Configuring PAN-OS 7.1 Gateways to Generate Logs in LEEF Format

Summary

This document illustrates the steps for configuring a Palo Alto Networks PAN-OS gateway running PAN-OS 7.1 to forward logs to a syslog receiver in the LEEF format. LEEF format schemas are provided for Traffic, Threat, Config, System, and HIP Match Logs. Correlation logs are not covered in this document.

WebUI Configuration Steps

1. (Optional) To configure the device to send its IPv4/IPv6 address or hostname instead of FQDN in the generated logs, select Device > Setup > Management > Logging and Reporting Settings. In the Log Export and Reporting tab, click on the Syslog HOSTNAME Format dropdown to pick the preferred identification method.

 2. Select Device > Server Profiles > Syslog and specify a new Syslog Server profile name. Proceed to click on Add to specify a Syslog server name, IP address, transport method (TCP or UDP), port (e.g. 514), format (BSD or IEEE), and facility (e.g. LOG_LOCAL0).

 3. Click on the Custom Log Format tab and pick one of the specified log types (Config, System, Threat, Traffic, and HIP Match) to define a LEEF log format for the given type.

Traffic log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source

Threat log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|UserAgent=$user_agent|FileType=$filetype|identsrc=$xff|Referer=$referer|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

Config log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$result|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|src=$host|VirtualSystem=$vsys| msg=$cmd|usrName=$admin|client=$client|Result=$result| ConfigurationPath=$path|sequence=$seqno|ActionFlags=$actionflags| BeforeChangeDetail=$before-change-detail|AfterChangeDetail=$after-change-detail|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

 System log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid| ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|subtype=$subtype|devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|Filename=$object| Module=$module|sev=$number-of-severity|Severity=$severity|msg=$opaque| sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

 HIP Match log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identsrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

4. Commit your updated configuration for the changes to take effect.