
    Palo Alto Endpoint Security Manager

    The JSA DSM for Palo Alto Endpoint Security Manager (Traps) collects events from a Palo Alto Endpoint Security Manager (Traps) device.

    The following table describes the specifications for the Palo Alto Endpoint Security Manager DSM:

    Table 1: Palo Alto Endpoint Security Manager DSM specifications

    Specification                 Value
    ---------------------------   ------------------------------------------------------------------------
    Manufacturer                  Palo Alto Networks
    DSM name                      Palo Alto Endpoint Security Manager
    RPM file name                 DSM-PaloAltoEndpointSecurityManager-JSA_version-build_number.noarch.rpm
    Supported versions            3.4.2.17401
    Protocol                      Syslog
    Event format                  Log Event Extended Format (LEEF), Common Event Format (CEF)
    Recorded event types          Agent, Config, Policy, System, Threat
    Automatically discovered?     Yes
    Includes identity?            No
    Includes custom properties?   No
    More information              Palo Alto Networks website (https://www.paloaltonetworks.com)

    To integrate Palo Alto Endpoint Security Manager with JSA, complete the following steps:

    1. If automatic updates are not enabled, download and install the most recent version of the following RPMs, in the order that they are listed, on your JSA console:

      • DSMCommon RPM

      • Palo Alto Endpoint Security Manager DSM RPM

    2. Configure your Palo Alto Endpoint Security Manager device to send syslog events to JSA.

    3. If JSA does not automatically detect the log source, add a Palo Alto Endpoint Security Manager log source on the JSA console. The following table describes the parameters that require specific values for Palo Alto Endpoint Security Manager event collection:

      Table 2: Palo Alto Endpoint Security Manager log source parameters

      Parameter                 Value
      -----------------------   -------------------------------------------
      Log Source type           Palo Alto Endpoint Security Manager
      Protocol Configuration    Syslog
      Log Source Identifier     A unique identifier for the log source.

    4. To verify that JSA is configured correctly, compare an incoming event with the parsed sample in the following table.

      Table 3: Palo Alto Endpoint Security Manager sample message

      Event name:          New Hash Added
      Low level category:  Successful Configuration Modification
      Sample log message:
        LEEF:1.0|Palo Alto Networks|Traps ESM|3.4.2.17401|New Hash Added|cat=Policy subtype=New Hash Added devTimeFormat=MMM dd yyyy HH:mm:ss devTime=Nov 03 2016 18:43:57 src=1.1.1.1 shost=hostname suser= fileHash=3afc065fa2f611ba3865397efd2cac229a387eb2c1d7b650317f2df7359b9da3 NewVerdict=Benign msg=New hash added sev=6
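      The following parser is an added example, not code from the JSA DSM or from Palo Alto Networks. It takes the Table 3 sample and shows what a collector has to get right with this event: the five pipe-separated LEEF 1.0 header fields, attribute values that contain spaces (subtype, devTime, msg), the empty suser value, the devTime that must be parsed with the pattern carried in devTimeFormat, and a check that fileHash is a well-formed SHA-256. The event-name to low-level-category mapping is the one Table 3 documents; everything else is an assumption of this example.

```python
"""Parse and sanity-check a Traps ESM LEEF 1.0 event the way a collector
would.  Added example; not code from the JSA DSM or from Palo Alto Networks.
The sample line is the one from Table 3 of this page."""
import re
from datetime import datetime

# Sample event from Table 3 (the SHA-256 in fileHash as one token).
SAMPLE = ("LEEF:1.0|Palo Alto Networks|Traps ESM|3.4.2.17401|New Hash Added|"
          "cat=Policy subtype=New Hash Added devTimeFormat=MMM dd yyyy HH:mm:ss "
          "devTime=Nov 03 2016 18:43:57 src=1.1.1.1 shost=hostname suser= "
          "fileHash=3afc065fa2f611ba3865397efd2cac229a387eb2c1d7b650317f2df7359b9da3 "
          "NewVerdict=Benign msg=New hash added sev=6")

# Event name -> JSA low-level category, as documented in Table 3.
LOW_LEVEL_CATEGORY = {"New Hash Added": "Successful Configuration Modification"}

# Java-style date pattern letters (what devTimeFormat carries) -> strptime.
# Longer tokens are rewritten first so "MMM" is handled before "mm".
_JAVA_TO_STRPTIME = [("yyyy", "%Y"), ("MMM", "%b"), ("dd", "%d"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]

# A key is a run of name characters followed by '=' at the start of the
# extension or after whitespace (space here; LEEF also allows tab).  A value
# runs up to the next such key, which lets "subtype=New Hash Added" keep its
# embedded spaces.  A value containing " word=" would be split; ESM does not
# emit such values in the documented event types.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_extension(ext: str) -> dict:
    """Turn the LEEF attribute section into a dict; empty values stay ''."""
    attrs = {}
    matches = list(_KEY.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        attrs[m.group(1)] = ext[m.end():end].strip()
    return attrs


def parse_leef(line: str) -> dict:
    """Split a LEEF 1.0 line into its five header fields plus attributes."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    return {"version": parts[0], "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4],
            "attrs": parse_extension(parts[5])}


def parse_dev_time(attrs: dict) -> datetime:
    """Parse devTime with the pattern the event itself supplies."""
    fmt = attrs["devTimeFormat"]
    for java, py in _JAVA_TO_STRPTIME:
        fmt = fmt.replace(java, py)
    return datetime.strptime(attrs["devTime"], fmt)


def is_sha256(value: str) -> bool:
    """True when the value is 64 hex digits, i.e. a plausible SHA-256."""
    return bool(_SHA256.match(value))


def summarize(line: str) -> dict:
    """The fields an analyst checks first: category, verdict, time, hash."""
    ev = parse_leef(line)
    a = ev["attrs"]
    return {"event_id": ev["event_id"],
            "low_level_category": LOW_LEVEL_CATEGORY.get(ev["event_id"], "Unknown"),
            "category": a.get("cat"), "verdict": a.get("NewVerdict"),
            "host": a.get("shost"), "source_ip": a.get("src"),
            "time": parse_dev_time(a).isoformat(),
            "hash_is_sha256": is_sha256(a.get("fileHash", "")),
            "severity": int(a.get("sev", 0))}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:20} {value}")
```

      Running the script prints the summary for the Table 3 event; feeding it a line captured from the JSA log source shows immediately whether the header, the timestamp pattern and the hash field are arriving the way the DSM expects them.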

    Configuring Palo Alto Endpoint Security Manager to communicate with JSA

    Before JSA can collect events from Palo Alto Endpoint Security Manager, you must configure Palo Alto Endpoint Security Manager to send events to JSA.

    1. Log in to the Endpoint Security Manager (ESM) Console.
    2. Click Settings > ESM.
    3. Click Syslog, and then select Enable Syslog.
    4. Configure the syslog parameters:

      Parameter                      Value
      ----------------------------   -----------------------------------------------------------------------
      Syslog Server                  Host name or IP address of the JSA server.
      Syslog Port                    514
      Syslog Protocol                LEEF
      Keep-alive-timeout             0
      Send reports interval          Frequency, in minutes, at which Traps sends logs from the endpoint. The default is 10. The range is 1 - 2,147,483,647.
      Syslog Communication Protocol  Transport-layer protocol that the ESM Console uses to send syslog reports: UDP, TCP, or TCP with SSL.

    5. In the Logging Events area, select the types of events that you want to send to JSA.
    6. Click Check Connectivity. The ESM Console sends a test communication to the syslog server by using the information on the Syslog page. If the test message is not received, verify that the settings are correct, and then try again.
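    The script below is an added example, not Juniper or Palo Alto Networks code; it does from any host what Check Connectivity does from the ESM Console, so the path to the collector (port 514, the transport chosen in step 4) can be tested independently of the GUI. The collector host, port and the test event text are assumptions, and the loopback listener stands in for a real JSA event collector. It also makes the practical difference between the transports visible: a UDP send reports success as soon as the datagram leaves the host, so only the JSA log source shows whether it arrived, whereas a TCP send fails outright when nothing is listening. TCP with SSL is not covered here.

```python
"""Send one syslog-framed LEEF event to a collector over UDP or TCP.
Added example; not Juniper or Palo Alto Networks code.  Host, port and the
event text are assumptions; loopback_check() replaces a real collector."""
import socket

# Constructed test event in the same LEEF 1.0 layout as the Traps ESM sample.
TEST_EVENT = ("LEEF:1.0|Palo Alto Networks|Traps ESM|3.4.2.17401|Syslog Test|"
              "cat=System msg=connectivity check sev=6")


def frame_syslog(payload: str, facility: int = 1, severity: int = 6) -> bytes:
    """Prefix the payload with an RFC 3164 '<PRI>' header.
    PRI = facility * 8 + severity; facility 1 (user) and severity 6 (info)
    give '<14>', which syslog listeners accept without a timestamp field."""
    return f"<{facility * 8 + severity}>{payload}".encode()


def send_leef(host: str, port: int, payload: str, transport: str = "udp",
              timeout: float = 3.0) -> int:
    """Deliver one event; returns the number of bytes handed to the socket.
    UDP sends a single datagram and cannot tell whether anything listened.
    TCP uses newline-delimited framing, which syslog-over-TCP collectors
    expect, and raises if the connection is refused or times out."""
    data = frame_syslog(payload)
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            return s.sendto(data, (host, port))
    if transport == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data + b"\n")
            return len(data) + 1
    raise ValueError("transport must be 'udp' or 'tcp'")


def loopback_check(transport: str = "udp") -> bytes:
    """Bind a throwaway listener on 127.0.0.1, send TEST_EVENT to it and
    return exactly the bytes that arrived, so the framing can be inspected."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
            srv.bind(("127.0.0.1", 0))
            srv.settimeout(3.0)
            send_leef("127.0.0.1", srv.getsockname()[1], TEST_EVENT, "udp")
            data, _ = srv.recvfrom(65535)
            return data
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(3.0)
        # The handshake completes in the kernel backlog and the bytes are
        # buffered, so sending before accept() is fine for a one-shot check.
        send_leef("127.0.0.1", srv.getsockname()[1], TEST_EVENT, "tcp")
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(3.0)
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf


if __name__ == "__main__":
    # Self-test against the loopback listener.  For a real check, point
    # send_leef() at the collector configured in step 4, e.g.
    # send_leef("JSA_COLLECTOR_PLACEHOLDER", 514, TEST_EVENT, "tcp").
    print(loopback_check("udp"))
    print(loopback_check("tcp"))
```

    After a real send, confirm receipt on the JSA side (the log source should show the event, or a new log source should be auto-discovered); a clean return from the UDP path proves only that the local host could send, not that JSA received.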

    Modified: 2017-05-29