
    Creating a Syslog Destination on Your Palo Alto Device

    To send Palo Alto events to JSA, create a syslog destination on the Palo Alto PA Series device.

    1. Log in to the Palo Alto Networks interface.
    2. Click the Device tab.
    3. Click Server Profiles > Syslog.
    4. Click Add.
    5. Create a syslog destination:
      1. In the Syslog Server Profile dialog box, click Add.

      2. Specify the name, server IP address, port, and facility of the JSA system that you want to use as a syslog server.

      3. Click OK.

    6. Configure LEEF events:

      Note: If you are using syslog, choose the default option.

      Note: Each custom format must be entered as a single line; a line break anywhere in the format causes the configuration to fail. If a format in this guide is wrapped across several lines, copy it into a text editor, remove the line breaks, and paste the result as one line in the Custom Format column.

      1. Click the Custom Log Format tab.

      2. Copy the following text and paste it in the Custom Format column for the Config log type.

        • PAN-OS v3.0 - v6.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$result|cat=$type|usrName=$admin|src=$host|devTime=$cef-formatted-receive_time|client=$client|sequence=$seqno|serial=$serial|msg=$cmd
        • PAN-OS v7.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$result|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|src=$host|VirtualSystem=$vsys|msg=$cmd|usrName=$admin|client=$client|Result=$result|ConfigurationPath=$path|sequence=$seqno|ActionFlags=$actionflags|BeforeChangeDetail=$before-change-detail|AfterChangeDetail=$after-change-detail|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name
      3. Copy the following text and paste it in the Custom Format column for the System log type.

        • PAN-OS v3.0 - v6.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$eventid|cat=$type|subtype=$subtype|devTime=$cef-formatted-receive_time|sev=$severity|Severity=$number-of-severity|msg=$opaque|Filename=$object
        • PAN-OS v7.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|subtype=$subtype|devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|Filename=$object|Module=$module|sev=$number-of-severity|Severity=$severity|msg=$opaque|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name
      4. Copy the following text and paste it in the Custom Format column for the Threat log type.

        • PAN-OS v3.0 - v6.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid|cat=$type|subtype=$subtype|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser|SerialNumber=$serial|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|URLCategory=$category|sev=$severity|Severity=$number-of-severity|Direction=$direction|ContentType=$contenttype|action=$action|Miscellaneous=$misc
        • PAN-OS v7.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|UserAgent=$user_agent|FileType=$filetype|identSrc=$xff|Referer=$referer|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name
      5. Copy the following text and paste it in the Custom Format column for the Traffic log type.

        • PAN-OS v3.0 - v6.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$action|cat=$type|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser|SerialNumber=$serial|Type=$type|Subtype=$subtype|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|totalBytes=$bytes|totalPackets=$packets|ElapsedTime=$elapsed|URLCategory=$category|dstBytes=$bytes_received|srcBytes=$bytes_sent|action=$action
        • PAN-OS v7.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source
      6. Copy the following text and paste it in the Custom Format column for the HIP Match log type. Omit this step if you are using PAN-OS v3.0 - v6.1.

        • PAN-OS v7.1:

          LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identSrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

          Note: DeviceGroupHierarchy and URLIndex fields are included for completeness and consistency. However, these fields are experimental and should be used only for archival purposes.

    7. Click OK.
    8. Specify the severity of events that are contained in the syslog messages.
      1. Click Log Setting > System and then click Edit.

      2. Select the check box for each event severity level that you want contained in the syslog message.

      3. Type the name of the syslog destination.

      4. Click OK.

    9. Click the Device tab and then click Commit.

    To allow communication between your Palo Alto Networks device and JSA, create a forwarding policy. See Creating a Forwarding Policy on Your Palo Alto Device.
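    The custom formats in step 6 are easy to break when they are copied by hand: a line break, a stray space after a `|`, or a dropped `|` between two fields changes the key names that JSA receives. The following script is an added example, not code from Juniper or Palo Alto Networks. It joins a template that has been wrapped across lines, lints the result against the LEEF:1.0 layout these formats use (five `|`-separated header fields, then `key=value` extension fields also separated by `|`), renders the corrected template with constructed sample values, and parses the rendered event back into fields. The threat template fragment, the sample values, and the assumption that an unset `$variable` renders as an empty string are all constructed for this example.

```python
"""Lint PAN-OS custom log format templates and parse a rendered LEEF event.

Added example for this page; not code from Juniper or Palo Alto Networks.
Assumes '|' is the extension delimiter (as in the templates above) and that
an unset $variable renders as an empty string (an assumption for this demo).
"""
import re

# A PAN-OS template variable such as $src or $cef-formatted-receive_time
VAR_RE = re.compile(r"\$[A-Za-z0-9_-]+")
# A LEEF extension field: a bare key, '=', then the value (no leading whitespace)
KV_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*=")
VENDOR = "Palo Alto Networks"


def join_template(text: str) -> str:
    """Join a template that was wrapped across lines back into a single line."""
    return "".join(line.strip() for line in text.splitlines())


def lint_template(template: str) -> list:
    """Return the problems found in a LEEF:1.0 custom format template."""
    problems = []
    parts = template.split("|")
    if len(parts) < 6:
        return ["fewer than five header fields before the first extension field"]
    header, ext = parts[:5], parts[5:]
    if header[0] != "LEEF:1.0":
        problems.append("version field is %r, expected 'LEEF:1.0'" % header[0])
    if header[1] != VENDOR:
        problems.append("vendor field is %r, expected %r" % (header[1], VENDOR))
    for field in ext:
        if not KV_RE.match(field):
            # Catches a leading space (' ReceiveTime=...') or a field with no '='
            problems.append("malformed extension field %r" % field)
            continue
        key, value = field.split("=", 1)
        # A '=' inside a value that holds a $variable usually means the '|'
        # between two fields was lost, e.g. 'SourceZone=$fromDestinationZone=$to'
        if "=" in value and VAR_RE.search(value):
            problems.append("%s: value %r contains '=', probably a missing '|'" % (key, value))
    return problems


def render(template: str, values: dict) -> str:
    """Substitute $variables with sample values to produce the event the firewall would send."""
    return VAR_RE.sub(lambda m: values.get(m.group(0)[1:], ""), template)


def parse_leef(line: str) -> dict:
    """Split a rendered '|'-delimited LEEF:1.0 line into header and extension fields."""
    parts = line.split("|")
    version, vendor, product, prod_version, event_id = parts[:5]
    ext = {}
    for field in parts[5:]:
        key, _, value = field.partition("=")
        ext[key] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": prod_version, "event_id": event_id, "ext": ext}


# Constructed input: a shortened PAN-OS 3.0-6.1 Threat template, wrapped across
# lines the way a copied document might be, with a '|' missing before DestinationZone.
WRAPPED_THREAT_TEMPLATE = """\
LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid|cat=$type
|subtype=$subtype|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto
|usrName=$srcuser|SourceZone=$fromDestinationZone=$to|action=$action
"""

# The same template as a single line with the missing '|' restored.
FIXED_THREAT_TEMPLATE = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid|cat=$type"
    "|subtype=$subtype|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto"
    "|usrName=$srcuser|SourceZone=$from|DestinationZone=$to|action=$action"
)

# Constructed sample values standing in for one threat event (not real data).
SAMPLE_VALUES = {
    "threatid": "example-signature(0)", "type": "THREAT", "subtype": "vulnerability",
    "src": "10.0.0.5", "dst": "192.0.2.10", "sport": "51234", "dport": "443",
    "proto": "tcp", "srcuser": "corp\\alice", "from": "trust", "to": "untrust",
    "action": "reset-both",
}


def demo() -> dict:
    """Lint the wrapped and the corrected template, then parse one rendered event."""
    return {
        "wrapped_problems": lint_template(join_template(WRAPPED_THREAT_TEMPLATE)),
        "fixed_problems": lint_template(FIXED_THREAT_TEMPLATE),
        "event": parse_leef(render(FIXED_THREAT_TEMPLATE, SAMPLE_VALUES)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

    Run the script as-is, or call lint_template() on each of the five formats after pasting them into a text editor, before you commit them on the firewall. Because `|` is both the header delimiter and the extension delimiter in these formats, a value that itself contains `|` (a configuration command in msg=$cmd, or free text in msg=$opaque or Miscellaneous=$misc) shifts every field that follows it; the naive split in parse_leef() shows that effect rather than hiding it.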

    Modified: 2017-09-13