Security

I have my Palo Alto firewall sending threat logs to ClearPass, but they aren't being recognized by the ingress dictionaries. I've tried the ones posted here, but they did not help.

I figured this out, you need a custom log format set in PAN-OS.

action="$action",actionflags="$actionflags",app="$app",category="$category",cef-formatted-receive_time="$cef-formatted-receive_time",cef-formatted-time_generated="$cef-formatted-time_generated",contenttype="$contenttype",direction="$direction",dport="$dport",dst="$dst",dstloc="$dstloc",dstuser="$dstuser",flags="$flags",from="$from",inbound_if="$inbound_if",logset="$logset",misc="$misc",natdport="$natdport",natdst="$natdst",natsport="$natsport",natsrc="$natsrc",number-of-severity="$number-of-severity",outbound_if="$outbound_if",proto="$proto",receive_time="$receive_time",repeatcnt="$repeatcnt",rule="$rule",seqno="$seqno",serial="$serial",sessionid="$sessionid",severity="$severity",sport="$sport",src="$src",srcloc="$srcloc",srcuser="$srcuser",subtype="$subtype",threatid="$threatid",time_generated="$time_generated",time_received="$time_received",to="$to",type="$type",vsys="$vsys"

Hi,

Im trying to do the integration with Palo Alto as well using the IEE Threat. I followed your syslog format in Palo Alto. However, CPPM v.6.9.11 still cannot parse the logs. I tried everything already from the Integration guide up to the discussion forums. Is somebody at this point perfected it?

action="$action",actionflags="$actionflags",app="$app",category="$category",cef-formatted-receive_time="$cef-formatted-receive_time",cef-formatted-time_generated="$cef-formatted-time_generated",contenttype="$contenttype",direction="$direction",dport="$dport",dst="$dst",dstloc="$dstloc",dstuser="$dstuser",flags="$flags",from="$from",inbound_if="$inbound_if",logset="$logset",misc="$misc",natdport="$natdport",natdst="$natdst",natsport="$natsport",natsrc="$natsrc",number-of-severity="$number-of-severity",outbound_if="$outbound_if",proto="$proto",receive_time="$receive_time",repeatcnt="$repeatcnt",rule="$rule",seqno="$seqno",serial="$serial",sessionid="$sessionid",severity="$severity",sport="$sport",src="$src",srcloc="$srcloc",srcuser="$srcuser",subtype="$subtype",threatid="$threatid",time_generated="$time_generated",time_received="$time_received",to="$to",type="$type",vsys="$vsys"