AlienVault® USM Anywhere™

Collecting Logs from Palo Alto Networks

Role Availability Read-Only Analyst   Manager

To fully integrate USM Anywhere with your Palo Alto Networks firewall, you should configure log collection so that USM Anywhere can retrieve and normalizeNormalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. raw log data from the firewall. The combination of the Palo Alto Networks PAN-OS plugin and configuration of the AlienApp for Palo Alto Networks provides a full scope of data and analysis within USM Anywhere.

USM Anywhere includes the Palo Alto PAN-OS pluginPlugins specify how to collect and normalize raw information from devices to create events that can then be analyzed to determine threats and vulnerabilities., which provides data normalization and analysis for Palo Alto Networks PAN-OS log data. You must first configure the firewall to send log data to a USM Anywhere Sensor through the syslogAn industry standard message logging system that is used on many devices and platforms. server. When this configuration is in place, USM Anywhere enables the plugin for the device automatically because of hints — unique information within the syslog message that identifies the data source sending the logs.

Before you configure the Palo Alto Networks PAN-OS integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Palo Alto Networks PAN-OS to send log data to USM Anywhere

  1. Add a syslog server profile. See the PAN-OS Administrator's Guide on Configure Syslog Monitoring for instructions.

    • For Syslog Server, enter the IP address of the USM Anywhere Sensor.
    • Select the Transport protocol you want to use. USM Anywhere supports UDP, TCP, and TLS.
    • The Port number depends on the transport protocol you choose. Use 514 for UDP, 601 for TCP, or 6514 for TLS.
  2. Configure syslog forwarding on PAN-OS. See the PAN-OS Administrator's Guide on Configure Log Forwarding for instructions.

Note: The syslog messages from Palo Alto Networks Pan-OS do not include the time zone setting on the device, so the plugin assumes all time occurs in Coordinated Universal Time (UTC), which is used by most devices. If your Palo Alto Network device is using a different time zone than UTC, the time information in the eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. will appear wrong. To correct this, configure your Palo Alto Network device to use UTC instead. See PAN-OS Web Interface Reference on Device Management for instructions.