
# SIEMonster paloalto integration

Based on PAN OS 7.1.0

On the PAN NGFW, go to Device > Syslog and create two syslog server profiles: one for traffic logs and one for threat (URL) logs.

(screenshot: pa-device)

In each profile set the IP of the syslog server (the external IP of Proteus) and the port and protocol; in this example 3526/TCP. Use the LOG-LOCAL0 facility for traffic and LOG-LOCAL1 for threats, because the syslog-ng configuration below splits the two streams on facility.

(screenshot: pa-log0)

(screenshot: pa-log1)

Go to the Objects tab, then Log Forwarding. Create a new profile and enable syslog forwarding for Traffic (severity "any") and for Threats (the "information" severity setting), pointing each at the matching syslog profile created above.

(screenshot: pa-objects)

On the Policies tab add the log forwarding profile to the desired policy.

(screenshot: pa-policy)

In the URL (threat) syslog profile, add a custom log format using the fields shown in the Threat item.

(screenshot: pa-custom)

On the syslog server (Proteus), configure the matching source, destinations and filters. Edit /etc/syslog-ng/syslog-ng.conf and incorporate the following changes:

```
source s_netsyslog {
       tcp(ip(0.0.0.0) port(514));
       tcp(ip(0.0.0.0) port(3526));
       udp(ip(0.0.0.0) port(514));
       udp(ip(0.0.0.0) port(1514));
};

destination d_netsyslog { file("/var/log/traffic.log" owner("logstash") group("root") perm(0644)); };
destination d_urlsyslog { file("/var/log/urllogs.log" owner("logstash") group("root") perm(0644)); };

filter f_traffic { facility(local0); };
filter f_threat { facility(local1); };

log { source(s_netsyslog); filter(f_traffic); destination(d_netsyslog); };
log { source(s_netsyslog); filter(f_threat); destination(d_urlsyslog); };
```
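To check that the facility split above actually lands each stream in the right file before Logstash is involved, the following added example (editor's code, not part of the SIEMonster repository) decodes the `<PRI>` prefix of a syslog line exactly as syslog-ng does (facility = PRI div 8, severity = PRI mod 8) and returns the destination the two `log {}` statements would pick. The sample lines are constructed, the firewall hostname `pa-fw` is an assumption, and `send_test_line` is a helper for pushing a line at port 3526 on Proteus by hand.

```python
import re
import socket

# RFC 5424 facility numbers for the two facilities configured on the firewall.
FACILITY_NAMES = {16: "local0", 17: "local1"}

# Mirrors the syslog-ng filters on Proteus: local0 -> traffic.log, local1 -> urllogs.log.
# Any other facility matches neither log statement, so those lines are not written.
FACILITY_DESTINATIONS = {
    "local0": "/var/log/traffic.log",
    "local1": "/var/log/urllogs.log",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_name, severity) from the leading <PRI>, or (None, None) if absent/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None, None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        return None, None
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, "facility%d" % facility), severity


def route(line):
    """Return the file syslog-ng would write this line to, or None if no log path matches."""
    facility, _ = decode_pri(line)
    return FACILITY_DESTINATIONS.get(facility)


def send_test_line(line, host="127.0.0.1", port=3526):
    """Push one line over TCP the way the firewall's syslog profile does (manual verification only)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode() + b"\n")


# Constructed sample lines, not real firewall output.
# PRI 134 = local0 (16*8) + informational (6); PRI 142 = local1 (17*8) + 6; PRI 14 = user facility.
SAMPLE_TRAFFIC = "<134>Mar 15 10:00:00 pa-fw 1,2017/03/15 10:00:00,001701000000,TRAFFIC,end,..."
SAMPLE_THREAT = "<142>Mar 15 10:00:01 pa-fw 1,2017/03/15 10:00:01,001701000000,THREAT,url,..."
SAMPLE_OTHER = "<14>Mar 15 10:00:02 pa-fw a line from the user facility"

if __name__ == "__main__":
    for sample in (SAMPLE_TRAFFIC, SAMPLE_THREAT, SAMPLE_OTHER):
        print(decode_pri(sample), "->", route(sample))
```

Running the block prints the decoded facility and the destination file for each sample; a line on any facility other than local0/local1 routes nowhere, which is the first thing to check when a profile on the firewall is left on the default facility.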

Prepare the Elasticsearch index templates. The mapping file names were lost in extraction of this page; `<traffic-mapping>.json` and `<url-mapping>.json` below are placeholders for the two mapping files shipped with the repository:

```
curl -XPUT localhost:9200/_template/pan-traffic -d @<traffic-mapping>.json
curl -XPUT localhost:9200/_template/pan-url -d @<url-mapping>.json
```

Logstash inputs can be configured as follows:

```
input {
  file {
    path => ["/var/log/traffic.log"]
    type => "traffic"
    tags => ["paloalto"]
  }
  file {
    path => ["/var/log/urllogs.log"]
    type => "url"
    tags => ["paloalto"]
  }
}
```

The logstash filter 25-paloalto-filter.conf can be downloaded from this repository and copied to /etc/logstash/conf.d/ on Proteus.

Logstash outputs can be configured as follows (the `type` set by each file input selects the index):

```
output {
  if [type] == "traffic" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "pan-traffic-%{+YYYY.MM.dd}"
    }
  }
  else if [type] == "url" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "pan-url-%{+YYYY.MM.dd}"
    }
  }
}
```
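The repository's 25-paloalto-filter.conf is not reproduced on this page, so the following added example (editor's code, not the project's filter) shows what the parsing stage has to do with a line read from /var/log/traffic.log: strip the syslog header that syslog-ng wrote, split the PAN-OS CSV payload, pick the fields by position, and derive the daily index name the output stanza above would use. The field positions follow the PAN-OS 7.1 traffic log syslog format as the editor reads it and are an assumption to verify against the firewall's own documentation; the sample payload and the hostname `pa-fw` are constructed.

```python
import csv
import re
from datetime import datetime
from io import StringIO

# 1-based CSV field positions for a PAN-OS 7.1 TRAFFIC log (assumed from the vendor format;
# this is not the repository's 25-paloalto-filter.conf).
TRAFFIC_FIELDS = {
    4: "type", 5: "subtype", 7: "generated_time", 8: "src", 9: "dst",
    12: "rule", 15: "app", 25: "sport", 26: "dport", 30: "proto",
    31: "action", 32: "bytes", 38: "category",
}
INT_FIELDS = {"sport", "dport", "bytes"}
MIN_FIELDS = max(TRAFFIC_FIELDS)

# syslog-ng's default file template writes "Mon DD HH:MM:SS host payload"; the <PRI> is
# optional so the same code also accepts a line captured straight off the wire.
HEADER_RE = re.compile(r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(.*)$")


def strip_syslog_header(line):
    """Return the firewall's CSV payload, or raise ValueError if the syslog header is missing."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    return m.group(1)


def parse_pan_traffic(line):
    """Parse one traffic.log line into a dict of the fields worth indexing."""
    payload = strip_syslog_header(line)
    # csv handles PAN-OS quoting of fields that contain commas (for example URLs in threat logs).
    row = next(csv.reader(StringIO(payload)))
    if len(row) < MIN_FIELDS:
        raise ValueError("truncated record: %d fields" % len(row))
    if row[3] != "TRAFFIC":
        raise ValueError("not a TRAFFIC record: %s" % row[3])
    event = {name: row[pos - 1] for pos, name in TRAFFIC_FIELDS.items()}
    for name in INT_FIELDS:
        event[name] = int(event[name])
    return event


def index_name(logstash_type, generated_time):
    """Daily index as the output stanza builds it, assuming the filter sets @timestamp
    from the firewall's generated time rather than from ingestion time."""
    ts = datetime.strptime(generated_time, "%Y/%m/%d %H:%M:%S")
    return "pan-%s-%s" % (logstash_type, ts.strftime("%Y.%m.%d"))


# Constructed 38-field TRAFFIC payload (documentation addresses, not real traffic).
_PAYLOAD_FIELDS = [
    "1", "2017/03/15 10:00:00", "001701000000", "TRAFFIC", "end",        # 1-5
    "1", "2017/03/15 10:00:00", "192.0.2.10", "198.51.100.20",           # 6-9
    "203.0.113.5", "198.51.100.20", "allow-web", "", "",                 # 10-14
    "web-browsing", "vsys1", "trust", "untrust", "ethernet1/2",          # 15-19
    "ethernet1/1", "to-siem", "2017/03/15 10:00:00", "12345", "1",       # 20-24
    "51234", "443", "10874", "443", "0x400000",                          # 25-29
    "tcp", "allow", "8421", "1290", "7131",                              # 30-34
    "24", "2017/03/15 09:59:30", "30", "computer-and-internet-info",     # 35-38
]
SAMPLE_LINE = "Mar 15 10:00:00 pa-fw " + ",".join(_PAYLOAD_FIELDS)

if __name__ == "__main__":
    event = parse_pan_traffic(SAMPLE_LINE)
    print(event)
    print(index_name("traffic", event["generated_time"]))
```

Two checks the function enforces are worth keeping in any real filter: a short record (the firewall truncating or a line split mid-write) is rejected instead of silently indexing shifted fields, and a THREAT record that arrives in traffic.log, which would mean the facility assignment on the firewall is wrong, is rejected rather than parsed with the traffic field map.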

Register both index patterns in Kibana: pan-traffic-* and pan-url-*.

(screenshot: pa-index)
