Ingest Next-Generation Firewall logs using the Syslog collector - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-11-12
Category
Administrator Guide
Abstract

Use the Syslog collector to ingest NGFW logs in CEF format. This method is useful when your firewalls are located in a different region, or bandwidth issues are encountered due to large log size.

Use the Syslog collector to ingest Next-Generation Firewall (NGFW) logs in CEF format. This method is useful when your firewalls are located in a different region, or when bandwidth issues are encountered due to large log size. Logs ingested this way get similar protection, out-of-the-box data modeling, and analytics to logs ingested through Strata Logging Service.

Note

The following procedure provides general information for NGFW and Panorama. For detailed instructions, consult the documentation for your specific devices and Panorama version, to ensure that you have configured log forwarding correctly for all the log types that you want to forward to Cortex XSIAM. The steps below cover only the configuration of the custom log schema (CEF) for a given syslog server; they do not replace the administrator guide's coverage of log forwarding.

Configure the firewall/Panorama for log forwarding to Cortex XSIAM
  1. To configure the device to include its IP address in the header of Syslog messages, select Panorama/Device → Setup → Management, click the Edit icon in the Logging and Reporting Settings section, and navigate to the Log Export and Reporting tab.

  2. From the Syslog HOSTNAME Format menu, select ipv4-address or ipv6-address, and click OK.

  3. Select Device → Server Profiles → Syslog, and click Add.

  4. Enter a server profile Name and Location (Location refers to a virtual system, if the device is enabled for virtual systems).

  5. On the Servers tab of the Syslog Server Profiles window, click Add, and enter the following information for the Syslog server:

    • Name

    • Syslog Server (IP address)

    • Transport (UDP, TCP, or SSL) and Port (default 514 for UDP). UDP syslog is neither encrypted nor acknowledged, so prefer SSL, or at least TCP, when the logs cross an untrusted network or when lost events matter.

    • Facility (default LOG_USER)

  6. Select the Custom Log Format tab and configure the log formats as follows:

    Note

    To avoid the possible effects of line formatting, do not copy/paste the message formats directly into the PAN-OS web interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the web interface.

    Note

    In PAN-OS 10.0 and later, the log formats documented below for the Traffic, Threat, and URL log types exceed the maximum of 2048 characters supported by the Custom Log Format tab on the firewall and Panorama. Select the CEF keys and values you require so that each format stays within 2048 characters. Trim extension key=value pairs you do not need rather than the CEF header fields, which must keep their position.

    Log Type

    Custom Format

    Traffic

    CEF:0|PANW|NGFW_CEF|$sender_sw_version|$subtype|$type|1| __firewall_type=firewall.traffic __timestamp=$start __tz=$high_res_timestamp log_type=$type subtype=$subtype log_time=$cef-formatted-receive_time time_generated=$cef-formatted-time_generated log_source_id=$serial log_source_name=$device_name sequence_no=$seqno source_ip=$src dest_ip=$dst source_port=$sport dest_port=$dport nat_source=$natsrc nat_dest=$natdst nat_source_port=$natsport nat_dest_port=$natdport protocol=$proto action=$action source_user=$srcuser dest_user=$dstuser xff_ip=$xff_ip app=$app app_category=$category_of_app app_sub_category=$subcategory_of_app rule_matched=$rule rule_matched_uuid=$rule_uuid severity=1 vsys=$vsys vsys_name=$vsys_name from_zone=$from to_zone=$to inbound_if=$inbound_if outbound_if=$outbound_if session_id=$sessionid source_device_category=$src_category source_device_profile=$src_profile source_device_model=$src_model source_device_vendor=$src_vendor source_device_osfamily=$src_osfamily source_device_osversion=$src_osversion source_device_mac=$src_mac dest_device_category=$dst_category dest_device_profile=$dst_profile dest_device_model=$dst_model dest_device_vendor=$dst_vendor dest_device_osfamily=$dst_osfamily dest_device_osversion=$dst_osversion dest_device_mac=$dst_mac bytes_sent=$bytes_sent bytes_received=$bytes_received packets_received=$pkts_received packets_sent=$pkts_sent total_time_elapsed=$elapsed session_end_reason=$session_end_reason url_category=$category

    Threat

    CEF:0|PANW|NGFW_CEF|$sender_sw_version|$threatid|$type|$number-of-severity| __firewall_type=firewall.threat __timestamp=$cef-formatted-time_generated __tz=$high_res_timestamp log_type=$type subtype=$subtype log_time=$cef-formatted-receive_time time_generated=$cef-formatted-time_generated log_source_id=$serial log_source_name=$device_name sequence_no=$seqno source_ip=$src dest_ip=$dst source_port=$sport dest_port=$dport nat_source=$natsrc nat_dest=$natdst nat_source_port=$natsport nat_dest_port=$natdport protocol=$proto action=$action source_user=$srcuser dest_user=$dstuser xff=$xff xff_ip=$xff_ip app=$app app_category=$category_of_app app_sub_category=$subcategory_of_app rule_matched=$rule rule_matched_uuid=$rule_uuid severity=$number-of-severity vsys=$vsys vsys_name=$vsys_name from_zone=$from to_zone=$to inbound_if=$inbound_if outbound_if=$outbound_if session_id=$sessionid source_device_category=$src_category source_device_profile=$src_profile source_device_model=$src_model source_device_vendor=$src_vendor source_device_osfamily=$src_osfamily source_device_osversion=$src_osversion source_device_mac=$src_mac dest_device_category=$dst_category dest_device_profile=$dst_profile dest_device_model=$dst_model dest_device_vendor=$dst_vendor dest_device_osfamily=$dst_osfamily dest_device_osversion=$dst_osversion dest_device_mac=$dst_mac misc=$misc threat_id=$threatid threat_name=$threat_name threat_category=$thr_category direction=$direction user_agent=$user_agent

    URL

    CEF:0|PANW|NGFW_CEF|$sender_sw_version|$subtype|$type|$number-of-severity| __firewall_type=firewall.url __timestamp=$cef-formatted-time_generated __tz=$high_res_timestamp log_type=$type subtype=$subtype log_time=$cef-formatted-receive_time time_generated=$cef-formatted-time_generated log_source_id=$serial log_source_name=$device_name sequence_no=$seqno source_ip=$src dest_ip=$dst source_port=$sport dest_port=$dport nat_source=$natsrc nat_dest=$natdst nat_source_port=$natsport nat_dest_port=$natdport protocol=$proto action=$action source_user=$srcuser dest_user=$dstuser xff=$xff xff_ip=$xff_ip app=$app app_category=$category_of_app app_sub_category=$subcategory_of_app rule_matched=$rule rule_matched_uuid=$rule_uuid severity=$number-of-severity vsys=$vsys vsys_name=$vsys_name from_zone=$from to_zone=$to inbound_if=$inbound_if outbound_if=$outbound_if session_id=$sessionid source_device_category=$src_category source_device_profile=$src_profile source_device_model=$src_model source_device_vendor=$src_vendor source_device_osfamily=$src_osfamily source_device_osversion=$src_osversion source_device_mac=$src_mac dest_device_category=$dst_category dest_device_profile=$dst_profile dest_device_model=$dst_model dest_device_vendor=$dst_vendor dest_device_osfamily=$dst_osfamily dest_device_osversion=$dst_osversion dest_device_mac=$dst_mac uri=$misc threat_id=$threatid threat_name=$threat_name threat_category=$thr_category direction=$direction user_agent=$user_agent url_category=$category url_category_list=$url_category_list content_type=$contenttype http_method=$http_method http_headers=$http_headers http2_connection=$http2_connection referer=$referer pcap_id=$pcap_id

    File Data

    CEF:0|PANW|NGFW_CEF|$sender_sw_version|$threatid|$type|$number-of-severity| __firewall_type=firewall.filedata __timestamp=$cef-formatted-time_generated __tz=$high_res_timestamp log_type=$type subtype=$subtype log_time=$cef-formatted-receive_time time_generated=$cef-formatted-time_generated log_source_id=$serial log_source_name=$device_name sequence_no=$seqno source_ip=$src dest_ip=$dst source_port=$sport dest_port=$dport nat_source=$natsrc nat_dest=$natdst nat_source_port=$natsport nat_dest_port=$natdport protocol=$proto action=$action source_user=$srcuser dest_user=$dstuser xff=$xff xff_ip=$xff_ip app=$app app_category=$category_of_app app_sub_category=$subcategory_of_app rule_matched=$rule rule_matched_uuid=$rule_uuid severity=$number-of-severity vsys=$vsys vsys_name=$vsys_name from_zone=$from to_zone=$to inbound_if=$inbound_if outbound_if=$outbound_if session_id=$sessionid source_device_category=$src_category source_device_profile=$src_profile source_device_model=$src_model source_device_vendor=$src_vendor source_device_osfamily=$src_osfamily source_device_osversion=$src_osversion source_device_mac=$src_mac dest_device_category=$dst_category dest_device_profile=$dst_profile dest_device_model=$dst_model dest_device_vendor=$dst_vendor dest_device_osfamily=$dst_osfamily dest_device_osversion=$dst_osversion dest_device_mac=$dst_mac misc=$misc threat_id=$threatid threat_name=$threat_name threat_category=$thr_category direction=$direction user_agent=$user_agent file_url=$file_url filedigest=$filedigest filetype=$filetype pcap_id=$pcap_id

  7. On the same tab, configure the Escaping settings as follows:

    • Escaped Characters: \=

    • Escape Character: \

    With these settings the firewall prefixes every backslash and equals sign in a field value with a backslash, so that an = inside free-text fields such as misc, uri, or user_agent is not read by the collector as the start of a new key=value pair.

    [Figure: Syslog server profile settings for NGFW log collection]
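The following Python script is an added example, not Palo Alto Networks code. It models what the firewall does with a Custom Log Format template (substitute the $variables, escape the configured characters, emit one CEF line) and what the collector must do to read the line back. It uses a shortened, constructed form of the Threat template above and constructed field values; it assumes that the Escaping settings apply to every substituted value (the page does not say which fields they cover), and its length check mirrors the 2048-character limit noted above. Rendering the same record with escaping disabled shows the failure the settings prevent: an equals sign inside the free-text misc field is read as a new key.

```python
"""Render and parse PAN-OS-style custom CEF syslog lines (added example).

Not Palo Alto Networks code. The template, the field values and the assumption
that the Escaping settings apply to every substituted value are constructed
for this illustration.
"""
import re

# PAN-OS variable names may contain hyphens, e.g. $cef-formatted-receive_time.
_VAR = re.compile(r"\$([A-Za-z0-9_-]+)")
# A space followed by a run of word characters and '=' separates two extension
# pairs. An escaped '\=' inside a value never matches, because the backslash
# is not a word character.
_PAIR_BOUNDARY = re.compile(r" (?=[A-Za-z0-9_]+=)")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
_ESCAPE_SEQ = re.compile(r"\\(.)")

MAX_TEMPLATE_LEN = 2048  # Custom Log Format field limit on PAN-OS 10.0 and later
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")


def template_fits(template: str, limit: int = MAX_TEMPLATE_LEN) -> bool:
    """True if the template can be entered in the Custom Log Format tab."""
    return len(template) <= limit


def escape_value(value: str, escaped_chars: str = "\\=",
                 escape_char: str = "\\") -> str:
    """Apply the profile's Escaping settings: prefix each listed character."""
    return "".join(escape_char + ch if ch in escaped_chars else ch
                   for ch in value)


def render_cef(template: str, fields: dict, escaped_chars: str = "\\=") -> str:
    """Substitute $variables with escaped values; unknown variables become ''."""
    return _VAR.sub(
        lambda m: escape_value(str(fields.get(m.group(1), "")), escaped_chars),
        template)


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields and an extension dict."""
    parts = _UNESCAPED_PIPE.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    header = dict(zip(HEADER_FIELDS,
                      (_ESCAPE_SEQ.sub(r"\1", p) for p in parts[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    extension = {}
    for pair in _PAIR_BOUNDARY.split(parts[7].strip()):
        key, _, value = pair.partition("=")
        extension[key] = _ESCAPE_SEQ.sub(r"\1", value)
    return {"header": header, "extension": extension}


# Constructed, shortened form of the Threat template above: the same header
# layout, a few of the extension keys, and misc, which carries free text.
THREAT_TEMPLATE = (
    "CEF:0|PANW|NGFW_CEF|$sender_sw_version|$threatid|$type|$number-of-severity| "
    "__firewall_type=firewall.threat __timestamp=$cef-formatted-time_generated "
    "log_source_id=$serial source_ip=$src dest_ip=$dst dest_port=$dport "
    "action=$action rule_matched=$rule misc=$misc threat_name=$threat_name"
)

# Constructed field values, not captured from a device. misc deliberately
# contains both characters the Escaping settings cover ('=' and '\').
SAMPLE_FIELDS = {
    "sender_sw_version": "10.2.4",
    "threatid": "86235",
    "type": "THREAT",
    "number-of-severity": "7",
    "cef-formatted-time_generated": "Jul 16 2024 10:15:03 UTC",
    "serial": "0123456789",
    "src": "10.1.1.25",
    "dst": "203.0.113.9",
    "dport": "443",
    "action": "reset-both",
    "rule": "allow-web",
    "misc": "cmd=whoami path=C:\\Temp\\a.exe",
    "threat_name": "Command Injection",
}

if __name__ == "__main__":
    assert template_fits(THREAT_TEMPLATE)
    good = render_cef(THREAT_TEMPLATE, SAMPLE_FIELDS)
    print(good)
    print("escaped misc   :", parse_cef(good)["extension"]["misc"])
    # With the Escaping settings left empty, the '=' inside misc starts a bogus
    # 'path' key and misc is truncated: the collector's field mapping breaks.
    bad = render_cef(THREAT_TEMPLATE, SAMPLE_FIELDS, escaped_chars="")
    print("unescaped misc :", parse_cef(bad)["extension"]["misc"])
```

Run the script as-is to see the two rendered lines side by side. The same template_fits check can be applied to the full Traffic, Threat, and URL formats above before pasting them into the web interface, and parse_cef is a convenient way to confirm, from a captured line, that every key you kept survives the round trip.
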
Configure Syslog collection

Set up a Syslog collector for the logs, as explained in Activate Syslog Collector. In Task 4 of that procedure, ensure that you set Format to CEF.