Configuring Palo Alto Cortex XDR to forward events
To configure log forwarding to syslog, follow these steps. The menus named below belong to the PAN-OS firewall web interface (Device, Objects and Policies tabs); it is the firewall that generates and forwards the log entries.
Step 1: Create a syslog server profile
- Under the Device tab, navigate to Server Profiles > Syslog.
- Click Add to configure the log destination on the Palo Alto Networks firewall. You will need to enter the:
- Name of the syslog server profile (case sensitive).
- Syslog server IP address, which is the IP address of the Chronicle forwarder.
- Port number: the port on which the forwarder listens for these logs (UDP 11516 in this example; the PAN-OS default is 514). Change it to match the forwarder's collector configuration.
- Transport: this example uses UDP. UDP syslog is unacknowledged and unencrypted, so if the forwarder is not on the same trusted network segment as the firewall, prefer the TCP or SSL transport that the profile also offers.
- Format: keep the default log format, BSD.
- Facility: the syslog facility the firewall tags the messages with, Local6 (LOG_LOCAL6) in this example. The forwarder does not require a particular facility, but a fixed value makes it easy to filter and to verify that the messages came from this profile.
Step 2: Create a log forwarding profile
- Go to Objects > Log Forwarding and click Add.
- Name: enter a profile name (up to 31 characters).
- Add a match list entry for each log type you want forwarded (for example Traffic, with the filter left at All Logs), and under Syslog select the syslog server profile from Step 1 so that those log entries are sent to the forwarder in addition to the firewall's local log store. Log types without a match list entry are not forwarded.
- Click OK to confirm your configuration.
- Your log forwarding profile is now created.
Step 3: Use the log forwarding profile in your security policy
- Go to Policies > Security.
- Select the rule to which log forwarding needs to be applied (the rule named Any Allow in this example). Only sessions matched by a rule that carries the profile are forwarded, so apply it to every rule whose traffic you need in Chronicle.
- On the Actions tab, select the profile from the Log Forwarding dropdown and click OK. Check that Log at Session End (or Log at Session Start) is enabled on the same tab; a rule that does not log generates no traffic entries to forward.
- After clicking OK, a forwarding icon appears in the Options column of the security rule.
Step 4: Commit the changes
- Click Commit; nothing is forwarded until the configuration is committed to the firewall.
- Repeat the process for each device that needs to be onboarded to Chronicle.
- Once the configuration is complete, validate in Chronicle that logs are arriving. A raw log search with the regular expression .* lists every log source type currently being ingested; searching for the firewall's hostname instead narrows the result to the device you just onboarded.
The following is an example of a TRAFFIC log line that a Palo Alto Networks firewall sends to Chronicle (shown truncated):
<14>Jul 6 16:00:20 contoso.net 1,2023/07/06 16:00:19,007051000142122,TRAFFIC,
Box and Shodan,,,google-base,vsys1,Trust,Untrust,ethernet1/4.1,ethernet1/7,
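The validation in Step 4 only tells you that something is arriving. Before pointing a production firewall at the forwarder it is worth checking, at the forwarder side, that the messages carry the facility configured in Step 1 and that the PAN-OS CSV body parses into the expected TRAFFIC fields. The script below is an added example, not code from this page or from Palo Alto Networks or Google. It parses a BSD-format syslog line as the firewall emits it (PRI, timestamp, hostname, then the comma-separated PAN-OS log), decodes the PRI into facility and severity, rejects lines whose facility does not match the profile's LOG_LOCAL6, and extracts TRAFFIC fields by position. The field positions follow the PAN-OS TRAFFIC syslog field order as the author understands it and should be checked against the syslog field reference for your PAN-OS release; the full log line and the hostname contoso.net are constructed sample data that extend the truncated line shown above (assumptions). Note that the page's sample line starts with <14>, which decodes to facility user (1) and severity informational (6), not to local6, so a check like this one would flag it.

```python
"""Validate PAN-OS syslog lines at a Chronicle forwarder (added example)."""
import csv
import re
from dataclasses import dataclass

LOCAL6 = 22  # syslog facility codes 16..23 are local0..local7
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss hostname message
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)

# 0-based positions in the PAN-OS TRAFFIC CSV body (assumed field order;
# verify against the PAN-OS syslog field reference for your release).
TRAFFIC_FIELDS = {
    "receive_time": 1, "serial": 2, "type": 3, "subtype": 4,
    "src": 7, "dst": 8, "rule": 11, "src_user": 12, "dst_user": 13,
    "app": 14, "vsys": 15, "from_zone": 16, "to_zone": 17,
    "in_if": 18, "out_if": 19, "sport": 24, "dport": 25,
    "proto": 29, "action": 30,
}


@dataclass
class SyslogEvent:
    facility: int
    severity: str
    host: str
    log_type: str
    fields: dict


def parse_panos_syslog(line: str, expected_facility: int = LOCAL6) -> SyslogEvent:
    """Parse one BSD syslog line from a PAN-OS firewall; raise ValueError on a
    malformed header, a facility mismatch, or a too-short TRAFFIC body."""
    m = BSD_HEADER.match(line.strip())
    if not m:
        raise ValueError("not a BSD-format syslog line")
    pri = int(m.group("pri"))
    facility, severity = pri >> 3, pri & 7
    if facility != expected_facility:
        raise ValueError(f"facility {facility} != profile facility {expected_facility}")
    # PAN-OS quotes CSV fields that contain commas, so use a real CSV reader.
    cols = next(csv.reader([m.group("msg")]))
    if len(cols) < 4:
        raise ValueError("PAN-OS CSV body too short")
    log_type = cols[3]
    fields = {}
    if log_type == "TRAFFIC":
        needed = max(TRAFFIC_FIELDS.values()) + 1
        if len(cols) < needed:
            raise ValueError(f"TRAFFIC body has {len(cols)} fields, expected >= {needed}")
        fields = {name: cols[i] for name, i in TRAFFIC_FIELDS.items()}
    return SyslogEvent(facility, SEVERITIES[severity], m.group("host"), log_type, fields)


def summarize(lines, expected_facility: int = LOCAL6) -> dict:
    """Count accepted events per PAN-OS log type and lines rejected by the
    header or facility check: the forwarder-side counterpart of Step 4."""
    accepted: dict = {}
    rejected = 0
    for line in lines:
        try:
            ev = parse_panos_syslog(line, expected_facility)
        except ValueError:
            rejected += 1
            continue
        accepted[ev.log_type] = accepted.get(ev.log_type, 0) + 1
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample: <182> is local6 (22*8) + info (6). Addresses are from
# documentation ranges; every field after TRAFFIC is invented for illustration.
SAMPLE = (
    "<182>Jul  6 16:00:20 contoso.net 1,2023/07/06 16:00:19,007051000142122,TRAFFIC,"
    "end,2560,2023/07/06 16:00:19,10.1.1.25,198.51.100.20,203.0.113.10,198.51.100.20,"
    "Box and Shodan,,,google-base,vsys1,Trust,Untrust,ethernet1/4.1,ethernet1/7,"
    "Chronicle-LFP,,12345,1,51234,443,17890,443,0x40001b,tcp,allow,5632,2210,3422,18,"
    "2023/07/06 15:59:50,29,search-engines,"
)
# Same event tagged <14> (user.info), as in the page's sample: rejected below.
WRONG_FACILITY_SAMPLE = SAMPLE.replace("<182>", "<14>", 1)

if __name__ == "__main__":
    ev = parse_panos_syslog(SAMPLE)
    print(ev.host, ev.log_type, ev.fields["rule"], ev.fields["app"], ev.fields["action"])
    print(summarize([SAMPLE, WRONG_FACILITY_SAMPLE]))
```

Run it against a capture of what the forwarder actually receives (for example a few lines written out by a UDP listener on the collector port) rather than against the firewall's own log viewer: the point is to confirm the header and facility survive the path to the forwarder, and a mismatch usually means the syslog server profile in Step 1 was not the one selected in Step 2.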