Palo Alto syslogs not coming in #14261
-
|
I am currently running version 2.4.111 in standalone mode. For the life of me, I can't get security onion to see my Palo Alto, I have syslog ports set on both devices with the default ports. I have tried udp and tcp connections. Also tried the integration, but can't seem to get that to work either. I set all syslog forwarding and policies set in my Palo Alto to go to security onion. But nothing. I have tried googling for the pass 3 days. I can't find anything I could help. I'm hoping this community can help me in the right direction. I'm sure its something simple that I am missing. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
|
Did you allow the syslog traffic through Security Onion's firewall? |
Beta Was this translation helpful? Give feedback.
-
|
Sorry for just seeing this. I did allow it in. And just got it working. Not sure what was going on before. I did a fresh install and finally got it working today. When looking at the syslogs, it's not showing the source and denotation IPS from the logs. So i'm not sure any alerts will go off or if there is something additional I have to add to something. I am new to Security Onion. |
Beta Was this translation helpful? Give feedback.
-
|
If you're just sending standard syslog, then it may not be parsed correctly. If you use the Palo Alto integration, then it should be parsed more correctly. For more information, please see: |
Beta Was this translation helpful? Give feedback.
-
|
I did try this link: https://www.elastic.co/guide/en/integrations/current/panw.html. And when I set the custom log syslog. Seems like nothing changes in security onion when it phrases it. |
Beta Was this translation helpful? Give feedback.
-
|
I was able to resolve the issue. I found a very helpful video from your team that wasn't included in the two links you provided. Although the video was for pfSense, I was able to use the SO portion to fill in the gaps. Here is the YouTube Video https://www.youtube.com/watch?v=aoH8qZwAxek |
Beta Was this translation helpful? Give feedback.
-
|
I'm glad you were able to resolve the issue. https://docs.securityonion.net/en/2.4/third-party-integrations.html#adding-an-integration does include the following statement:
I'll add the following to that statement to help others find it:
|
Beta Was this translation helpful? Give feedback.
I was able to resolve the issue. I found a very helpful video from your team that wasn't included in the two links you provided. Although the video was for pfSense, I was able to use the SO portion to fill in the gaps. Here is the YouTube Video https://www.youtube.com/watch?v=aoH8qZwAxek