AlienVault® USM Anywhere™

Collecting Logs from Palo Alto Networks

  Role Availability: Read-Only, Analyst, Manager

To fully integrate USM Anywhere with your Palo Alto Networks firewall, configure log collection so that USM Anywhere can retrieve and normalize raw log data from the firewall. (Normalization translates log entries received from disparate types of monitored assets into the standardized framework of event types and subtypes.) The combination of the Palo Alto Networks PAN-OS plugin and the AlienApp for Palo Alto Networks provides the full scope of data and analysis within USM Anywhere.

USM Anywhere includes the Palo Alto PAN-OS plugin, which normalizes and analyzes PAN-OS log data. (Plugins specify how to collect and normalize raw information from devices to create events that can then be analyzed to determine threats and vulnerabilities.) You must first configure the firewall to send its log data to a USM Anywhere Sensor over syslog, the industry-standard message logging protocol. Once messages arrive, USM Anywhere enables the plugin for the device automatically based on hints: unique information within the syslog message that identifies the data source sending the logs. No manual plugin assignment is needed as long as the firewall sends its logs in the standard PAN-OS format.

Before you configure the Palo Alto Networks PAN-OS integration, you must have the IP address of the USM Anywhere Sensor, and the firewall must be able to reach that address on the syslog port you choose (check the service route PAN-OS uses for syslog, which defaults to the management interface, and any intermediate filtering).

To configure Palo Alto Networks PAN-OS to send log data to USM Anywhere

  1. Create a syslog server profile on the firewall:

    1. Go to Device > Server Profiles > Syslog.

    2. In the Profile Name field, enter a name for the profile (for example, USM Anywhere).

      Click Add, then enter the details of the syslog server (the USM Anywhere Sensor):

      • Name — Name of the syslog server entry; typically the name of the USM Anywhere Sensor
      • Syslog Server — IP address of the USM Anywhere Sensor
      • Transport — UDP, TCP, or SSL

        UDP syslog is unauthenticated, unencrypted, and silently drops messages under load, so anything on the path can read or spoof firewall logs. Prefer SSL/TLS where the sensor accepts it, and in any case restrict the sensor's syslog port to the firewall's source address.

      • Port — 514 for UDP, 601 for TCP, or 6514 for SSL/TLS
      • Format — BSD (default) or IETF

        Note: Some users have seen PAN-OS IETF-format syslog messages arrive with incomplete fields. If event descriptions from this plugin are not being parsed correctly, change the format to BSD.

      • Facility — Select the syslog facility the firewall stamps on each message (for example LOG_USER or one of LOG_LOCAL0 through LOG_LOCAL7). USM Anywhere uses the facility field to manage messages, so pick a value you can filter on and use it consistently.

        For details on the facility field, see RFC 3164 (BSD format) or RFC 5424 (IETF format).

    3. Click OK.

      To make integration with external log-parsing systems easier, the firewall lets you customize the log format for each log type and add custom Key: Value attribute pairs.

      Note: To configure custom formats, go to Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. Leave the format at its default for the profile that points at USM Anywhere: the plugin expects the standard PAN-OS field layout, and a customized format can break both the automatic hint matching and field parsing.

  2. Create a log forwarding profile:

    1. Go to Objects > Log Forwarding and click Add.

    2. Complete the required details:

      • Name: Type a profile name. This name appears in the list of log forwarding profiles when you define security policies.

      • Syslog: Select the syslog server profile you created as the destination for the log entries you want forwarded (at minimum traffic logs). On newer PAN-OS releases the profile is built from match list entries, one per log type (Traffic, Threat, and so on), and you select the syslog server profile for each entry.

    3. Click OK.

    The log forwarding profile is now created.

  3. Use the log forwarding profile in your security policy. A rule without a log forwarding profile logs only to the firewall itself, so repeat these steps for every rule whose sessions you want to see in USM Anywhere.

    1. Go to Policies > Security.

    2. Select the rule for which log forwarding should be applied.

    3. Select the Actions tab, then select your log forwarding profile from the Log Forwarding list on the right side of the page.

    4. Verify that Log at Session End is selected. Log at Session Start is optional; it produces an additional log per session, roughly doubling the volume sent to the sensor.

    5. Click OK.

      After clicking OK, notice the forwarding icon in the Options column of your security rule.

    6. Click Commit to activate the change. Then generate some traffic that matches the rule and confirm that the corresponding events appear in USM Anywhere.

      Note: Security policy rules forward only traffic and threat logs. System, configuration, and User-ID logs are not tied to a rule; to forward those to the same syslog server profile, configure them under Device > Log Settings.
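As an added worked example (not part of the original page and not the USM Anywhere plugin's own code), the following Python script does on constructed sample messages what the plugin's hint matching and normalization do on arriving syslog: it strips the BSD (RFC 3164) or IETF (RFC 5424) syslog header, splits the PAN-OS comma-separated payload, keys on the log type column as the hint, maps the leading TRAFFIC columns to field names, and flags a message that arrives with fewer fields than the TRAFFIC layout needs, which is the symptom the IETF note above describes. The header patterns, the field list, the hint test, and the sample lines are all assumptions made for this demo; the plugin's actual hint and parsing logic is not published on this page.

```python
"""Parse PAN-OS syslog lines in BSD (RFC 3164) or IETF (RFC 5424) framing and
check that a TRAFFIC payload carries the fields a normalizer needs."""
import csv
import re
from dataclasses import dataclass, field

# Assumed header patterns for the two syslog framings the firewall can emit.
BSD_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)
IETF_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$", re.S)

# Leading columns of a PAN-OS TRAFFIC log in the order the firewall writes them
# (assumed layout for this demo; check the firewall's own field reference).
TRAFFIC_FIELDS = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "src_ip", "dst_ip", "nat_src_ip", "nat_dst_ip", "rule",
    "src_user", "dst_user", "app", "vsys", "src_zone", "dst_zone", "in_if",
    "out_if", "log_action", "future_use3", "session_id", "repeat_count",
    "src_port", "dst_port", "nat_src_port", "nat_dst_port", "flags", "proto",
    "action",
]
PANOS_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "CONFIG", "HIPMATCH",
               "GLOBALPROTECT", "USERID", "DECRYPTION", "AUTHENTICATION"}
PANOS_TIME = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")


@dataclass
class PanosEvent:
    framing: str            # "bsd" or "ietf"
    host: str
    facility: int           # PRI // 8
    severity: int           # PRI % 8
    fields: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


def split_syslog(line):
    """Return (framing, header groups) for a syslog line, or None if neither fits."""
    m = IETF_HDR.match(line)
    if m:
        return "ietf", m.groupdict()
    m = BSD_HDR.match(line)
    if m:
        return "bsd", m.groupdict()
    return None


def is_panos_hint(cols):
    """Assumed 'hint': a PAN-OS log type in column 4 and a firewall-style
    receive time (YYYY/MM/DD HH:MM:SS) in column 2 of the CSV payload."""
    return (len(cols) > 3 and cols[3] in PANOS_TYPES
            and PANOS_TIME.match(cols[1]) is not None)


def parse_panos_syslog(line):
    """Return a PanosEvent for a PAN-OS syslog line, or None for anything else."""
    hdr = split_syslog(line.rstrip("\r\n"))
    if hdr is None:
        return None
    framing, h = hdr
    pri = int(h["pri"])
    cols = next(csv.reader([h["msg"]]))  # PAN-OS quotes fields that contain commas
    if not is_panos_hint(cols):
        return None
    ev = PanosEvent(framing, h["host"], pri // 8, pri % 8)
    if cols[3] == "TRAFFIC":
        if len(cols) < len(TRAFFIC_FIELDS):
            # The "incomplete fields" case: trailing columns are simply missing.
            ev.problems.append("expected at least %d TRAFFIC columns, got %d"
                               % (len(TRAFFIC_FIELDS), len(cols)))
        ev.fields = dict(zip(TRAFFIC_FIELDS, cols))
    else:
        ev.fields = {"type": cols[3], "subtype": cols[4] if len(cols) > 4 else ""}
    return ev


# Constructed sample messages (not real firewall output); the payload follows
# the TRAFFIC column order above and uses documentation IP ranges.
PAYLOAD = ("1,2024/03/05 10:15:22,007200001234,TRAFFIC,end,2560,2024/03/05 10:15:22,"
           "10.10.1.25,198.51.100.7,203.0.113.9,198.51.100.7,allow-web-out,\"corp\\jdoe\",,"
           "ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,USM Anywhere,2024/03/05 10:15:22,"
           "48213,1,51442,443,21555,443,0x400019,tcp,allow")
BSD_LINE = "<14>Mar  5 10:15:22 PA-VM " + PAYLOAD
IETF_LINE = "<14>1 2024-03-05T10:15:22Z PA-VM - - - - " + PAYLOAD
# Same message with the tail cut off, as seen when IETF output arrives incomplete.
TRUNCATED_IETF = "<14>1 2024-03-05T10:15:22Z PA-VM - - - - " + ",".join(PAYLOAD.split(",")[:20])

if __name__ == "__main__":
    for sample in (BSD_LINE, IETF_LINE, TRUNCATED_IETF):
        ev = parse_panos_syslog(sample)
        print(ev.framing, ev.host, ev.fields.get("src_ip"), ev.fields.get("action"), ev.problems)
```

Run it against lines captured on the sensor (for example with tcpdump on the syslog port) to tell a transport problem from a format problem: a line that returns None never matched the hint, a TRAFFIC event with entries in problems arrived truncated and is the case where switching the profile to BSD is the documented fix.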