Palo Alto Networks Knowledgebase: How does the Log Link Feature Work?

Created On 02/07/19 23:53 PM - Last Updated 02/07/19 23:54 PM
Resolution

The Log Link feature adds links from log data to external systems (for example, trouble-ticketing, PCAP collection systems, security scanning, and so on). Each link is a URL template whose placeholders are filled in from the fields of the selected log entry. The links appear at the bottom of the log detail page in the log viewer, and clicking one opens the constructed URL in a new browser window.


Log fields available for use in constructing the link URL (referenced in the template as {name}, for example {src}):

  • src - source IP address
  • dst - destination IP address
  • sport - source port
  • dport - destination port
  • proto - protocol
  • recvtime_YYYY - year of receive time
  • recvtime_MM - month of receive time
  • recvtime_DD - day of receive time
  • recvtime_hh - hour of receive time
  • recvtime_mm - minute of receive time
  • recvtime_ss - second of receive time
  • elapsed - elapsed time (session duration in seconds; available for the traffic log only, "" otherwise)
  • direction - client-to-server or server-to-client (available for the threat, data filtering and URL logs only, "" otherwise)
  • suser - source user
  • duser - destination user
  • szone - source zone
  • dzone - destination zone
  • ingress - ingress interface
  • egress - egress interface


To enable the log link feature, enter configure mode in the CLI, define one or more named links with the following commands, then commit the configuration:

# set deviceconfig system log-link VirusTotal.Src url https://www.virustotal.com/en/ip-address/{src}/information

# set deviceconfig system log-link VirusTotal.Dst url https://www.virustotal.com/en/ip-address/{dst}/information

Example URL produced by the first template for a log entry whose source IP is 91.220.163.35: https://www.virustotal.com/en/ip-address/91.220.163.35/information/


Running the above two commands creates two log links to VirusTotal in the Log Details window (one for the source IP and one for the destination IP):

[Screenshot log-links-vt.png: Log Details window with the VirusTotal.Src and VirusTotal.Dst links at the bottom]

Multiple links can be set and all show up at the bottom of the log detail window.
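The following is an added example, not code from the article or from Palo Alto Networks: a small Python model of how a log-link URL template is expanded from the fields listed above, applied to the two VirusTotal templates from the article and to a hypothetical PCAP-collector template (pcap.example.internal is a placeholder host) that uses the receive-time and session fields. The sample log records are constructed, not real PAN-OS log output. The model percent-encodes every substituted value; the article does not say whether PAN-OS does so, so treat that as an assumption and check the rendered links in your own log viewer before relying on them for user names or zone names that contain "\" or "/".

```python
"""Model of PAN-OS log-link URL templating (added example, not Palo Alto code)."""
import re
from urllib.parse import quote

# Variables the article lists. "elapsed" and "direction" are only populated
# for certain log types and are substituted as "" otherwise, as the article
# states; anything not listed is treated as a template error.
COMMON_FIELDS = {
    "src", "dst", "sport", "dport", "proto",
    "recvtime_YYYY", "recvtime_MM", "recvtime_DD",
    "recvtime_hh", "recvtime_mm", "recvtime_ss",
    "suser", "duser", "szone", "dzone", "ingress", "egress",
}
TYPE_SPECIFIC = {
    "elapsed": {"traffic"},
    "direction": {"threat", "data", "url"},
}
PLACEHOLDER = re.compile(r"\{([A-Za-z_]+)\}")


def render_log_link(template, log_type, record):
    """Expand {var} placeholders in a log-link template from one log record.

    Values are percent-encoded (assumption: the article does not say whether
    PAN-OS encodes them) so a user name such as 'corp\\jdoe' or an interface
    name containing '/' cannot alter the URL's path or query structure.
    An unknown placeholder raises instead of silently producing a dead link.
    """
    def substitute(match):
        name = match.group(1)
        if name in TYPE_SPECIFIC:
            value = record.get(name, "") if log_type in TYPE_SPECIFIC[name] else ""
        elif name in COMMON_FIELDS:
            value = record.get(name, "")
        else:
            raise KeyError("unknown log-link variable {%s}" % name)
        return quote(str(value), safe="")
    return PLACEHOLDER.sub(substitute, template)


# Link templates: the two from the article plus a hypothetical PCAP collector
# (placeholder host, not a real system) using the time and session fields.
LOG_LINKS = {
    "VirusTotal.Src": "https://www.virustotal.com/en/ip-address/{src}/information",
    "VirusTotal.Dst": "https://www.virustotal.com/en/ip-address/{dst}/information",
    "PCAP.Session": ("https://pcap.example.internal/search"
                     "?src={src}&sport={sport}&dst={dst}&dport={dport}"
                     "&day={recvtime_YYYY}-{recvtime_MM}-{recvtime_DD}"
                     "&dur={elapsed}&dir={direction}"),
}


def links_for(log_type, record):
    """Build every configured link for one log entry, as the Log Details
    window lists them at the bottom."""
    return {name: render_log_link(tmpl, log_type, record)
            for name, tmpl in LOG_LINKS.items()}


# Constructed sample log records (not real PAN-OS log output). The source IP
# is the one used in the article's example URL.
TRAFFIC_LOG = {
    "src": "91.220.163.35", "dst": "10.1.2.3", "sport": "51514", "dport": "443",
    "proto": "tcp", "recvtime_YYYY": "2019", "recvtime_MM": "02",
    "recvtime_DD": "07", "recvtime_hh": "23", "recvtime_mm": "53",
    "recvtime_ss": "10", "elapsed": "37", "suser": "corp\\jdoe", "duser": "",
    "szone": "untrust", "dzone": "trust", "ingress": "ethernet1/1",
    "egress": "ethernet1/2",
}
THREAT_LOG = dict(TRAFFIC_LOG, elapsed="", direction="client-to-server")


if __name__ == "__main__":
    for log_type, record in (("traffic", TRAFFIC_LOG), ("threat", THREAT_LOG)):
        print(log_type)
        for name, url in links_for(log_type, record).items():
            print("  %-15s %s" % (name, url))
    # A typo in a placeholder is caught when the template is rendered.
    try:
        render_log_link("https://x.example/{source}", "traffic", TRAFFIC_LOG)
    except KeyError as exc:
        print("rejected:", exc)
```

Running the script shows the same PCAP.Session template rendering with dur=37 and an empty dir for the traffic entry, and with an empty dur and dir=client-to-server for the threat entry, which is the "" behaviour the field list describes; a template that references a misspelled variable is rejected outright.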


Note: The log link configuration is not synchronized between the peers of a High Availability (HA) pair. Therefore, the log link configuration must be entered and committed manually on both the active and the passive device.


owner: mjacobsen


Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGmCAK