog of the system log, set the logTypes of the syslog to ‘syslog,paloalto,system,audit’.
II. Apply the following patterns on the log (default patterns):
First Pattern:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility}] [{priority:Level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device}] {block,start,emptiness=true}{text:Application Name}[{text:Process Id}]: {block,end,emptiness=true}{text:Device} {text:Domain,ftype=domain;,},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#},{text:Type,ftype=eventSource;,},{text:Threat/Content Type},{text:Config Version},{text:Generate time},{text:Virtual System},{text:Event ID,ftype=eventName;,},{text:Object},{text:fmt},{text:id},{text:module,ftype=module;,},{priority:Severity,ftype=status;,},"{text:Description,ftype=message;,}",{text:Sequence Number},{text:Action Flags},{text:dg_hier_level_1},{text:dg_hier_level_2},{text:dg_hier_level_3},{text:dg_hier_level_4},{text:Virtual System Name},{text:Device Name}{regexp:Username,ftype=username;refName=Description,(Failed password for |User |for user \u0027|Password changed for user |failed authentication for user \u0027 |authenticated for user \u0027)[XPLG_PARAM([^\u0027\s]+)].*}{regexp:Source,ftype=sourceip;refName=Description;,(From: |from )[XPLG_PARAM(\d+\.\d+\.\d+\.\d+)]}{regexp:Logout,ftype=logout;refName=Description,logged out}
Second Pattern:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility}] [{priority:Level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device}] {block,start,emptiness=true}{text:Application Name}[{text:Process Id}]: {block,end,emptiness=true}{text:Device} {text:Domain,ftype=domain;,},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#},{text:Type,ftype=eventSource;,},{text:Threat/Content Type},{text:Config Version},{text:Generate time},{text:Virtual System},{text:Event ID,ftype=eventName;,},{text:Object},{text:fmt},{text:id},{text:module,ftype=module;,},{priority:Severity,ftype=status;,},{text:Description,ftype=message;,},{text:Sequence Number},{text:Action Flags},{text:dg_hier_level_1},{text:dg_hier_level_2},{text:dg_hier_level_3},{text:dg_hier_level_4},{text:Virtual System Name},{text:Device Name}{regexp:Username,ftype=username;refName=Description,(Failed password for |User |for user \u0027|Password changed for user |failed authentication for user \u0027 |authenticated for user \u0027)[XPLG_PARAM([^\u0027\s]+)].*}{regexp:Source,ftype=sourceip;refName=Description;,(From: |from )[XPLG_PARAM(\d+\.\d+\.\d+\.\d+)]}{regexp:Logout,ftype=logout;refName=Description,logged out}
Configuration Log -
I. For the syslog of the configuration log, set the logTypes of this log to 'syslog,paloalto,configuration.audit'.
II. Apply the following pattern on the log:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility}] [{priority:Level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device}] {block,start,emptiness=true}{text:Application Name}[{text:Process Id}]: {block,end,emptiness=true}{text:Device} {text:Domain,ftype=domain},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#},{text:Type,ftype=eventSource},{text:Thread/Content Type},{text:Config Version},{text:Generate time},{geoip:Host,ftype=sourceip,type=country:region:city;,},{text:Virtual System},{choice:cmd,ftype=command,add,clone.commit,delete,edit,move,rename,set},{text:Admin,ftype=username},{choice:client,Web,CLI},{choice:Result,ftype=status,Submitted,Succeeded,Failed,Unauthorized},{text:Configuration-path,ftype=path},{text:SequenceNumber},{text:ActionFlags},{text:dg_hier_level_1},{text:dg_hier_level_2},{text:dg_hier_level_3},{text:dg_hier_level_4},{text:Virtual System Name},{text:Device Name}{regexp:Event_Name,ftype=eventName;refName=configuration-path,config mgt-config users|config shared local-user-database user |config shared local-user-database user-group|config shared admin-role|config shared authentication-profile|config mgt-config password-profile}{regexp:Audited_Object,ftype=auditedobject;refName=configuration-path,(config mgt-config users|config shared local-user-database user |config shared local-user-database user-group |config shared admin-role|config shared authentication-profile|config mgt-config password-profile)[XPLG_PARAM](.*)}
For more information about the system log fields, see below the format Conversion Table:
Field Name | Description | XpoLog Pattern | Ftype |
Domain | The domain which the messages was sent from. | {text:Domain,ftype=domain} | ftype=domain |
Receive Time | Time the log was received at the management plane. | {date:Recieve time,yyyy/MM/dd HH:mm:ss} |
|
Serial# | Serial number of the firewall that generated the log | {text:Serial#} |
|
Type | Type of log; values are traffic, threat, config, system and hip-match | {text:Type,ftype=eventSource} | ftype=eventSource |
Content/Threat Type | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. | {text:Threat/Content Type} |
|
| Config Version | Config Version associated with the system log. | {text:Config Version} | |
Generate Time | Time the log was generated on the dataplane. | {text:Generate time} |
|
Virtual System | Virtual System associated with the system log. | {text:Virtual System} |
|
Event ID | String showing the name of the event. | {text:Event ID,ftype=eventName} | ftype=eventName |
Object | Name of the object associated with the system event. | {text:Object} |
|
| fmt | {text:fmt} | ||
| id | {text:id} | ||
Module | This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis. | {text:module,ftype=module} | ftype=module |
Severity | Severity associated with the event; values are informational, low, medium, high, critical. | {priority:Severity,ftype=status,Critical;High;Medium;Low;Informational} | ftype=status |
Username | Username associated with the event. | {regexp:Username,ftype=username;refName=Description,(Failed password for |User |for user \u0027|Password changed for user |failed authentication for user \u0027 |authenticated for user \u0027)[XPLG_PARAM([^\u0027\s]+)].*} | ftype=username |
Description | Detailed description of the event, up to a maximum of 512 bytes. | {text:Description,ftype=message} | ftype=message |
Sequence Number | A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. | {text:Sequence Number} |
|
Action Flags | A bit field indicating if the log was forwarded to Panorama | {text:Action Flags} |
|
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
| {text:dg_hier_level_1},{text:dg_hier_level_2},{text:dg_hier_level_3},{text:dg_hier_level_4} |
|
Virtual System Name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name} |
|
Device Name | The hostname of the firewall on which the session was logged. | {text:Device Name} |
|
Sourceip | Sourceip which is associated with the event. | {regexp:Sourceip,ftype=sourceip;refName=Description,(From: |from )[XPLG_PARAM([^\s]+)].*} | ftype=sourceip |
For more information about the configuration log fields, see below the format Conversion Table:
Field Name | Description | XpoLog Pattern | Ftype |
Domain | The domain which the messages was sent from. | {text:Domain,ftype=domain} | ftype=domain |
Receive Time | Time the log was received at the management plane. | {date:Recieve time,yyyy/MM/dd HH:mm:ss} |
|
Serial# | Serial number of the firewall that generated the log | {text:Serial#} |
|
Type | Type of log; values are traffic, threat, config, system and hip-match | {text:Type,ftype=eventSource} | ftype=eventSource |
Content/Threat Type | Subtype of the configuration log | {text:Threat/Content Type} | |
| Config Version | Config Version associated with the configuration log. | {text:Config Version} |
|
Generate Time | Time the log was generated on the dataplane. | {text:Generate time} |
|
Host | Hostname or IP address of the client machine | {geoip:Host,ftype=sourceip,type=country:region:city;,} | ftype=sourceip |
Virtual System | Virtual System associated with the configuration log. | {text:Virtual System} |
|
Command | Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set. | {choice:cmd,ftype=command,add,clone.commit,delete,edit,move,rename,set} | ftype=command |
Admin | Username of the Administrator performing the configuration | {text:Admin,ftype=username} | ftype=username |
Client | Client used by the Administrator; values are Web and CLI | {choice:client,Web,CLI} |
|
Result |
| {choice:Result,ftype=status,Submitted,Succeeded,Failed,Unauthorized} | ftype=status |
Configuration Path |
| {text:Configuration-path} | ftype=path |
Sequence Number | A 64bit log entry identifier incremented sequentially; each log type has a unique number space. | {text:SequenceNumber} |
|
Action Flags |
| {text:ActionFlags} |
|
Before Change Detail | It contains the full xpath before the configuration change. | {text:Before-change-detail} |
|
After Change Detail | It contains the full xpath after the configuration change. | {regexp:After-change-detail,^[^\,]*} |
|
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
| {text:dg_hier_level_1},{text:dg_hier_level_2},{text:dg_hier_level_3},{text:dg_hier_level_4} |
|
Virtual System Name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name} |
|
Device Name | The hostname of the firewall on which the session was logged. | {text:Device Name} |
|
| Event_Name | The executed command. | {regexp:Event_Name,ftype=eventName;refName=configuration-path,config mgt-config users|config shared local-user-database user |config shared local-user-database user-group|config shared admin-role|config shared authentication-profile|config mgt-config password-profile} | ftype=eventName |
Audited_Object | The object (user,admin,group,policy) which the event was taken on him. | {regexp:Audited_Object,ftype=auditedobject;refName=configuration-path,(config mgt-config users|config shared local-user-database user |config shared local-user-database user-group |config shared admin-role|config shared authentication-profile|config mgt-config password-profile)[XPLG_PARAM](.*)} | ftype=auditedobject |
.