Before you begin, you’ll need:
Configure the firewall to forward logs to Filebeat
You’ll need to configure your firewall to forward logs to your Filebeat server at port 6514 over UDP.
In your PAN-OS admin console, click the Device tab, and then select Server Profiles > Syslog from the left menu.
Click the Add button to open the Syslog Server Profile dialog, and give your profile a descriptive Name that includes “logzio”.
Click Add to add a new server. Give your new server these settings:
- Name: We recommend including “Filebeat” in the name.
- Syslog Server: The IP address of your Filebeat server.
- Transport: UDP
- Port: 6514
- Format: BSD
- Facility: Leave as “LOG_USER”
Click OK to save the profile.
For more information, see Configure Syslog Monitoring from Palo Alto Networks.
Configure syslog forwarding
Click the Objects tab, and then select Log Forwarding from the left menu.
Click the Add button to open the Log Forwarding Profile dialog. Give your profile a Name and optional Description.
Click the Add button to open the Log Forwarding Profile Match List dialog. Choose a Log Type, and paste that log type in the Name box.
In the Syslog panel, click Add, and choose the server profile you created in step 1.
Click OK to save this log type.
Repeat this process for each log type you plan to send to Filebeat.
Click OK to save the log forwarding profile.
Configure the security policy rules
Click the Policies tab, and then select Security from the left menu.
Double-click a security policy, or create a new security policy, to open the Security Policy Rule dialog.
Click the Action tab, and select Log at Session Start and Log at Session End.
In the Log Forwarding list, choose the log forwarding profile you created in step 3.
Fill in the required information in tabs with a red squiggly underline.
Commit the changes to your firewall
In the upper right corner of the page, click Commit.
Select Commit All Changes, and click the Commit button to save.
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Add TCP traffic as an input
In the Filebeat configuration file (/etc/filebeat/filebeat.yml), add TCP to the filebeat.inputs section.
<<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
# ... filebeat.inputs: - type: udp max_message_size: 10MiB host: "0.0.0.0:6514" fields: logzio_codec: plain # Your Logz.io account token. You can find your token at # https://app.logz.io/#/dashboard/settings/manage-accounts token: <<LOG-SHIPPING-TOKEN>> type: paloalto fields_under_root: true encoding: utf-8 ignore_older: 3h
If you’re running Filebeat 7, paste this code block. Otherwise, you can leave it out.
# ... For Filebeat 7 only ... filebeat.registry.path: /var/lib/filebeat processors: - rename: fields: - from: "agent" to: "filebeat_agent" ignore_missing: true - rename: fields: - from: "log.file.path" to: "source" ignore_missing: true
If you’re running Filebeat 6, paste this code block.
# ... For Filebeat 6 only ... registry_file: /var/lib/filebeat/registry
Set Logz.io as the output
If Logz.io is not an output, add it now. Remove all other outputs.
<<LISTENER-HOST>> with the host for your region. For example,
listener.logz.io if your account is hosted on AWS US East, or
listener-nl.logz.io if hosted on Azure West Europe.
# ... output.logstash: hosts: ["<<LISTENER-HOST>>:5015"] ssl: certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
Start or restart Filebeat for the changes to take effect.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana.
If you still don’t see your logs, see log shipping troubleshooting.