PanOS

Prerequisites

The PAN-OS sources must be configured properly in order for these rules to work.

Configure the device to include its IP address in the header of Syslog messages

1. Select Panorama/Device > Setup > Management
2. Click the Edit icon in the Logging and Reporting Settings section and navigate to the Log Export and Reporting tab.
3. In the Syslog HOSTNAME Format drop-down select ipv4-address, then click OK.
4. Select Server Profiles > Syslog click Add
5. Enter a server profile Name and Location (location refers to a virtual system, if the device is enabled for virtual systems).
6. In the Servers tab, click Add and enter a Name, IP address (Syslog Server field), Transport, Port (default 514 for UDP), and Facility (default LOG_USER) for the Syslog server.

7. Select the Custom Log Format tab and select Threat, then paste the following values in the Custom Log Format area:

   PaloAlto_Threat type="$type" src="$src" dst="$dst" rule="$rule" srcuser="$srcuser" sessionid="$sessionid" action="$action" misc="$misc" dstloc="$dstloc" referer="$referer" http_method="$http_method" http_headers="$http_headers"
   

8. Select the Custom Log Format tab and select Traffic, then paste the following values in the Custom Log Format area:

   PaloAlto_Traffic type="$type" src="$src" dst="$dst" natsrc="$natsrc" natdst="$natdst" rule="$rule" srcuser="$srcuser" from="$from" to="$to" sessionid="$sessionid" sport="$sport" dport="$dport" natsport="$natsport" natdport="$natdport" proto="$proto" action="$action" bytes="$bytes" packets="$packets" dstloc="$dstloc" action_source="$action_source"
   

9. Save and commit your changes.