Sumo Logic

Collect Logs for Palo Alto Networks 8

Collect logs for the Palo Alto Networks 8 app.

This page has instructions for collecting logs for the Palo Alto Networks 8 app.

Log Types

Parsing in the Sumo Logic app for PAN 8 is based on the PAN-OS Syslog integration, which is described in the PAN-OS Syslog Integration document.

Prerequisites/Requirements

Configure a collector and source

In this step you configure an installed collector with a Syslog source that acts as a Syslog server to receive logs and events from Palo Alto Networks 8 devices.

  1. Configure an Installed Collector
  2. Add a Syslog source to the installed collector:
    1. Name. (Required) A name for the source.
    2. Description. Optional.
    3. Protocol. UDP or TCP. Choose the protocol you configured in Palo Alto Networks 8 for Syslog monitoring.
    4. Port. The port number you configured in Palo Alto Networks 8 for Syslog monitoring.
    5. Source Category. (Required) The Source Category metadata field is a fundamental building block for organizing and labeling Sources. For details, see Best Practices.
    6. Click Save.

Field Extraction Rules

System Log Parsing

_sourceCategory=Loggen/PAN/System ",SYSTEM,"
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as vsys, 9 as eventID, 10 as Object, 11 as f3, 12 as f4, 13 as Module, 14 as severity, 15 as description, 16 as seqNum, 17 as action_flags, 18 as Device_Group_Hierarchy, 19 as vsys_name, 20 as DeviceName

Threat Log parsing

_sourceCategory=Loggen/PAN/Threat THREAT
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as dest_ip, 10 as NAT_src_ip, 11 as NAT_dest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as inbound_interface, 20 as outbound_interface, 21 as LogAction, 22 as f3, 23 as SessionID, 24 as RepeatCount, 25 as src_port, 26 as dest_port, 27 as NAT_src_port, 28 as NAT_dest_port, 29 as flags, 30 as protocol, 31 as action, 32 as urlORFileName, 33 as Threat_Content_Name, 34 as category, 35 as severity, 36 as direction, 37 as seqNum, 38 as action_flags, 39 as src_country, 40 as dest_country, 41 as f4, 42 as content_type, 43 as pcap_id, 44 as filedigest, 45 as cloud, 46 as url_idx, 47 as user_agent, 48 as filetype, 49 as xff, 50 as referer, 51 as sender, 52 as subject, 53 as recipient, 54 as reportid, 55 as Device_Group_Hierarchy, 56 as vsys_name, 57 as DeviceName, 58 as f5, 59 as Source_VM_UUID, 60 as Destination_VM_UUID, 61 as Parent_Session_ID, 62 as Tunnel_ID_IMSI, 63 as Monitor_Tag_IMEI, 64 as method, 65 as parent_start_time, 66 as Tunnel, 67 as thr_category, 68 as contentver, 69 as f6, 70 as SCTP_Association_ID, 71 as Payload_Protocol_ID, 72 as http_headers

Correlation Log Parsing

_sourceCategory=Loggen/PAN/Correlation ",CORRELATION,"
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as src_user, 10 as vsys, 11 as Category, 12 as Severity, 13 as Device_Group_Hierarchy, 14 as vsys_name, 15 as DeviceName, 16 as vSysID, 17 as Object_Name, 18 as Object_ID, 19 as Evidence

Configuration Log Parsing

_sourceCategory=Loggen/PAN/Config ",CONFIG,"
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as src_user, 10 as cmd, 11 as admin, 12 as client, 13 as result, 14 as path, 15 as seqno, 16 as action_flags, 17 as vsys, 18 as before_change_detail, 19 as after_change_detail, 20 as Device_Group_Hierarchy, 21 as vsys_name, 22 as DeviceName

TrapsV4 Log Parsing

_sourceCategory=Loggen/PAN/TrapsV4 CEF "|Palo Alto Networks|"
| parse "CEF:0|Palo Alto Networks|*|*|*|Agent|*|rt=* dhost=* duser=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, dhost, duser, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|Policy|*|rt=* shost=* suser=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, shost, suser, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|System|*|rt=* shost=* suser=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, shost, suser, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|System|*|rt=* shost=* duser=* management core fname=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, shost, duser, fname, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|Config|*|rt=* shost=* suser=* dhost=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, shost, suser, dhost, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|Agent|*|rt=* dhost=* duser=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, dhost, duser, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|Agent|*|rt=* shost=* suser=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, shost, suser, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|Agent|*|rt=* dhost=* duser=* deviceProcessName=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, dhost, duser, deviceProcessName, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|Agent|*|rt=* dhost=* duser=* cs4Label=* cs4=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, dhost, duser, cs4Label, cs4, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|Threat|*|rt=* shost=* duser=* cs2Label=* cs2=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, shost, duser, cs2Label, cs2, msg nodrop
| parse "CEF:0|Palo Alto Networks|*|*|*|Threat|*|rt=* dhost=* duser=* cs2Label=* cs2=* deviceProcessName=* fileHash=* cs3Label=* cs3=* dvc=* msg=*" as TrapsComponent, productVersion, event, ExternalSeverity, rt, dhost, duser, cs2Label, cs2, deviceProcessName, fileHash, cs3Label, cs3, dvc, msg nodrop
| parse field = msg "Agent Service Status Changed: *-> *" as oldStatus, newStatus nodrop
| parse field = msg " received new content- version *" as contentVersion nodrop
| parse field = msg "Content version was * to * successfully" as action, contentVersion nodrop
| parse field = msg "Access Violation- child process: *" as childProcess nodrop
| parse field = msg "New Notification event. Prevention Key: *" as preventionKey nodrop
| parse field = cs2 "WildFire Unknown deviceProcessName=* fileHash=*" as deviceProcessName, fileHash nodrop

Traffic Log Parsing

_sourceCategory=Loggen/PAN/Traffic TRAFFIC
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as dest_ip, 10 as NAT_src_ip, 11 as NAT_dest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as inbound_interface, 20 as outbound_interface, 21 as LogAction, 22 as f3, 23 as SessionID, 24 as RepeatCount, 25 as src_port, 26 as dest_port, 27 as NAT_src_port, 28 as NAT_dest_port, 29 as flags, 30 as protocol, 31 as action, 32 as bytes, 33 as bytes_sent, 34 as bytes_recv, 35 as Packets, 36 as StartTime, 37 as ElapsedTime, 38 as Category, 39 as f4, 40 as seqNum, 41 as ActionFlags, 42 as src_Country, 43 as dest_country, 44 as pkts_sent, 45 as pkts_received, 46 as session_end_reason, 47 as Device_Group_Hierarchy, 48 as vsys_Name, 49 as DeviceName, 50 as action_source, 51 as Source_VM_UUID, 52 as Destination_VM_UUID, 53 as Tunnel_ID_IMSI, 54 as Monitor_Tag_IMEI, 55 as Parent_Session_ID, 56 as parent_start_time, 57 as Tunnel, 58 as SCTP_Association_ID, 59 as SCTP_Chunks, 60 as SCTP_Chunks_Sent, 61 as SCTP_Chunks_Received


Sample Log Messages

Config Log Sample

Sep 05 12:30:11 SumoStg05 1,2018/09/05 12:30:11,012345678902,CONFIG,0,0,2018/09/05 12:30:11,34.75.147.122,,commit-all,duc,Panorama,Succeeded,,0123456789,0x8000000000000000,0,0,0,0,,SumoStg05

Correlation Log Sample

Sep 05 12:00:22 1,2018/09/05 12:00:22,012345678902,CORRELATION,,,2018/09/05 12:00:22,11.95.8.142,npande,,compromised-host,medium,0,0,0,0,,us2,,beacon-heuristics,6005,"Host visited known malware URL (100 times).

System Log Sample

Sep 05 12:40:15 SumoQA01a 0,2018/09/05 12:40:15,012345678902,SYSTEM,url-filtering,0,2018/09/05 12:40:15,,upgrade-url-database-success,,0,0,general,informational,PAN-DB was upgraded to version 20170529.40084.,538241,0x8000000000000000,0,0,0,0,,SumoQA01a

Threat Log Sample

Sep 05 12:44:11 SumoStg05 0,2018/09/05 12:44:11,012345678902,THREAT,vulnerability,0,2018/09/05 12:44:11,174.234.40.32,240.84.174.144,,,General Web Infrastructure,,duc,web-browsing,vsys1,z2-FW-Sumo-Internal,inside,ethernet1/2,ethernet1/2,LOGreset-both,2018/09/05 12:44:11,320228,1,80,1296,0,0,0x2000,tcp,alert,"adcount.ohmynews.com/js.kti/ohmynews2007/article70@thumbnail3",Suspicious Abnormal HTTP Response Found(40397),news,informational,server-to-client,1077387368,0x8000000000000000,India,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,31,43,0,0,,us3,,,,,0,,0,,N/A,protocol-anomaly,AppThreat-52239-48642,0x0

Traffic Log Sample

Sep 05 12:45:15 SumoStg05 0,2018/09/05 12:45:15,012345678901,TRAFFIC,end,0,2018/09/05 12:45:15,182.80.119.50,176.164.175.181,,,Unexpected Traffic,,npande,ping,vsys3,z1-FW-Transit,z3-Sumo-DMZ,ethernet1/2,ethernet1/2,LOGreset-both,2018/09/05 12:45:15,9434,1,0,0,0,0,0x100064,icmp,allow,122,122,0,1,2018/09/05 12:45:15,0,any,0,5134220147,0x8000000000000000,United States,10.0.0.0-10.255.255.255,0,1,0,aged-out,31,42,0,0,,SumoStg05,from-policy,,,0,,0,,N/A

Traps V4 Sample

Sep 05 12:30:15 Host CEF:0|Palo Alto Networks|Traps Agent|3.4.3.19949|Client License Request|Agent|3|rt=Sep 05 12:30:15 dhost=preprod_Linux_SumoQA01a duser=administrator msg=New license request

Query Sample

Virus Threats

_sourceCategory=Loggen/PAN/Threat THREAT (virus or "wildfire-virus")
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as dest_ip, 10 as NAT_src_ip, 11 as NAT_dest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as inbound_interface, 20 as outbound_interface, 21 as LogAction, 22 as f3, 23 as SessionID, 24 as RepeatCount, 25 as src_port, 26 as dest_port, 27 as NAT_src_port, 28 as NAT_dest_port, 29 as flags, 30 as protocol, 31 as action, 32 as urlORFileName, 33 as Threat_Content_Name, 34 as category, 35 as severity, 36 as direction, 37 as seqNum, 38 as action_flags, 39 as src_country, 40 as dest_country, 41 as f4, 42 as content_type, 43 as pcap_id, 44 as filedigest, 45 as cloud, 46 as url_idx, 47 as user_agent, 48 as filetype, 49 as xff, 50 as referer, 51 as sender, 52 as subject, 53 as recipient, 54 as reportid, 55 as Device_Group_Hierarchy, 56 as vsys_name, 57 as DeviceName, 58 as f5, 59 as Source_VM_UUID, 60 as Destination_VM_UUID, 61 as Parent_Session_ID, 62 as Tunnel_ID_IMSI, 63 as Monitor_Tag_IMEI, 64 as method, 65 as parent_start_time, 66 as Tunnel, 67 as thr_category, 68 as contentver, 69 as f6, 70 as SCTP_Association_ID, 71 as Payload_Protocol_ID, 72 as http_headers
| where type = "THREAT" and subtype in ("virus","wildfire-virus") and severity != "informational"
| count as eventCount by severity
| sort by eventCount, severity
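As an added example, not code from the Sumo Logic app or this page, the following Python reproduces offline what the Threat field extraction rule's positional `csv _raw extract` mapping and the Virus Threats query above do, so the column numbering and the subtype/severity filter can be checked against constructed sample lines in the page's Threat column layout. The functions `csv_extract`, `virus_threat_counts`, `_sample_line` and all sample values are assumptions made here for illustration.

```python
import csv
from collections import Counter
# First 36 column names from this page's Threat FER (SessionID spelling fixed).
THREAT_FIELDS = [
    "f1", "Receive_Time", "serialNum", "type", "subtype", "f2", "LogGenerationTime",
    "src_ip", "dest_ip", "NAT_src_ip", "NAT_dest_ip", "ruleName", "src_user",
    "dest_user", "app", "vsys", "src_zone", "dest_zone", "inbound_interface",
    "outbound_interface", "LogAction", "f3", "SessionID", "RepeatCount", "src_port",
    "dest_port", "NAT_src_port", "NAT_dest_port", "flags", "protocol", "action",
    "urlORFileName", "Threat_Content_Name", "category", "severity", "direction",
]

def csv_extract(raw, names):
    """Mimic `csv _raw extract 1 as ..., N as ...`: split the whole syslog line on
    commas (quoted fields stay intact) and label columns by position; column 1 is
    the syslog header plus PAN-OS's leading 'future use' field, hence f1."""
    cols = next(csv.reader([raw]))
    return dict(zip(names, cols))  # a short line simply lacks the later names

def virus_threat_counts(raw_lines):
    """The page's Virus Threats query: THREAT rows with subtype virus or
    wildfire-virus and non-informational severity, counted by severity and
    sorted by eventCount, severity (Sumo Logic sorts descending by default)."""
    counts = Counter()
    for raw in raw_lines:
        f = csv_extract(raw, THREAT_FIELDS)
        if (f.get("type") == "THREAT"
                and f.get("subtype") in ("virus", "wildfire-virus")
                and f.get("severity") != "informational"):
            counts[f["severity"]] += 1
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]), reverse=True)

def _sample_line(subtype, severity, log_type="THREAT"):
    """Constructed 36-column line in the page's Threat layout (sample data);
    the URL field carries a comma to show that quoted fields survive."""
    return ("Sep 05 12:50:01 SumoStg05 0,2018/09/05 12:50:01,012345678902,"
            f"{log_type},{subtype},0,2018/09/05 12:50:01,10.1.2.3,10.4.5.6,,,"
            "Block Malware,,duc,web-browsing,vsys1,inside,outside,ethernet1/1,"
            "ethernet1/2,LOGreset-both,2018/09/05 12:50:01,320229,1,51234,80,"
            '0,0,0x2000,tcp,drop,"example.test/dl?a=1,b=2",'
            f"Constructed-Sig(1),unknown,{severity},server-to-client")

SAMPLE = [
    _sample_line("vulnerability", "informational"),  # wrong subtype: excluded
    _sample_line("virus", "informational"),          # informational: excluded
    _sample_line("virus", "medium"),
    _sample_line("wildfire-virus", "medium"),
    _sample_line("wildfire-virus", "high"),
]
```

Running `virus_threat_counts(SAMPLE)` yields `[('medium', 2), ('high', 1)]`, the same rows the Sumo Logic query would return for these events.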