Skip to main content

Palo Alto Networks

Palo Alto Networks provides advanced protection, security and consistency across locations and clouds. This integration allows you to send logs from your Palo Alto Networks applications to your Logz.io SIEM account.

Guided configuration

Before you begin, you'll need:

Configure the firewall to forward logs to Filebeat

You'll need to configure your firewall to forward logs to your Filebeat server at port 6514 over UDP.

In your PAN-OS admin console, click the Device tab, and then select Server Profiles > Syslog from the left menu.

Click the Add button to open the Syslog Server Profile dialog, and give your profile a descriptive Name that includes "logzio".

Click Add to add a new server. Give your new server these settings:

  • Name: We recommend including "Filebeat" in the name.
  • Syslog Server: The IP address of your Filebeat server.
  • Transport: UDP
  • Port: 6514
  • Format: BSD
  • Facility: Leave as "LOG_USER"

Click OK to save the profile.

For more information, see Configure Syslog Monitoring from Palo Alto Networks.

Configure syslog forwarding

Click the Objects tab, and then select Log Forwarding from the left menu.

Click the Add button to open the Log Forwarding Profile dialog. Give your profile a Name and optional Description.

Click the Add button to open the Log Forwarding Profile Match List dialog. Choose a Log Type, and paste that log type in the Name box.

In the Syslog panel, click Add, and choose the server profile you created in step 1.

Click OK to save this log type.

Repeat this process for each log type you plan to send to Filebeat.

Click OK to save the log forwarding profile.

Configure the security policy rules

Click the Policies tab, and then select Security from the left menu.

Double-click a security policy, or create a new security policy, to open the Security Policy Rule dialog.

Click the Action tab, and select Log at Session Start and Log at Session End.

In the Log Forwarding list, choose the log forwarding profile you created in step 3.

Fill in the required information in tabs with a red squiggly underline.

Commit the changes to your firewall

In the upper right corner of the page, click Commit.

Select Commit All Changes, and click the Commit button to save.

Download the Logz.io public certificate

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Add TCP traffic as an input

In the Filebeat configuration file (/etc/filebeat/filebeat.yml), add TCP to the filebeat.inputs section.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

note

Filebeat requires a file extension specified for the log input.

# ...
filebeat.inputs:
- type: udp
max_message_size: 10MiB
host: "0.0.0.0:6514"

fields:
logzio_codec: plain

# Your Logz.io account token. You can find your token at
# https://app.logz.io/#/dashboard/settings/manage-accounts
token: <<LOG-SHIPPING-TOKEN>>
type: paloalto
fields_under_root: true
encoding: utf-8
ignore_older: 3h

If you're running Filebeat 7, paste this code block. Otherwise, you can leave it out.

# ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
fields:
- from: "agent"
to: "filebeat_agent"
ignore_missing: true
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true

If you're running Filebeat 6, paste this code block.

# ... For Filebeat 6 only ...
registry_file: /var/lib/filebeat/registry
Set Logz.io as the output

If Logz.io is not an output, add it now. Remove all other outputs.

Replace <<LISTENER-HOST>> with the host for your region.

# ...
output.logstash:
hosts: ["<<LISTENER-HOST>>:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
Start Filebeat

Start or restart Filebeat for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see Filebeat troubleshooting.