Configuring ArcSight CEF formatted Syslog events on your Palo Alto PA Series Networks Firewall device
Configure your Palo Alto Networks firewall to send ArcSight CEF formatted Syslog events to IBM® QRadar®.
Procedure
- Log in to the Palo Alto Networks interface.
- Click the Device tab.
- Select Server Profiles > Syslog.
- Click Add.
- Specify the name, server IP address, port, and facility of the QRadar system that you want to use as a Syslog server:
  - The Name is the Syslog server name.
  - The Syslog Server is the IP address for the Syslog server.
  - The Transport default is UDP.
  - The Port default is 514.
  - The Facility default is LOG_USER.
- To define a custom format based on the ArcSight CEF for a log type, click the Custom Log Format tab and select any of the listed log types. The listed log types are Config, System, Threat, Traffic, and HIP Match.
- Click OK twice to save your entries, then click Commit.
- To define your own CEF-style formats that use the event mapping table in the ArcSight document Implementing ArcSight CEF, use the following information about defining CEF-style formats:
  - The Custom Log Format tab supports escaping any characters that the CEF defines as special characters. For example, to use a backslash to escape the backslash and equal characters, select the Escaping check box, specify \= as the Escaped Characters and \ as the Escape Character.
  - The following list displays the CEF-style format that was used during the certification process for each log type. These custom formats include all of the fields, in a similar order, that the default Syslog format displays.
  Important: Due to PDF formatting, do not copy and paste the message formats directly into the PAN-OS web interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the web interface.
- Traffic:
  CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno
- Threat:
  CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest
- Config:
  CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno
  Optional: cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail
- System:
  CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$opaque externalId=$seqno cat=$eventid
- HIP Match:
  CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$matchtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno cat=$matchname cs2Label=Operating System cs2=$os
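To check that a firewall really emits the escaping configured above and that the labelled custom fields (cs1Label=Rule cs1=..., cs4Label=Source Zone ...) land where a receiver expects them, the following added example (not IBM's or Palo Alto's code) parses a CEF:0 record in the Traffic format and resolves the labels; the sample event, its addresses, serial and rule name are constructed, and only the \= and \\ extension escapes and the \| header escape are handled.

```python
import re
from typing import Dict, Tuple

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF:0 record into its seven header fields and its extension key/values."""
    # Header: split on pipes not preceded by a backslash (an escaped pipe stays in the value).
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF:0 record")
    header = {n: p.replace("\\|", "|") for n, p in zip(HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    ext: Dict[str, str] = {}
    # Extension: split only on whitespace directly followed by an unescaped 'key='.
    # 'Virtual System' keeps its space because 'System' is not followed by '='.
    for token in re.split(r"\s+(?=[\w.]+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        ext[key] = value.replace("\\=", "=").replace("\\\\", "\\")  # undo \= and \\
    return header, ext


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Add entries keyed by label for labelled custom fields, so cs1Label=Rule cs1=X
    is also reachable as named['Rule']; this is how the formats above carry Rule, zones, etc."""
    named = dict(ext)
    for key, label in ext.items():
        base = key[: -len("Label")]
        if key.endswith("Label") and base in ext:
            named[label] = ext[base]
    return named


# Constructed sample in the Traffic format above (made-up values); the rule name carries an
# escaped '=' and the user name an escaped backslash, as the Escaping option would produce.
SAMPLE_TRAFFIC = (
    "CEF:0|Palo Alto Networks|PAN-OS|6.0.0|end|TRAFFIC|1|"
    "rt=Mar 05 2024 10:15:23 GMT deviceExternalId=0001A0000001 src=10.0.0.5 dst=203.0.113.7 "
    "cs1Label=Rule cs1=allow-web\\=out suser=lab\\\\alice duser=bob app=web-browsing "
    "cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=trust "
    "spt=51234 dpt=443 proto=tcp act=allow flexNumber1Label=Total bytes flexNumber1=5120 "
    "in=1024 out=4096 externalId=12345"
)


def parse_sample() -> Tuple[Dict[str, str], Dict[str, str]]:
    header, ext = parse_cef(SAMPLE_TRAFFIC)
    return header, resolve_labels(ext)
```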
What to do next
For more information about Syslog configuration, see the PAN-OS Administrator's Guide on the Palo Alto Networks website (https://www.paloaltonetworks.com).