Skip to main content
Sumo Logic

Collect Logs for Palo Alto Networks 8

Collect logs for the Palo Alto Networks 8 app.

This page has instructions for collecting logs for the Palo Alto Networks 8 app.

Log Types

Parsing in the Sumo Logic app for PAN 8  is based on the PAN-OS Syslog integration, which is described in this document: PAN-OS Syslog Integration

Prerequisites/Requirements

Configure a collector and source

In this step you configure a installed collector with a Syslog source that will act as Syslog server to receive logs and events from Palo Alto Networks 8 devices.

  1. Configure an Installed Collector
  2. Add a Syslog source to the installed collector:
    1. Name. (Required) A name is required.
    2. Description. Optional.
    3. Protocol. UDP or TCP.  Choose the protocol you configured in Palo Alto Networks 8 for Syslog monitoring.
    4. Port. Port number. Choose the port you configured in Palo Alto Networks 8 for Syslog monitoring.
    5. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. For details see Best Practices.
    6. Click Save

Field Extraction Rules

When creating a Field Extraction Rule, you have the option to select from a template for Palo Alto Networks.

 

Sample Log Messages

Config Log Sample 

Sep 05 12:30:11 SumoStg05 1,2018/09/05 12:30:11,012345678902,CONFIG,0,0,2018/09/05 12:30:11,34.75.147.122,,commit-all,duc,Panorama,Succeeded,,0123456789,0x8000000000000000,0,0,0,0,,SumoStg05

Correlation Log Sample 

Sep 05 12:00:22 1,2018/09/05 12:00:22,012345678902,CORRELATION,,,2018/09/05 12:00:22,11.95.8.142,npande,,compromised-host,medium,0,0,0,0,,us2,,beacon-heuristics,6005,"Host visited known malware URL (100 times).

System Log Sample 

Sep 05 12:40:15 SumoQA01a 0,2018/09/05 12:40:15,012345678902,SYSTEM,url-filtering,0,2018/09/05 12:40:15,,upgrade-url-database-success,,0,0,general,informational,PAN-DB was upgraded to version 20170529.40084.,538241,0x8000000000000000,0,0,0,0,,SumoQA01a

Threat Log Sample 

Sep 05 12:44:11 SumoStg05 0,2018/09/05 12:44:11,012345678902,THREAT,vulnerability,0,2018/09/05 12:44:11,174.234.40.32,240.84.174.144,,,General Web Infrastructure,,duc,web-browsing,vsys1,z2-FW-Sumo-Internal,inside,ethernet1/2,ethernet1/2,LOGreset-both,2018/09/05 12:44:11,320228,1,80,1296,0,0,0x2000,tcp,alert,"adcount.ohmynews.com/js.kti/ohmynews2007/article70@thumbnail3",Suspicious Abnormal HTTP Response Found(40397),news,informational,server-to-client,1077387368,0x8000000000000000,India,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,31,43,0,0,,us3,,,,,0,,0,,N/A,protocol-anomaly,AppThreat-52239-48642,0x0

Traffic Log Sample

Sep 05 12:45:15 SumoStg05 0,2018/09/05 12:45:15,012345678901,TRAFFIC,end,0,2018/09/05 12:45:15,182.80.119.50,176.164.175.181,,,Unexpected Traffic,,npande,ping,vsys3,z1-FW-Transit,z3-Sumo-DMZ,ethernet1/2,ethernet1/2,LOGreset-both,2018/09/05 12:45:15,9434,1,0,0,0,0,0x100064,icmp,allow,122,122,0,1,2018/09/05 12:45:15,0,any,0,5134220147,0x8000000000000000,United States,10.0.0.0-10.255.255.255,0,1,0,aged-out,31,42,0,0,,SumoStg05,from-policy,,,0,,0,,N/A

Traps V4 Sample

Sep 05 12:30:15 Host CEF:0|Palo Alto Networks|Traps Agent|3.4.3.19949|Client License Request|Agent|3|rt=Sep 05 12:30:15 dhost=preprod_Linux_SumoQA01a duser=administrator msg=New license request
 

Query Sample

Virus Threats

_sourceCategory=Loggen/PAN/Threat THREAT (virus or "wildfire-virus")
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as dest_ip, 10 as NAT_src_ip, 11 as NAT_dest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as inbound_interface, 20 as outbound_interface, 21 as LogAction, 22 as f3, 23 as SessonID, 24 as RepeatCount, 25 as src_port, 26 as dest_port, 27 as NAT_src_port, 28 as NAT_dest_port, 29 as flags, 30 as protocol, 31 as action, 32 as urlORFileName, 33 as Threat_Content_Name, 34 as category, 35 as severity, 36 as direction, 37 as seqNum, 38 as action_flags, 39 as src_country, 40 as dest_country, 41 as f4, 42 as content_type, 43 as pcap_id, 44 as filedigest, 45 as cloud, 46 as url_idx, 47 as user_agent, 48 as filetype, 49 as xff, 50 as referer, 51 as sender, 52 as subject, 53 as recipient, 54 as reportid, 55 as Device_Group_Hierarchy, 56 as vsys_name, 57 as DeviceName, 58 as f5, 59 as Source_VM_UUID, 60 as Destination_VM_UUID, 61 as Parent_Session_ID, 62 as Tunnel_ID_IMSI, 63 as Monitor_Tag_IMEI, 64 as method, 65 as parent_start_time, 66 as Tunnel, 67 as thr_category, 68 as contentver, 69 as f6, 70 as SCTP_Association_ID, 71 as Payload_Protocol_ID, 72 as http_headers
| where type = "THREAT" and subtype in ("virus","wildfire-virus") and severity != "informational"
| count as eventCount by Severity
| sort by eventCount, Severity