AlienVault® USM Anywhere™

Palo Alto Networks PAN-OS

When you configure Palo Alto Networks PAN-OS to send log data to USM Anywhere, you can use the Palo Alto Networks PAN-OS plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Palo Alto Networks
Device Type Firewall
Connection Type Syslog

Integrating Palo Alto Networks PAN-OS

Before you configure the Palo Alto Networks PAN-OS integration, you must have the IP address of the USM Anywhere Sensor.

To configure Palo Alto Networks PAN-OS to send log data to USM Anywhere

  1. Create a syslog server profile on the firewall:

    1. Go to Device > Server Profiles > Syslog.

    2. In the Profile Name field, enter a name for the profile (for example, USM Anywhere).

      Click Add, then enter a name for the syslog server (USM Anywhere Sensor), as well as other details:

      • Name of the syslog server — Typically, the name of the USM Anywhere Sensor
      • Syslog server — IP address of the USM Anywhere Sensor
      • Transport — UDP, TCP, or SSL
      • Port — 514 for UDP, 601 for TCP, or 6514 for SSL/TLS
      • Format — BSD (default) or IETF

        Note: Some users have seen Palo Alto IETF-format syslog messages arrive with incomplete fields. If you find that the event descriptions from this plugin aren't being parsed correctly, try changing the format to BSD.

      • Facility — Select the value that maps to how the USM Anywhere Sensor uses the facility field to manage messages.

        For details on the facility field, see RFC 3164 (BSD format).

    3. Click OK.

      To make integration with external log parsing systems easier, the firewall allows you to customize the log format. It also allows you to add custom Key: Value attribute pairs.

      Note: To configure custom formats, go to Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.

  2. Create a log forwarding profile:

    1. Go to Objects > Log forwarding > Add.

    2. Complete the required details:

      • Name: Type a profile name. This name appears in the list of log forwarding profiles when defining security policies.

      • Syslog: Select the syslog server profile to specify additional destinations to which the traffic log entries should be sent.

    3. Click OK.

    Your log forwarding profile should now be created.

  3. Use the log forwarding profile in your security policy.

    1. Go to Policies > Security.

    2. Select the rule for which log forwarding should be applied.

    3. Select the Actions tab, then select your log forwarding profile from the Log Forwarding list, on the right side of the page.

    4. Verify that Log at Session End is selected.

    5. Click OK.

      After clicking OK, notice the forwarding icon in the Options column of your security rule.

    6. Click Commit.

Plugin Enablement

The Palo Alto Networks PAN-OS plugin automatically processes all messages when the raw message contains the following fields:

For assistance with PAN-OS syslog integration, consult the vendor documentation.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • audit_reason
  • base_event_count
  • bytes_in
  • bytes_out
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customfield_6
  • destination_address
  • destination_nat_address
  • destination_port
  • destination_username
  • destination_zone
  • device_direction
  • email_recipient
  • email_sender
  • email_subject
  • event_category
  • event_description
  • event_name
  • event_severity
  • event_subcategory
  • file_hash
  • file_name
  • file_type
  • rep_device_inbound_interface
  • rep_device_outbound_interface
  • rep_device_rule_id
  • request_content_type
  • request_url
  • request_user_agent
  • session
  • source_address
  • source_nat_address
  • source_port
  • source_process_commandline
  • source_username
  • source_zone
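As an added illustration of how a raw PAN-OS TRAFFIC syslog line maps onto the plugin field names listed above, the following Python snippet (written for this page, not the USM Anywhere plugin's own parser) strips either a BSD (RFC 3164) or IETF (RFC 5424) syslog header, splits the CSV body, and rejects messages that arrive with too few fields, which is the symptom the Note in the syslog server profile step describes. The column positions, header regexes, hostnames and log lines are assumptions constructed for the example; verify the positions against the log field reference for your PAN-OS version.

```python
import csv
import re

# Assumed header regexes for the two formats offered in the syslog server profile.
BSD_HEADER = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
IETF_HEADER = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ (?:-|\[.*?\]) (?P<body>.*)$")

# Assumed 1-based CSV positions in a PAN-OS TRAFFIC log, keyed to the plugin field names above.
TRAFFIC_FIELDS = {
    4: "event_category", 5: "event_subcategory",
    8: "source_address", 9: "destination_address",
    10: "source_nat_address", 11: "destination_nat_address",
    12: "rep_device_rule_id", 13: "source_username",
    17: "source_zone", 18: "destination_zone",
    19: "rep_device_inbound_interface", 20: "rep_device_outbound_interface",
    23: "session", 24: "base_event_count",
    25: "source_port", 26: "destination_port",
    31: "access_control_outcome",
    33: "bytes_out", 34: "bytes_in",  # assumed: Bytes Sent / Bytes Received
}
MIN_FIELDS = max(TRAFFIC_FIELDS)  # anything shorter is an incomplete message

def split_header(line: str):
    """Return (reporting host, CSV body) for a BSD or IETF syslog line."""
    m = IETF_HEADER.match(line) or BSD_HEADER.match(line)
    if not m:
        raise ValueError("not a BSD or IETF syslog message")
    return m.group("host"), m.group("body")

def parse_pan_traffic(line: str) -> dict:
    """Normalize one PAN-OS TRAFFIC line; raise ValueError if fields are missing."""
    host, body = split_header(line)
    cols = next(csv.reader([body]))  # csv handles quoted commas inside values
    if len(cols) < MIN_FIELDS:
        raise ValueError(f"incomplete message: {len(cols)} fields, need {MIN_FIELDS}")
    event = {"reporting_host": host}
    for pos, name in TRAFFIC_FIELDS.items():
        event[name] = cols[pos - 1]
    return event

# Constructed sample lines (documentation IP ranges, fictitious hostname and serial).
SAMPLE_BSD = (r"<14>Jan 12 10:15:01 pa-fw-01 1,2024/01/12 10:15:01,001234567890,TRAFFIC,end,2049,"
              r"2024/01/12 10:15:01,10.0.1.25,203.0.113.10,198.51.100.5,203.0.113.10,allow-web,"
              r"corp\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,USM Anywhere,"
              r"2024/01/12 10:15:01,45123,1,51234,443,12001,443,0x400000,tcp,allow,5821,2391,3430,"
              r"28,2024/01/12 10:14:31,30,computer-and-internet-info")
# IETF line cut short after the destination address, as in the incomplete-fields symptom.
SAMPLE_IETF_SHORT = ("<14>1 2024-01-12T10:15:01Z pa-fw-01 - - - - 1,2024/01/12 10:15:01,"
                     "001234567890,TRAFFIC,end,2049,2024/01/12 10:15:01,10.0.1.25,203.0.113.10")

if __name__ == "__main__":
    print(parse_pan_traffic(SAMPLE_BSD))
```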


For troubleshooting, refer to the vendor documentation: