Configuring ArcSight CEF formatted Syslog events on your Palo Alto PA Series Networks Firewall device

Configure your Palo Alto Networks firewall to send ArcSight CEF formatted Syslog events to IBM QRadar.

Procedure

  1. Log in to the Palo Alto Networks interface.
  2. Click the Device tab.
  3. Select Server Profiles > Syslog.
  4. Click Add.
  5. Specify the name, server IP address, port, and facility of the QRadar system that you want to use as a Syslog server:
    1. The Name is the Syslog server name.
    2. The Syslog Server is the IP address for the Syslog server.
    3. The Transport default is UDP.
    4. The Port default is 514.
    5. The Faculty default is LOG_USER.
  6. To select any of the listed log types that define a custom format, based on the ArcSight CEF for that log type, complete the following steps:
    1. Click the Custom Log Format tab and select any of the listed log types to define a custom format based on the ArcSight CEF for that log type. The listed log types are Config, System, Threat, Traffic, and HIP Match.
    2. Click OK twice to save your entries, then click Commit.
  7. To define your own CEF-style formats that use the event mapping table that is provided in the ArcSight document, Implementing ArcSight CEF, you can use the following information about defining CEF style formats:
    1. The Custom Log Format tab supports escaping any characters that are defined in the CEF as special characters. For example, to use a backslash to escape the backslash and equal characters, enable the Escaping check box, specify \= as the Escaped Characters and \ as the Escape Character.
    2. The following list displays the CEF-style format that was used during the certification process for each log type. These custom formats include all of the fields, in a similar order, that the default format of the Syslogs display.
      Important: Due to PDF formatting, do not copy and paste the message formats directly into the PAN-OS web interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the web interface.
      Traffic
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno
      Threat
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest
      Config
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno
      Optional: 
      cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail
      System
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$opaque externalId=$seqno cat=$eventid
      HIP Match
      CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$matchtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno cat=$matchname cs2Label=Operating System cs2=$os

What to do next

For more information about Syslog configuration, see the PAN-OS Administrator's Guide on the Palo Alto Networks website (https://www.paloaltonetworks.com).