Oct 24 2019 04:09 PM - edited Oct 24 2019 04:18 PM
Hello, hoping someone can help me with what appears to be incorrect Regex syntax in a configuration file.
I'm trying to connect our Palo Alto logs to Sentinel and I've followed all of the instructions here:
I am receiving syslogs through rsyslog, and the OMS Agent is also receiving logs, however the OMS agent log file shows this:
Oct 28 2019 12:04 PM
Nov 13 2019 01:48 PM - edited Nov 13 2019 01:49 PM
The CEF format we support follows this format:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
It's important to use the right template from the Palo Alto PDF listed in the Palo Alto Connector page.
Here is an example for Palo Alto version 8.0:
Nov 14 2019 08:13 AM
@Roger_Fleming I'm using the CEF format from the PDF, and I've fixed the issues with copying and pasting into a text editor, but I'm only getting maybe 10% of the log into Sentinel, almost none of the pertinent key value pairs make it. Looking at the rsyslog server, they are hitting that box with maybe one line and almost nothing else. Can't figure out what step might have been missed but it seemed all pretty straight forward in the documentation.
Nov 14 2019 08:30 AM
Make sure you are using the correct version of the product. If you could run the following command, it will provide the data being received by the syslog daemon and the omsagent:
tcpdump -A -ni any port 514 -vvv -s 0
The output should look like this:
TCEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|tcp-high-ports|Unknown|act=Drop deviceDirection=0 rt=1573748935000 spt=46783 dpt=42627 cs2Label=Rule Name layer_name=Network layer_uuid=edf46e83-f10b-4fbc-93e9-fab40887b8d1 match_id=3 parent_rule=0 rule_action=Drop rule_uid=3f994325-9c52-4b18-ba44-307ad4929fb2 ifname=eth0 logid=0 loguid={0x5dcd80c9,0x1,0x501a8c0,0x1737aca9} origin=192.168.1.5 originsicname=cn\=cp_mgmt,o\=FlemingGW..y76ath sequencenum=2 version=5 dst=192.168.1.5 inzone=External outzone=Local product=VPN-1 & FireWall-1 proto=6 service_id=tcp-high-ports src=89.248.168.222
Then run:
tcpdump -A -ni any port 25226 -vvv -s 0
The output should look the same.
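Added example, not part of any post in this thread: a small Python checker for the two things discussed above, the seven-field CEF header format Roger quotes and the sanity check of the lines tcpdump shows on port 514 and 25226. It parses a line into header and extension (honouring the CEF `\|` and `\=` escapes, which the `originsicname=cn\=cp_mgmt,...` field in the sample relies on), tolerates a syslog prefix in front of `CEF:`, and reports the malformations a connector would reject, such as a header with fewer than seven fields. The sample line is constructed after the Check Point example in the thread, not a real capture, and the function names are my own.

```python
"""Parse and sanity-check CEF lines of the form
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Example code added to the thread; the sample below is constructed, not a real capture."""
import re

# Constructed sample modelled on the Check Point line posted above (not real traffic).
SAMPLE = (
    "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|tcp-high-ports|Unknown|"
    "act=Drop deviceDirection=0 rt=1573748935000 spt=46783 dpt=42627 cs2Label=Rule Name "
    "originsicname=cn\\=cp_mgmt,o\\=FlemingGW..y76ath src=89.248.168.222 dst=192.168.1.5"
)

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# A key is a run of key characters at the start of the extension or after whitespace,
# followed by an unescaped '='. "cn\=cp_mgmt" does not match because '\' precedes '='.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.-]+)=")


def split_header(line):
    """Split the seven pipe-delimited header fields, honouring the CEF '\\|' escape.
    Returns (list_of_7_fields, extension_string)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body = line[4:]
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])      # escaped pipe or backslash inside a header field
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))  # field boundary
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has %d fields, expected 7" % len(fields))
    return fields, body[i:]


def unescape_value(value):
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r' -> newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Turn the extension into a dict. Values run up to the next 'key=' token, so
    values containing spaces (cs2Label=Rule Name) survive intact."""
    pairs = {}
    matches = list(KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = unescape_value(ext[start:end].strip())
    return pairs


def parse_cef(raw):
    """Parse a raw line as seen in tcpdump output. Anything before 'CEF:' (a syslog
    PRI/timestamp/hostname prefix, or tcpdump's own bytes) is skipped.
    Returns {'header': {...}, 'extension': {...}} or None if there is no CEF payload."""
    pos = raw.find("CEF:")
    if pos < 0:
        return None
    header, ext = split_header(raw[pos:].rstrip("\r\n"))
    return {"header": dict(zip(HEADER_FIELDS, header)), "extension": parse_extension(ext)}


def check_cef(raw):
    """Return a list of problems a CEF connector would trip over; [] means the line looks sane."""
    pos = raw.find("CEF:")
    if pos < 0:
        return ["no 'CEF:' prefix found"]
    try:
        header, ext = split_header(raw[pos:].rstrip("\r\n"))
    except ValueError as e:
        return [str(e)]
    problems = []
    if header[0] != "0":
        problems.append("unexpected CEF version %r" % header[0])
    if not parse_extension(ext):
        problems.append("extension carries no key=value pairs")
    return problems


if __name__ == "__main__":
    # Run the checker over captured lines, e.g.: tcpdump -A -ni any port 514 -l | python3 cef_check.py
    import sys
    for line in sys.stdin if not sys.stdin.isatty() else [SAMPLE]:
        if "CEF:" in line:
            print(check_cef(line) or "OK", "-", parse_cef(line)["extension"].get("src"))
```

Pipe the two tcpdump captures (port 514 and port 25226) through the script one after the other; a line that parses cleanly on 514 but reports "CEF header has N fields" or "no 'CEF:' prefix found" on 25226 points at the rsyslog forwarding template, which is the stage between the two ports.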