Configure a PAN-OS 7.1 Gateway to Generate Logs in CEF Format

37748
Created On 09/25/18 17:36 PM - Last Modified 06/13/23 13:53 PM


Resolution


摘要

This document describes the steps to configure a Palo Alto Networks gateway running PAN-OS 7.1 to forward logs to a syslog receiver in CEF format. The CEF format schema is provided for Traffic, Threat, Config, System and HIP Match logs. Correlation logs are not covered in this document.

 

WebUI Configuration Steps

 

1. To configure the device to identify itself in generated logs by its IPv4/IPv6 address or hostname rather than by FQDN, select Device > Setup > Management > Logging and Reporting Settings. In the Log Export and Reporting tab, open the Syslog HOSTNAME Format drop-down and choose the preferred identification method.

 


 

2. Select Device > Server Profiles > Syslog and specify a name for the new syslog server profile. Click Add to specify a syslog server name, IP address, transport (TCP or UDP), port (for example 514), format (BSD or IETF) and facility (for example LOG_LOCAL0). Syslog over UDP or plain TCP carries no integrity or confidentiality protection, so keep the path between the firewall and the receiver inside a trusted management network.

 


 

3. Click the Custom Log Format tab and select one of the listed log types (Config, System, Threat, Traffic and HIP Match) to define the CEF log format for that type. Note that the templates below depart from the ArcSight CEF specification in two respects: the specification's version field is CEF:0, and its header has seven pipe-separated fields (version, vendor, product, device version, signature ID, name, severity) followed by a space-separated key=value extension, whereas these templates stop after five header fields and separate every key=value pair with a pipe. Confirm that the receiving parser accepts this pipe-delimited layout before committing. The Threat and System templates also emit the key Severity twice (numeric, then textual), which a parser that stores fields in a plain map will silently collapse.

 


 

Traffic log CEF format:

CEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|Protocol=$proto|Action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source

Threat log CEF format:

CEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|Protocol=$proto|Action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|Severity=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud|URLIndex=$url_idx|UserAgent=$user_agent|FileType=$filetype|identsrc=$xff|Referer=$referer|Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

Config log CEF format:

CEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$result|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|src=$host|VirtualSystem=$vsys|msg=$cmd|usrName=$admin|Client=$client|Result=$result|ConfigurationPath=$path|sequence=$seqno|ActionFlags=$actionflags|BeforeChangeDetail=$before-change-detail|AfterChangeDetail=$after-change-detail|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

System log CEF format:

CEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|Filename=$object|Module=$module|Severity=$number-of-severity|Severity=$severity|msg=$opaque|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

HIP Match log CEF format:

CEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$matchname|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|usrName=$srcuser|VirtualSystem=$vsys|identHostName=$machinename|OS=$os|identsrc=$src|HIP=$matchname|RepeatCount=$repeatcnt|HIPType=$matchtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name

 

4. Commit the updated configuration for the changes to take effect.
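Once the profile is committed, the receiving side has to split these lines reliably. The following Python is an added example, not part of this article or of Palo Alto Networks' own tooling: it takes the Traffic and System templates exactly as defined above, renders them with constructed sample values to stand in for the firewall, and parses the result back, keeping both Severity values and flagging fields that were shifted by an unescaped pipe in a value. All field values (serial number, addresses, user, device name) are made up for the example.

```python
"""Parse and sanity-check syslog lines built from this article's CEF templates.
Added example, not part of the Palo Alto Networks article; every field value is constructed."""
import re

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version", "name")
VAR_RE = re.compile(r"\$[\w-]+")  # PAN-OS variables such as $src or $cef-formatted-receive_time

TRAFFIC_TEMPLATE = (
    "CEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|"
    "cat=$type|ReceiveTime=$receive_time|SerialNumber=$serial|Type=$type|Subtype=$subtype|"
    "devTime=$cef-formatted-receive_time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|"
    "RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser|DestinationUser=$dstuser|"
    "Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|"
    "IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|"
    "SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|"
    "srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|Protocol=$proto|"
    "Action=$action|totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|"
    "totalPackets=$packets|StartTime=$start|ElapsedTime=$elapsed|URLCategory=$category|"
    "sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc|"
    "dstPackets=$pkts_received|srcPackets=$pkts_sent|SessionEndReason=$session_end_reason|"
    "DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|"
    "DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|"
    "vSrcName=$vsys_name|DeviceName=$device_name|ActionSource=$action_source"
)
SYSTEM_TEMPLATE = (
    "CEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid|"
    "ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|"
    "devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|Filename=$object|Module=$module|"
    "Severity=$number-of-severity|Severity=$severity|msg=$opaque|sequence=$seqno|"
    "ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|"
    "DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|"
    "DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name"
)

# Constructed sample values (not captured from a device); variables left out render empty.
SAMPLE_TRAFFIC = {
    "sender_sw_version": "7.1.10", "action": "allow", "type": "TRAFFIC", "subtype": "end",
    "receive_time": "2018/09/25 17:36:00", "cef-formatted-receive_time": "Sep 25 2018 17:36:00",
    "serial": "001801000000", "src": "10.1.1.25", "dst": "93.184.216.34", "natsrc": "203.0.113.10",
    "natdst": "93.184.216.34", "rule": "allow-web", "srcuser": "corp\\alice", "app": "web-browsing",
    "vsys": "vsys1", "from": "trust", "to": "untrust", "inbound_if": "ethernet1/2",
    "outbound_if": "ethernet1/1", "logset": "cef-forward", "sessionid": "43012", "repeatcnt": "1",
    "sport": "51234", "dport": "443", "natsport": "20011", "natdport": "443", "proto": "tcp",
    "bytes": "8123", "bytes_received": "6001", "bytes_sent": "2122", "packets": "30",
    "session_end_reason": "tcp-fin", "vsys_name": "vsys1", "device_name": "PA-3020-edge",
    "action_source": "from-policy",
}
SAMPLE_SYSTEM = {
    "sender_sw_version": "7.1.10", "eventid": "general", "type": "SYSTEM", "subtype": "general",
    "number-of-severity": "3", "severity": "high", "module": "general", "seqno": "77",
    "opaque": "Commit job succeeded", "vsys_name": "vsys1", "device_name": "PA-3020-edge",
}


def render(template, values):
    """Stand in for the firewall: substitute each $variable with a sample value."""
    return VAR_RE.sub(lambda m: values.get(m.group(0)[1:], ""), template)


def template_keys(template):
    """Extension keys a template promises, in order (everything after the five header fields)."""
    return [seg.split("=", 1)[0] for seg in template.split("|")[len(HEADER_FIELDS):]]


def parse_cef_line(line):
    """Return (header, extension, malformed) for one pipe-delimited line.

    Duplicate keys are kept as lists: the page's Threat and System layouts emit Severity
    twice (numeric, then textual) and a plain dict would silently drop one of them.
    Segments without '=' are returned as malformed: the layout does not escape '|', so a
    value containing a pipe (a URL, a CLI command) shifts every field after it.
    """
    parts = line.split("|")
    if len(parts) < len(HEADER_FIELDS) or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_FIELDS, parts[:len(HEADER_FIELDS)]))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    extension, malformed = {}, []
    for seg in parts[len(HEADER_FIELDS):]:
        if "=" not in seg:
            malformed.append(seg)
            continue
        key, value = seg.split("=", 1)
        extension.setdefault(key, []).append(value)
    return header, extension, malformed


def check_against_template(line, template):
    """Report template keys missing from the line, keys it never promised, and shifted segments."""
    _, extension, malformed = parse_cef_line(line)
    expected = set(template_keys(template))
    return {"missing": sorted(expected - set(extension)),
            "unexpected": sorted(set(extension) - expected),
            "malformed": malformed}


if __name__ == "__main__":
    line = render(TRAFFIC_TEMPLATE, SAMPLE_TRAFFIC)
    print(parse_cef_line(line)[0], check_against_template(line, TRAFFIC_TEMPLATE))
    broken = render(SYSTEM_TEMPLATE, dict(SAMPLE_SYSTEM, opaque="show system info | match sw-version"))
    print(check_against_template(broken, SYSTEM_TEMPLATE)["malformed"])
```

A field that renders empty (for example Flags= when the session carried no flags) still counts as present, so the missing list only catches keys the receiver never saw. The malformed list is the check worth alerting on: a non-empty result means some value carried a raw pipe and every field after it is misaligned, which is exactly the case where a detection rule keyed on dstPort or Action would read the wrong column.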

 



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGsCAK&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail