Overview
This topic describes the steps to configure syslog forwarding on a Palo Alto Cortex Data Lake instance.
Prerequisites
You need Administrator login credentials.
Configure syslog in Palo Alto Cortex Data Lake
1. Log in to https://apps.paloaltonetworks.com/.
2. Select the Cortex Data Lake instance that you want to configure for syslog forwarding.
3. Select Log Forwarding > Add to add a new Syslog forwarding profile, and fill in the following fields:
   Hostname: a unique name for the profile
   IP Address: the forwarder IP address
   Port: 21673
   Facility: choose the appropriate facility
4. Click Next.
5. Specify the format in which you want to forward your logs:
   FORMAT: JSON
   DELIMITER: specify the delimiter for JSON records.
   FILTERS: click Add to add a new log filter.
6. Select the log type from the drop-down:
   - Threat
   - Traffic
   - Authentication
   - Configuration
7. Click Save.
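The profile above chooses a syslog facility, a JSON format and a record delimiter; what those choices mean on the wire is easiest to see by framing a few events and parsing them back on the receiving side. The following is an added example written for this page, not code from Palo Alto Networks or from the Google Security Operations forwarder: the sample events, the hostname and the exact header layout are constructed assumptions, while the PRI calculation (facility * 8 + severity) follows RFC 5424 and the four log types are the ones the profile can filter on.

```python
import json
import re

# Syslog facility names to numeric codes (RFC 5424, Section 6.2.1).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITY_INFO = 6

# Constructed sample events, one per log type the forwarding profile can select.
SAMPLE_EVENTS = [
    {"log_type": "Traffic", "time": "2024-01-01T00:00:00Z",
     "src": "10.0.0.5", "dst": "192.0.2.10", "action": "allow"},
    {"log_type": "Threat", "time": "2024-01-01T00:00:01Z",
     "src": "10.0.0.5", "dst": "192.0.2.10", "action": "block"},
    {"log_type": "Authentication", "time": "2024-01-01T00:00:02Z",
     "user": "alice", "result": "success"},
    {"log_type": "Configuration", "time": "2024-01-01T00:00:03Z",
     "admin": "bob", "cmd": "commit"},
]


def pri(facility: str, severity: int = SEVERITY_INFO) -> int:
    """RFC 5424 PRI value: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + severity


def frame_event(event: dict, facility: str, hostname: str, delimiter: str) -> str:
    """Render one JSON event as a delimiter-terminated syslog record.
    The header layout here is a hypothetical RFC 5424 style header, not
    Cortex Data Lake's exact output; the JSON body is compact so that a
    newline delimiter can never appear inside a record."""
    header = f"<{pri(facility)}>1 {event['time']} {hostname} cortex - - -"
    return f"{header} {json.dumps(event, separators=(',', ':'))}{delimiter}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_record(line: str) -> dict:
    """Receiver side: recover facility/severity from PRI and parse the JSON body."""
    match = _PRI_RE.match(line)
    if match is None:
        raise ValueError("record has no PRI header")
    prival = int(match.group(1))
    start = line.find("{")  # the header carries no braces, so this is the JSON start
    if start < 0:
        raise ValueError("record has no JSON payload")
    return {"facility": prival // 8, "severity": prival % 8,
            "event": json.loads(line[start:])}


def split_stream(buffer: str, delimiter: str):
    """Split a TCP stream buffer on the delimiter and parse every complete
    record. The trailing fragment that is not yet terminated is returned
    so the caller can prepend it to the next chunk read from the socket."""
    records = []
    while delimiter in buffer:
        line, buffer = buffer.split(delimiter, 1)
        if line:
            records.append(parse_record(line))
    return records, buffer


if __name__ == "__main__":
    stream = "".join(frame_event(e, "local0", "cdl-host", "\n") for e in SAMPLE_EVENTS)
    # Simulate the stream arriving in two TCP reads that cut a record in half.
    cut = len(stream) // 2
    first, rest = split_stream(stream[:cut], "\n")
    second, rest = split_stream(rest + stream[cut:], "\n")
    for rec in first + second:
        print(rec["facility"], rec["severity"], rec["event"]["log_type"])
```

The carry-over in `split_stream` is the part worth copying: TCP gives no record boundaries, so a receiver that parses each read as a whole record will silently drop or corrupt events whenever a read lands mid-record.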
Enable TLS for syslog configurations
You can enable TLS for the Syslog connection to the Google Security Operations forwarder. In the Google Security Operations forwarder configuration file (FORWARDER_NAME.conf), specify the location of your own generated certificate and certificate key as shown in the following example:
certificate "/opt/chronicle/external/certs/client_generated_cert.pem"
certificate_key "/opt/chronicle/external/certs/client_generated_cert.key"
Based on the example shown, modify the Google Security Operations forwarder configuration file (FORWARDER_NAME.conf) as follows:
- syslog:
    common:
      enabled: true
      data_type: PAN_CORTEX_XDR_EVENTS
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:21673
    connection_timeout_sec: 60
    certificate: "/opt/chronicle/external/certs/client_generated_cert.pem"
    certificate_key: "/opt/chronicle/external/certs/client_generated_cert.key"
    minimum_tls_version: "TLSv1_3"
Points to note
- You can configure the TCP buffer size. The default TCP buffer size is 64 KB.
- The default and recommended value for connection_timeout is 60 seconds. The TCP connection gets terminated if the connection is inactive for a specified time.
- The minimum TLS version is checked against the TLS version of the input request. The TLS version of the input request should be greater than the minimum TLS version. The minimum TLS version should be one of the following values: TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3.
You can create a certs directory under the configuration directory and store the certificate files there.
Note: TLS must use TCP for transport, so UDP cannot be configured.
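The points above (a TCP-only listener when TLS is enabled, a positive connection timeout, and a minimum_tls_version drawn from a fixed set of values) are easy to get wrong by hand in the forwarder configuration file, so a pre-deployment check is worth having. The following is an added example written for this page, not code from the Google Security Operations forwarder: it takes the collector block as a Python dict with the same keys as the YAML fragment above, reports configuration problems, and builds a server-side SSLContext whose floor is the configured minimum TLS version. The file-existence check is off by default because the certificate paths are the page's example paths, and the mapping of the version strings onto Python's ssl.TLSVersion is an assumption of this example.

```python
import os
import ssl

# The four values the forwarder accepts for minimum_tls_version, mapped onto
# Python's ssl.TLSVersion so the same floor can be applied to an SSLContext.
ALLOWED_TLS = {
    "TLSv1_0": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}

# Constructed dict mirroring the syslog collector block from the page.
SAMPLE_COLLECTOR = {
    "common": {
        "enabled": True,
        "data_type": "PAN_CORTEX_XDR_EVENTS",
        "data_hint": None,
        "batch_n_seconds": 10,
        "batch_n_bytes": 1048576,
    },
    "tcp_address": "0.0.0.0:21673",
    "connection_timeout_sec": 60,
    "certificate": "/opt/chronicle/external/certs/client_generated_cert.pem",
    "certificate_key": "/opt/chronicle/external/certs/client_generated_cert.key",
    "minimum_tls_version": "TLSv1_3",
}


def _valid_address(addr: str) -> bool:
    host, sep, port = addr.rpartition(":")
    return bool(sep) and bool(host) and port.isdigit() and 1 <= int(port) <= 65535


def check_collector(cfg: dict, check_files: bool = False) -> list:
    """Return a list of problems found in one syslog collector block (empty when OK)."""
    problems = []
    common = cfg.get("common", {})
    if not common.get("enabled"):
        problems.append("common.enabled is not true")
    if not common.get("data_type"):
        problems.append("common.data_type is missing")

    for key in ("tcp_address", "udp_address"):
        if key in cfg and not _valid_address(cfg[key]):
            problems.append(f"{key} is not host:port with a port in 1..65535")

    timeout = cfg.get("connection_timeout_sec", 60)
    if not isinstance(timeout, int) or timeout <= 0:
        problems.append("connection_timeout_sec must be a positive integer")

    # TLS is in play as soon as any TLS key appears; then the transport must be TCP.
    tls_enabled = any(k in cfg for k in ("certificate", "certificate_key", "minimum_tls_version"))
    if tls_enabled:
        if "udp_address" in cfg:
            problems.append("TLS requires TCP transport; udp_address cannot be used")
        if "tcp_address" not in cfg:
            problems.append("TLS requires tcp_address")
        for key in ("certificate", "certificate_key"):
            if key not in cfg:
                problems.append(f"{key} is required when TLS is enabled")
            elif check_files and not os.path.isfile(cfg[key]):
                problems.append(f"{key} file not found: {cfg[key]}")
        version = cfg.get("minimum_tls_version")
        if version is not None and version not in ALLOWED_TLS:
            problems.append(f"minimum_tls_version {version!r} is not one of "
                            + ", ".join(ALLOWED_TLS))
    return problems


def tls_context(cfg: dict, load_keys: bool = False) -> ssl.SSLContext:
    """Server-side context with the configured floor; loading the key pair is
    optional so the floor can be inspected without the certificate files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ALLOWED_TLS[cfg.get("minimum_tls_version", "TLSv1_2")]
    if load_keys:
        ctx.load_cert_chain(cfg["certificate"], cfg["certificate_key"])
    return ctx


if __name__ == "__main__":
    for problem in check_collector(SAMPLE_COLLECTOR) or ["configuration OK"]:
        print(problem)
    print("TLS floor:", tls_context(SAMPLE_COLLECTOR).minimum_version)
```

Run it with `check_files=True` on the host that will run the forwarder so that the certificate and key paths are verified as well; a missing key file otherwise only surfaces when the listener fails to start.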