Configuring PAN-OS 7.1 Gateways to Generate Logs in LEEF Format


Created On 09/25/18 17:36 PM - Last Modified 06/13/23 13:53 PM


Resolution


Summary

This document describes the steps to configure a Palo Alto Networks gateway running PAN-OS 7.1 to forward logs to a syslog receiver in LEEF format. LEEF format templates are provided for the Traffic, Threat, Config, System and HIP Match logs. Correlation logs are not covered in this document.

 

WebUI Configuration Steps

 

1. (Optional) To configure the device to send its IPv4/IPv6 address or hostname instead of its FQDN in the logs it generates, select Device > Setup > Management > Logging and Reporting Settings. On the Log Export and Reporting tab, open the Syslog HOSTNAME Format drop-down and choose the preferred identification method.

 


 

2. Select Device > Server Profiles > Syslog and enter a name for the new syslog server profile. Click Add to specify a syslog server name, IP address, transport (TCP or UDP), port (for example 514), format (BSD or IETF) and facility (for example LOG_LOCAL0).

 


 

3. Click the Custom Log Format tab and select one of the listed log types (Config, System, Threat, Traffic and HIP Match) to define a LEEF log format for that type.

 


 

Traffic log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|Action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|Sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source

Threat log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|Action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|Direction=$direction|Sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|UserAgent=$user_agent|FileType=$filetype|identSrc=$xff|Referer=$referer|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

Config log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$result|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|src=$host|VirtualSystem=$vsys|msg=$cmd|usrName=$admin|Client=$client|Result=$result|ConfigurationPath=$path|Sequence=$seqno|ActionFlags=$actionflags|BeforeChangeDetail=$before-change-detail|AfterChangeDetail=$after-change-detail|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

System log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|FILENAME=$object|Module=$module|sev=$number-of-severity|Severity=$severity|msg=$opaque|Sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

HIP Match log LEEF format:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identSrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|Sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

 

4. Commit the updated configuration for the changes to take effect.
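To see what these formats produce on the wire and to check that a receiver parses them before production log forwarding is switched to the new profile, here is an added example; it is not Palo Alto Networks code and does not come from this article. It expands a shortened copy of the Traffic template above with constructed sample values, parses the resulting line back into its five LEEF header fields and its attributes, and reports what a SIEM ingestion test should flag. The field values, the device name pa-edge-01 and the serial number are all constructed, and the example assumes the attribute delimiter is '|', as in the formats above.

```python
"""Render and parse the pipe-delimited LEEF 1.0 lines that the custom formats
above produce.  Added example, not Palo Alto Networks code: the template is a
shortened copy of the Traffic format from this article, and every field value
below is constructed for the demo."""
import re

# Subset of the Traffic LEEF format listed above, keys kept in the same order.
TRAFFIC_TEMPLATE = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|"
    "cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|"
    "devTime=$cef-formatted-receive_time|src=$src|dst=$dst|RuleName=$rule|usrName=$srcuser|"
    "Application=$app|SourceZone=$from|DestinationZone=$to|srcPort=$sport|dstPort=$dport|"
    "proto=$proto|Action=$action|totalBytes=$bytes|SessionEndReason=$session_end_reason|"
    "DeviceName=$device_name"
)

# Constructed values standing in for what PAN-OS fills in for one denied session.
SAMPLE_TRAFFIC = {
    "sender_sw_version": "7.1.0",
    "action": "deny",
    "type": "TRAFFIC",
    "subtype": "end",
    "receive_time": "2018/09/25 17:36:05",
    "cef-formatted-receive_time": "Sep 25 2018 17:36:05 GMT",
    "serial": "000000000000",          # constructed placeholder serial
    "src": "192.0.2.10",
    "dst": "198.51.100.25",
    "rule": "block-outbound-smb",
    "srcuser": "example\\jdoe",
    "app": "ms-ds-smb",
    "from": "trust",
    "to": "untrust",
    "sport": 51234,
    "dport": 445,
    "proto": "tcp",
    "bytes": 1460,
    "session_end_reason": "policy-deny",
    "device_name": "pa-edge-01",       # constructed device name
}

# PAN-OS variable names are lowercase and may contain '_' or '-'.
VAR_RE = re.compile(r"\$[a-z0-9_-]+")


def render(template: str, fields: dict) -> str:
    """Substitute every $variable in a custom log format with its value.
    An unknown variable raises instead of silently producing an empty value,
    so a typo in the format is caught while testing rather than at the SIEM."""
    def expand(match: re.Match) -> str:
        name = match.group(0)[1:]
        if name not in fields:
            raise KeyError(f"format references unknown variable ${name}")
        return str(fields[name])
    return VAR_RE.sub(expand, template)


def parse_leef(line: str) -> dict:
    """Split one LEEF line into its five header fields and its attributes.
    Only the first five '|' belong to the header (version, vendor, product,
    software version, event id); everything after them is key=value pairs,
    which these formats also separate with '|'."""
    parts = line.split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError(f"not a LEEF 1.0 line: {line[:40]!r}")
    version, vendor, product, sw_version, event_id, body = parts
    attrs = {}
    for pair in body.split("|"):
        if "=" not in pair:
            # A '|' inside a value (a URL, a rule name) lands here: the line
            # cannot be split unambiguously with a pipe attribute delimiter.
            raise ValueError(f"attribute without '=': {pair!r}")
        key, value = pair.split("=", 1)
        attrs[key] = value
    return {"version": version, "vendor": vendor, "product": product,
            "sw_version": sw_version, "event_id": event_id, "attrs": attrs}


REQUIRED_TRAFFIC_KEYS = ("cat", "devTime", "src", "dst", "srcPort", "dstPort", "Action")


def check_traffic_record(rec: dict) -> list:
    """Return the problems an ingestion test should flag for a Traffic record:
    an unexpected vendor/product header, required keys missing, or empty
    values for the keys that correlation rules key on."""
    problems = []
    if (rec["vendor"], rec["product"]) != ("Palo Alto Networks", "PAN-OS Syslog Integration"):
        problems.append(f"unexpected header {rec['vendor']!r}/{rec['product']!r}")
    for key in REQUIRED_TRAFFIC_KEYS:
        if key not in rec["attrs"]:
            problems.append(f"missing {key}")
        elif rec["attrs"][key] == "":
            problems.append(f"empty {key}")
    return problems


def demo() -> tuple:
    """Render the sample record, parse it back and check it."""
    line = render(TRAFFIC_TEMPLATE, SAMPLE_TRAFFIC)
    rec = parse_leef(line)
    return line, rec, check_traffic_record(rec)


if __name__ == "__main__":
    line, rec, problems = demo()
    print(line)
    print("event:", rec["event_id"], "dst port:", rec["attrs"]["dstPort"])
    print("problems:", problems or "none")
```

The caveat worth keeping in mind sits in parse_leef: with '|' as the attribute delimiter, any field value that itself contains '|' (a URL in Miscellaneous, a rule or object name) cannot be split unambiguously, so a receiver expecting these formats should be tested against such values; the LEEF specification's default attribute delimiter is a tab character, which is why a parser keyed on '|' has to treat the first five pipes as the header and everything after them as attributes.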

 


