# SIEMonster Palo Alto integration
On the PAN NGFW, go to Device > Syslog and create two syslog server profiles: one for traffic and one for threats (URLs).
For each profile, set the IP of the syslog server (the external IP of Proteus) and the port and protocol; this example uses 3526/TCP. Use the LOG-LOCAL0 facility for the traffic profile and LOG-LOCAL1 for the threat profile.
Go to the Objects tab, then Log Forwarding. Create a new profile and enable syslog forwarding for Traffic (severity: any) and for Threats (severity: informational).
On the Policies tab, attach the log forwarding profile to the desired policy.
Add a custom policy for the URL syslog profile, using the fields shown in the Threat item.
On the syslog server (Proteus), configure the matching source, destinations, and filters. Edit /etc/syslog-ng/syslog-ng.conf and incorporate the following changes:
```
# Listen on the port/protocol configured in the firewall syslog profiles (3526/TCP above).
source s_netsyslog {
    tcp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(3526));
    udp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(1514));
};
# One file per log type; owned by logstash so the file input can read them.
destination d_netsyslog { file("/var/log/traffic.log" owner("logstash") group("root") perm(0644)); };
destination d_urlsyslog { file("/var/log/urllogs.log" owner("logstash") group("root") perm(0644)); };
# local0 carries traffic logs, local1 carries threat (URL) logs.
filter f_traffic { facility(local0); };
filter f_threat { facility(local1); };
log { source(s_netsyslog); filter(f_traffic); destination(d_netsyslog); };
log { source(s_netsyslog); filter(f_threat); destination(d_urlsyslog); };
```
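The syslog-ng routing above relies entirely on the facility the firewall stamps into the `<PRI>` header of each message (local0 = 16, local1 = 17), so a profile attached to the wrong log type silently puts THREAT records into traffic.log or vice versa. The following script is an added example, not part of the SIEMonster repository: it decodes the PRI header the way syslog-ng's `facility()` filter does, pulls the PAN-OS Type field (the fourth CSV column) out of the message body, and reports where each line would land and whether the facility and log type disagree. The hostname, IPs and log lines are constructed for the example.

```python
import csv
import re
from io import StringIO

# Syslog facility codes (RFC 5424 section 6.2.1): local0 = 16, local1 = 17.
# These are the two facilities the syslog-ng filters on the page route to files.
FACILITY_TO_FILE = {16: "/var/log/traffic.log", 17: "/var/log/urllogs.log"}
# The PAN-OS log type each facility is supposed to carry per the firewall profiles.
EXPECTED_TYPE = {16: "TRAFFIC", 17: "THREAT"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# BSD syslog header: "Mon DD HH:MM:SS hostname " followed by the PAN-OS CSV record.
BSD_HEADER_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(.*)$", re.DOTALL)


def parse_pri(line):
    """Split a syslog line into (facility, severity, remainder) using the <PRI> header."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError("PRI value out of range: %d" % pri)
    return pri >> 3, pri & 7, m.group(2)


def pan_fields(remainder):
    """Strip the BSD syslog header and return the PAN-OS CSV record as a list of fields."""
    m = BSD_HEADER_RE.match(remainder)
    body = m.group(1) if m else remainder
    return next(csv.reader(StringIO(body)))


def route(line):
    """Return (destination file or None, PAN-OS log type, mismatch flag) for one line."""
    facility, _severity, remainder = parse_pri(line)
    dest = FACILITY_TO_FILE.get(facility)  # None means no log{} path matches: dropped
    fields = pan_fields(remainder)
    log_type = fields[3] if len(fields) > 3 else ""
    mismatch = dest is not None and EXPECTED_TYPE[facility] != log_type
    return dest, log_type, mismatch


def check_lines(lines):
    """Count where each line lands and collect facility/type mismatches."""
    summary = {"/var/log/traffic.log": 0, "/var/log/urllogs.log": 0, "dropped": 0}
    mismatches = []
    for line in lines:
        dest, log_type, mismatch = route(line)
        summary[dest or "dropped"] += 1
        if mismatch:
            mismatches.append((dest, log_type))
    return summary, mismatches


# Constructed sample lines (hostname PA-VM, RFC 5737 addresses). PRI 134 = local0.info,
# 142 = local1.info, 150 = local2.info. Only the 4th CSV field (Type) matters here.
SAMPLE_LINES = [
    "<134>Jan  5 10:15:01 PA-VM 1,2016/01/05 10:15:01,001606001116,TRAFFIC,end,1,"
    "2016/01/05 10:15:01,10.0.0.5,198.51.100.20,0.0.0.0,0.0.0.0,allow-web,,,web-browsing",
    "<142>Jan  5 10:15:02 PA-VM 1,2016/01/05 10:15:02,001606001116,THREAT,url,1,"
    "2016/01/05 10:15:02,10.0.0.5,198.51.100.20,0.0.0.0,0.0.0.0,allow-web,,,web-browsing",
    # Threat profile mistakenly configured with LOG-LOCAL0: lands in traffic.log.
    "<134>Jan  5 10:15:03 PA-VM 1,2016/01/05 10:15:03,001606001116,THREAT,url,1,"
    "2016/01/05 10:15:03,10.0.0.7,198.51.100.20,0.0.0.0,0.0.0.0,allow-web,,,web-browsing",
    # Facility local2 matches neither filter: syslog-ng writes it nowhere.
    "<150>Jan  5 10:15:04 PA-VM 1,2016/01/05 10:15:04,001606001116,TRAFFIC,end,1,"
    "2016/01/05 10:15:04,10.0.0.9,198.51.100.20,0.0.0.0,0.0.0.0,allow-web,,,web-browsing",
]

if __name__ == "__main__":
    summary, mismatches = check_lines(SAMPLE_LINES)
    print("destination counts:", summary)
    print("facility/type mismatches:", mismatches)
```

Run it against a capture of what the firewall actually sends (for example a few lines taken from traffic.log and urllogs.log after the profiles are in place); a non-empty mismatch list or a non-zero "dropped" count points at a profile whose facility does not match the log type it forwards.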
Prepare the Elasticsearch index templates (mappings):
```
curl -XPUT localhost:9200/_template/pan-traffic -d@pan-traffic-mappings.json
curl -XPUT localhost:9200/_template/pan-url -d@pan-url-mappings.json
```
Logstash inputs can be configured as follows:
```
input {
  file {
    path => ["/var/log/traffic.log"]
    type => "traffic"
    tags => ["paloalto"]
  }
  file {
    path => ["/var/log/urllogs.log"]
    type => "url"
    tags => ["paloalto"]
  }
}
```
The Logstash filter 25-paloalto-filter.conf can be downloaded from this repository and copied to /etc/logstash/conf.d/ on Proteus.
Logstash outputs can be configured as follows (the original snippet was missing the closing brace of the output block):
```
output {
  if [type] == "traffic" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "pan-traffic-%{+YYYY.MM.dd}"
    }
  }
  else if [type] == "url" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "pan-url-%{+YYYY.MM.dd}"
    }
  }
}
```
Register each index pattern in Kibana: pan-traffic-* and pan-url-*.