
# SIEMonster paloalto integration

Based on PAN-OS 7.1.0.

On the PAN NGFW, go to Device > Server Profiles > Syslog and create two syslog server profiles: one for traffic logs and one for threat logs (which is where URL filtering events land).

pa-device

In each profile set the syslog server to the external IP of Proteus, and set the port and protocol; this example uses 3526 over TCP (TCP so that log lines are not silently dropped under load, and the port must match the listener you add to syslog-ng below). Use the LOG-LOCAL0 facility in the traffic profile and LOG-LOCAL1 in the threat profile: the facility is the only thing syslog-ng will use to tell the two streams apart.

pa-log0

pa-log1

Go to Objects > Log Forwarding and create a new profile. Enable syslog forwarding for Traffic at severity "any" (pointing at the traffic syslog profile) and for Threat at severity "informational" (pointing at the threat syslog profile); URL filtering events are logged as informational threats, so a higher threshold would drop them.

pa-objects

On the Policies tab, edit each security rule whose traffic should be collected and attach the log forwarding profile under its Actions settings. Rules without the profile will not forward anything, regardless of the syslog profiles.

pa-policy

In the threat (URL) syslog server profile, open the Custom Log Format tab and define a custom format for the Threat log type using the fields shown in the screenshot below, so that the forwarded lines match what the Logstash filter expects.

pa-custom

On the syslog server (Proteus), configure the matching source, destinations and filters. Edit /etc/syslog-ng/syslog-ng.conf and incorporate the following changes. Note that the filters match on facility alone, so any other device that logs to local0 or local1 on one of these ports will be mixed into the same files; add a host() filter alongside the facility if that is a concern.

# Listen for the firewall on 3526/TCP (as set in the syslog server profiles)
# and for other devices on the standard syslog ports.
source s_netsyslog {
       tcp(ip(0.0.0.0) port(514));
       tcp(ip(0.0.0.0) port(3526));
       udp(ip(0.0.0.0) port(514));
       udp(ip(0.0.0.0) port(1514));
};

# Files are owned by the logstash user so the Logstash file input can read them.
destination d_netsyslog { file("/var/log/traffic.log" owner("logstash") group("root") perm(0644)); };
destination d_urlsyslog { file("/var/log/urllogs.log" owner("logstash") group("root") perm(0644)); };

# Route on the facility chosen in the two PAN-OS syslog server profiles:
# LOG-LOCAL0 (traffic) and LOG-LOCAL1 (threats / URLs).
filter f_traffic { facility(local0); };
filter f_threat { facility(local1); };

log { source(s_netsyslog); filter(f_traffic); destination(d_netsyslog); };
log { source(s_netsyslog); filter(f_threat); destination(d_urlsyslog); };
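To check that the facility convention above actually lands messages in the right file before touching Logstash, it helps to build the same kind of RFC 3164 lines the two syslog server profiles will emit and run them through the same facility test that syslog-ng applies. The following is an added example, not code from the SIEMonster repository or from Palo Alto Networks: the host name, timestamp and message bodies are constructed placeholders (the bodies are not the real PAN-OS field layout), the collector address is an assumption, and `route()` only mirrors the two filters in the syslog-ng fragment above.

```python
"""Build PAN-OS style RFC 3164 syslog lines and check the facility routing.

Added example for the SIEMonster paloalto integration page; it is not part
of the project. The firewall encodes facility and severity in the <PRI>
prefix as facility * 8 + severity. The syslog-ng filters above only look at
the facility: local0 (16) -> traffic.log, local1 (17) -> urllogs.log.
"""
import re
import socket

# Numeric values from RFC 3164, section 4.1.1.
FACILITIES = {"local0": 16, "local1": 17}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Mirror of the two syslog-ng filter/destination pairs on this page.
ROUTES = {FACILITIES["local0"]: "/var/log/traffic.log",
          FACILITIES["local1"]: "/var/log/urllogs.log"}

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def pri(facility, severity):
    """PRI value a syslog sender puts in front of a message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, body,
                  timestamp="Jun  1 12:00:00"):
    """One BSD-syslog line, newline-terminated for the TCP listener."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {body}\n"


def decode_pri(line):
    """Return (facility, severity) from a line's <PRI> prefix."""
    match = _PRI_RE.match(line)
    if match is None:
        raise ValueError("no <PRI> prefix: %r" % line[:20])
    value = int(match.group(1))
    if value > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % value)
    return value // 8, value % 8


def route(line):
    """File syslog-ng would write this line to, or None if both filters reject it."""
    facility, _severity = decode_pri(line)
    return ROUTES.get(facility)


def sample_messages():
    """Constructed test lines, one per profile, plus one that matches neither filter."""
    return [
        # traffic profile: LOG-LOCAL0, any severity
        build_message("local0", "info", "pa-fw", "1,TRAFFIC,end,constructed traffic body"),
        # threat profile: LOG-LOCAL1, informational (URL filtering)
        build_message("local1", "info", "pa-fw", "1,THREAT,url,constructed url body"),
        # something else on the same listener (local7.notice): dropped by both filters
        build_message("local0", "notice", "other-host", "noise").replace("<133>", "<189>"),
    ]


def send(lines, host="proteus.example", port=3526):
    """Ship the lines to the syslog-ng TCP listener configured above (assumed host)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall("".join(lines).encode("utf-8"))


if __name__ == "__main__":
    for line in sample_messages():
        print(route(line), line.rstrip())
    # send(sample_messages())  # uncomment once Proteus is reachable
```

After sending, `tail -f /var/log/traffic.log /var/log/urllogs.log` on Proteus should show the first line in traffic.log, the second in urllogs.log and the third in neither; if everything lands in one file, the facility in one of the PAN-OS syslog server profiles is wrong.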

Load the Elasticsearch index templates from the two mapping files. A template only applies to indices created after it is installed, so do this before Logstash writes its first pan-* index:

curl -XPUT localhost:9200/_template/pan-traffic -d@pan-traffic-mappings.json
curl -XPUT localhost:9200/_template/pan-url -d@pan-url-mappings.json

Logstash inputs can be configured as follows. The type set here is what the output section below switches on, and the paloalto tag is what the filter matches:

input {
    # Traffic logs written by syslog-ng (facility local0)
    file {
        path => ["/var/log/traffic.log"]
        type => "traffic"
        tags => ["paloalto"]
    }
    # Threat / URL logs written by syslog-ng (facility local1)
    file {
        path => ["/var/log/urllogs.log"]
        type => "url"
        tags => ["paloalto"]
    }
}

The Logstash filter 25-paloalto-filter.conf can be downloaded from this repository and copied to /etc/logstash/conf.d/ on Proteus.

Logstash outputs can be configured as follows. Each type goes to its own daily index so that the two templates loaded above apply to the right documents:

output {
    if [type] == "traffic" {
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "pan-traffic-%{+YYYY.MM.dd}"
        }
    }
    else if [type] == "url" {
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "pan-url-%{+YYYY.MM.dd}"
        }
    }
}

Finally, register an index pattern in Kibana for each index: pan-traffic-* and pan-url-*.

pa-index