Forum Discussion
HA13029
May 31, 2024, Brass Contributor
Palo Alto Global Protect Logs Missing Most information
Hi all, I've integrated Palo Firewall with MS Sentinel. For most log types (Traffic, Threat, System), everything is working fine. But for the GlobalProtect log type, it's missing almost all valuable...
HA13029
Jun 30, 2024, Brass Contributor
Hi,
No chance to get an answer....
What I can say is the traffic is correctly parsed by another log solution (Wazuh).
It would be nice to get parsed correctly by Sentinel too...
Regards,
HA
techjunk
Jul 24, 2024, Brass Contributor
HA13029
Take a look at this:
https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m-p/378425
Looks like the GP CEF format needs a dummy field to have the required 7.
Stumbled across the info here:
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Data%20Connectors/readme.md
"Modify the default CEF header format to make sure we always have 7 fields in CEF header as Sentinel log analytics agent can only parse fixed header (7 fields in header). For example, log types “Global Protect” have only 6 fields, and SCTP only have 5 fields in the default configuration. We can introduce dummy fields to make sure we have 7 fields"
Haven't made the change on our side yet, so can't confirm this is the smoking gun, but it looks promising.
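As an added example (not code from the thread, Microsoft or Palo Alto Networks), this Python script counts the CEF header fields on a syslog line the way the 7-field requirement above describes, and shows what the dummy "|1|" field does: the 6-field line is flagged as short, the 7-field line parses through to its extension. The sample lines, including the vendor/product/version strings and extension keys, are constructed, not real PAN-OS output.

```python
import re
CEF_HEADER_FIELDS = 7  # Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity
_EXT_START = re.compile(r"^[A-Za-z0-9_.]+=")       # extension opens with key=
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")  # next pair starts at ' key='

def split_header(line: str) -> list[str]:
    """Split on unescaped '|' into up to 7 header fields plus the extension;
    the CEF escapes '\\|' and '\\\\' stay verbatim inside a field."""
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < CEF_HEADER_FIELDS:
        if line[i] == "\\" and i + 1 < len(line):
            buf.append(line[i:i + 2]); i += 2; continue
        if line[i] == "|":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(line[i])
        i += 1
    parts.append("".join(buf) + line[i:])
    return parts

def parse_extension(ext: str) -> dict[str, str]:
    """Parse 'k=v k2=v2 ...'; values may contain spaces, '\\=' is an escaped '='."""
    out = {}
    for tok in _EXT_SPLIT.split(ext):
        key, _, val = tok.partition("=")
        out[key] = val.replace("\\=", "=")
    return out

def check_cef(line: str) -> dict:
    """Count header fields before the first key=value token; parse the extension only if all 7 exist."""
    parts = split_header(line)
    ext_at = next((n for n, p in enumerate(parts) if _EXT_START.match(p)), -1)
    if not parts[0].startswith("CEF:") or ext_at != CEF_HEADER_FIELDS:
        return {"ok": False, "header_fields": ext_at,  # 6: GlobalProtect-style; -1: no extension
                "reason": f"{ext_at} header fields before extension, expected {CEF_HEADER_FIELDS}"}
    return {"ok": True, "header_fields": CEF_HEADER_FIELDS,
            "extension": parse_extension(parts[CEF_HEADER_FIELDS])}

def add_dummy_severity(line: str) -> str:
    """Insert '1' as the 7th (Severity) field of a 6-field line, i.e. what the '|1|' change emits."""
    if check_cef(line)["ok"]:
        return line
    parts = split_header(line)
    return "|".join(parts[:6] + ["1"] + parts[6:])

# Constructed sample lines (not real PAN-OS output): a 6-field header, then the same event with "|1|".
GP_SHORT = ("CEF:0|Palo Alto Networks|PAN-OS|11.0|globalprotect|GLOBALPROTECT|"
            "rt=Jul 25 2024 10:15:00 suser=alice src=198.51.100.7 cs1=login")
GP_FIXED = ("CEF:0|Palo Alto Networks|PAN-OS|11.0|globalprotect|GLOBALPROTECT|1|"
            "rt=Jul 25 2024 10:15:00 suser=alice src=198.51.100.7 cs1=login")
```

Running check_cef over a sample of what the firewall actually sends is a quick way to confirm the syslog format change took effect before looking for the events in Sentinel.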
HA13029
Jul 25, 2024, Brass Contributor
Hi,
Many thanks for your help !!
I can get the GP logs now !!
As mentioned in the following document, https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m-p/378425, the key is to add the "|1|" in the CEF format !!
Thanks again for your help !!
Regards,
HA