What is the official custom log format to forward GP logs to LEEF?

What is the official custom log format to forward GP logs to LEEF?

4147
Created On 02/24/22 11:56 AM - Last Modified 02/16/24 22:24 PM


Question


  • GP Logs were introduced in version 9.1.
  • The document shows custom logs for earlier versions which does not include GP logs in it.
  • What is the official custom log format to forward GP logs to LEEF?

Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1 and above
  • IBM QRADAR with LEEF event format.
  • GlobalProtect (GP) custom log.

Answer


  1. Log in to Palo Alto Networks Firewall/Panorama.
  2. On the Device tab, click Server Profiles > Syslog, and then click Add.
  3. Create a Syslog destination by following these steps:
    • In the Syslog Server Profile dialog box,
    • Click Add.Specify the name, server IP address, port,
    • Facility of the QRadar system that you want to use as a Syslog server.
  4. If you are using Syslog, set the Custom Format column to Default for all log types.
  5. Configure LEEF events by following these steps:
    • Click the Custom Log Format tab in the Syslog Server Profile dialog.
    • Click GlobalProtect, then copy  texts applicable to the version you are using, and paste it in the GlobalProtect Log Format field for the GlobalProtect log type. If your version is not listed, omit this step.
Format:
===========================================
LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$eventid|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|VirtualSystem=$vsys|msg=$opaque|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|Stage=$stage|AuthMethod=$auth_method|TunnelType=$tunnel_type|usrName=$srcuser|Srcregion=$srcregion|MachineName=$machinename|src=$public_ip|Src6=$public_ipv6|PrivateIP=$private_ip|PrivateIP6=$private_ipv6|HostID=$hostid|EndpointSerialNumber=$serialnumber|ClientVer=$client_ver|ClientOS=$client_os|ClientOSVer=$client_os_ver|Reason=$reason|Error=$error|Status=$status|Location=$location|LoginDuration=$login_duration|ConnectMethod=$connect_method|ErrorCode=$error_code|Portal=$portal
===========================================

 

Additional Information


IBM Reference guide:
https://www.ibm.com/docs/en/dsm?topic=panps-creating-syslog-destination-your-palo-alto-pa-series-device
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNGMCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail