Sumo Logic

Collect Logs for Palo Alto Networks 6

This procedure documents how to collect logs from Palo Alto Networks 6 into Sumo Logic. 

Log Types

Parsing in the Sumo Logic app for PAN 6 is based on the PAN-OS Syslog integration, which is described in this document: PAN-OS Syslog Integration

Prerequisites/Requirements

  • Configure Syslog Monitoring for your Palo Alto Networks device, as described in Configure Syslog Monitoring in Palo Alto Networks help.
  • This app supports Palo Alto Networks v6.

Configure a Collector

Configure an Installed Collector or a Hosted source for Syslog-ng or Rsyslog.

Configure a Source

For Syslog, configure the Source fields:

  1. Name. (Required) A name for the Source.
  2. Description. Optional.
  3. Protocol. UDP or TCP.
  4. Port. The port number the Source listens on.
  5. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. For details see Best Practices.
  6. Click Save.

For a Hosted source, adjust the advanced settings as necessary, and save the endpoint URL associated with the source; you will need it when configuring the Palo Alto Networks device to forward syslog.

Field Extraction Rules

When creating a Field Extraction Rule, you have the option to select from a template for Palo Alto Networks.

parse "*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*"
as f1,recvTime,serialNum,type,subtype,f2,genTime,src_ip,dest_ip,natsrc_ip,natdest_ip,
ruleName,src_user,dest_user,app,vsys,src_zone,dest_zone,ingress_if,egress_if,logProfile,
f3,sessionID,repeatCnt,src_port,dest_port,natsrc_port,natdest_port,flags,protocol,action,
misc,threatID,cat,severity,direction,seqNum,action_flags,src_loc,dest_loc,f4,content_type

Sample Log Message

<12>Dec 22 13:22:14 PA-5050 1,2016/12/22 13:22:14,002201002211,THREAT,vulnerability,1,2016/12/22 13:22:14,77.200.181.165,208.74.205.51,0.0.0.0,0.0.0.0,Alert Logging,,,web-browsing,vsys1,IDS,IDS,ethernet1/21,ethernet1/21,Sumo_Logic,2016/12/22 13:22:14,34403128,1,59305,80,0,0,0x80000000,tcp,alert,"1794",HTTP SQL Injection Attempt(38195),any,medium,client-to-server,128764886,0x0,NL,US,0,,1345817091864062106,,,1,,,,,,,,0
<11>Dec 22 13:08:28 PA-5050 1,2016/12/22 13:08:28,002201002211,THREAT,vulnerability,1,2016/12/22 13:08:28,46.148.24.108,208.74.205.51,0.0.0.0,0.0.0.0,Alert Logging,,,web-browsing,vsys1,IDS,IDS,ethernet1/21,ethernet1/21,Sumo_Logic,2016/12/22 13:08:28,34645066,1,38899,80,0,0,0x80000000,tcp,alert,"message",HTTP /etc/passwd Access Attempt(30852),any,high,client-to-server,128763724,0x0,UA,US,0,,1345817091864061211,,,1,,,,,,,,0
<14>Dec 22 16:24:05 AO-PA500-01.domain.local 1,2016/12/22 16:24:04,009401007189,TRAFFIC,drop,1,2016/12/22 16:24:04,45.55.255.28,184.18.215.26,0.0.0.0,0.0.0.0,deny untrust - logging,,,not-applicable,vsys1,untrust,untrust,ethernet1/1,,Log-Forwarding-01,2016/12/22 16:24:04,0,1,29272,2083,0,0,0x0,tcp,deny,92,92,0,1,2016/12/22 16:24:04,0,any,0,372320422,0x0,US,US,0,1,0,policy-deny,0,0,0,0,,AO-PA500-01,from-policy

Query Samples

Threat Type by Severity

_sourceCategory=palo_alto_network
| parse "*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*" as f1,recvTime,serialNum,type,subtype,f2,genTime,src_ip,dest_ip,natsrc_ip,natdest_ip,ruleName,src_user,dest_user,app,vsys,src_zone,dest_zone,ingress_if,egress_if,logProfile,f3,sessionID,repeatCnt,src_port,dest_port,natsrc_port,natdest_port,flags,protocol,action,misc,threatID,cat,severity,direction,seqNum,action_flags,src_loc,dest_loc,f4,content_type
| count as count by subtype,severity
| transpose row severity column subtype
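As an added example (not code from the Sumo Logic page or the PAN-OS integration), the Python below applies the 42-field template from the Field Extraction Rule to the page's three sample log lines and reproduces the Threat Type by Severity aggregation offline. The field names are the THREAT column layout, so the example restricts the count to type THREAT: in the TRAFFIC sample the same positions hold byte and packet counters, and "severity" would otherwise come out as the packet count. The syslog-header regex and the helper names are assumptions of this example.

```python
import csv
import re
from collections import Counter

# Field names exactly as in the Field Extraction Rule template (PAN-OS THREAT column order).
FIELDS = ("f1,recvTime,serialNum,type,subtype,f2,genTime,src_ip,dest_ip,natsrc_ip,natdest_ip,"
          "ruleName,src_user,dest_user,app,vsys,src_zone,dest_zone,ingress_if,egress_if,logProfile,"
          "f3,sessionID,repeatCnt,src_port,dest_port,natsrc_port,natdest_port,flags,protocol,action,"
          "misc,threatID,cat,severity,direction,seqNum,action_flags,src_loc,dest_loc,f4,content_type"
          ).split(",")

# Assumed syslog header shape, as in the samples: "<PRI>Mon dd hh:mm:ss hostname " then the CSV body.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$")

# The three sample log messages from the page (THREAT, THREAT, TRAFFIC).
SAMPLE_LINES = [
    '<12>Dec 22 13:22:14 PA-5050 1,2016/12/22 13:22:14,002201002211,THREAT,vulnerability,1,2016/12/22 13:22:14,77.200.181.165,208.74.205.51,0.0.0.0,0.0.0.0,Alert Logging,,,web-browsing,vsys1,IDS,IDS,ethernet1/21,ethernet1/21,Sumo_Logic,2016/12/22 13:22:14,34403128,1,59305,80,0,0,0x80000000,tcp,alert,"1794",HTTP SQL Injection Attempt(38195),any,medium,client-to-server,128764886,0x0,NL,US,0,,1345817091864062106,,,1,,,,,,,,0',
    '<11>Dec 22 13:08:28 PA-5050 1,2016/12/22 13:08:28,002201002211,THREAT,vulnerability,1,2016/12/22 13:08:28,46.148.24.108,208.74.205.51,0.0.0.0,0.0.0.0,Alert Logging,,,web-browsing,vsys1,IDS,IDS,ethernet1/21,ethernet1/21,Sumo_Logic,2016/12/22 13:08:28,34645066,1,38899,80,0,0,0x80000000,tcp,alert,"message",HTTP /etc/passwd Access Attempt(30852),any,high,client-to-server,128763724,0x0,UA,US,0,,1345817091864061211,,,1,,,,,,,,0',
    '<14>Dec 22 16:24:05 AO-PA500-01.domain.local 1,2016/12/22 16:24:04,009401007189,TRAFFIC,drop,1,2016/12/22 16:24:04,45.55.255.28,184.18.215.26,0.0.0.0,0.0.0.0,deny untrust - logging,,,not-applicable,vsys1,untrust,untrust,ethernet1/1,,Log-Forwarding-01,2016/12/22 16:24:04,0,1,29272,2083,0,0,0x0,tcp,deny,92,92,0,1,2016/12/22 16:24:04,0,any,0,372320422,0x0,US,US,0,1,0,policy-deny,0,0,0,0,,AO-PA500-01,from-policy',
]


def parse_pan_line(line):
    """Map one PAN-OS syslog line onto the 42 template fields; None if it does not match."""
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        return None
    # csv honours the double quotes PAN-OS puts around fields such as misc ("1794" above).
    values = next(csv.reader([m.group("body")]))
    if len(values) < len(FIELDS):
        return None
    record = dict(zip(FIELDS, values))
    record["syslog_host"] = m.group("host")
    record["extra"] = values[len(FIELDS):]  # columns past the template are kept unnamed
    return record


def threat_type_by_severity(lines):
    """Offline equivalent of the query: count by (subtype, severity), THREAT records only,
    because the template's names only describe the THREAT column layout."""
    counts = Counter()
    for line in lines:
        rec = parse_pan_line(line)
        if rec and rec["type"] == "THREAT":
            counts[(rec["subtype"], rec["severity"])] += 1
    return dict(counts)
```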