Palo Alto Networks TCP (PAN-OS v11+) Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

The Palo Alto Networks input allows Graylog to receive SYSTEM, THREAT, and TRAFFIC logs directly from a Palo Alto device or the Palo Alto Panorama system. On the device side, a standard Syslog output is used: logs are sent with a typical syslog header followed by a comma-separated list of fields.

The PAN-OS 11 input automatically detects whether the ingested data is from version 11.0 or later and processes the log data using either processing pipelines or Illuminate content. This input does not fully parse the entire message schema; instead, it extracts key fields such as event_source_product and vendor_subtype, which are added to the message.
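To make the framing concrete, here is an added example (not Graylog's or Palo Alto's code) that splits a TCP stream into messages the way the input's delimiter option does (newline by default, NUL when "Null frame delimiter?" is checked), then pulls the syslog header and the PAN-OS type/subtype columns out of each message. The syslog header layout, the CSV column positions (Type at index 3, Subtype at index 4), the sample frames and the field values assigned to event_source_product and vendor_subtype are all assumptions made for this example; the page does not state what Illuminate actually populates.

```python
import csv
import re

# RFC 3164-style syslog header as a Palo Alto device emits it (assumed layout):
# "<PRI>Mon DD HH:MM:SS hostname " followed by the comma-separated PAN-OS fields.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$"
)

# Positions of the Type and Subtype columns in the PAN-OS CSV payload
# (assumed: 0 = FUTURE_USE, 1 = Receive Time, 2 = Serial Number, 3 = Type, 4 = Subtype).
TYPE_INDEX, SUBTYPE_INDEX = 3, 4
KNOWN_TYPES = {"SYSTEM", "THREAT", "TRAFFIC"}

# Constructed sample: two newline-delimited frames as they would arrive on the TCP input.
SAMPLE_STREAM = (
    b"<14>Jan 12 10:15:30 pa-fw-01 1,2024/01/12 10:15:30,001234567890,TRAFFIC,end,2561,2024/01/12 10:15:30,10.1.1.5,203.0.113.9\n"
    b'<14>Jan 12 10:15:32 pa-fw-01 1,2024/01/12 10:15:32,001234567890,SYSTEM,general,0,2024/01/12 10:15:32,,,"Connection to Panorama, restored"\n'
)


def split_frames(raw: bytes, null_delimited: bool = False) -> list[str]:
    """Split a TCP byte stream into messages: newline by default, NUL if the option is set."""
    delimiter = b"\x00" if null_delimited else b"\n"
    return [f.decode("utf-8", "replace") for f in raw.split(delimiter) if f.strip()]


def parse_panos_message(frame: str) -> dict:
    """Extract the syslog header plus the key PAN-OS fields from one frame."""
    m = SYSLOG_HEADER.match(frame)
    if not m:
        raise ValueError("not a syslog-framed message")
    # csv handles quoted PAN-OS fields that themselves contain commas
    fields = next(csv.reader([m.group("body")]))
    if len(fields) <= SUBTYPE_INDEX:
        raise ValueError("too few PAN-OS fields")
    log_type = fields[TYPE_INDEX].upper()
    if log_type not in KNOWN_TYPES:
        raise ValueError(f"unsupported PAN-OS log type: {log_type}")
    return {
        "source": m.group("host"),
        "facility": int(m.group("pri")) >> 3,
        "severity": int(m.group("pri")) & 7,
        # Field names from the page; the values here are constructed, not Illuminate's.
        "event_source_product": "paloalto_panos",
        "vendor_subtype": fields[SUBTYPE_INDEX],
        "panos_type": log_type,
        "full_message": frame,  # what "Store full message?" would keep
    }
```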

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • Ensure that your Palo Alto device or Panorama is set to output logs in Syslog format to Graylog.

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

  1. Configure a Syslog Profile to send logs to the Graylog Palo Alto Networks TCP (PAN-OS v11+) input.

  2. Configure Syslog log forwarding for the required log types.

  3. Configure the Log Forwarding profile in Security Policies to collect the logs and send them to the input.

Input Type

This input is a listener input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Parameter Description

Global (Checkbox)

Select this check box to enable this input on all Graylog nodes, or keep it unchecked to enable the input on a specific node.

Node

Select the node on which the input should start.

Title

Enter a unique name for the input.

Bind Address

Enter an IP address for this input to listen on. The source system/data sends logs to this IP/input.

Port

Enter the IP address and port on which the Zookeeper server is running.
Receive Buffer Size (optional)

Depending on the amount of traffic being ingested by the input, this value should be large enough to ensure proper flow of data but small enough to prevent the system from spending resources trying to process the buffered data.

No. of worker threads (optional)

This setting controls how many concurrent threads are used to process incoming data. Increasing the number of threads can enhance data processing speed, resulting in improved throughput. The ideal number of threads to configure depends on the available CPU cores on your Graylog server. A common starting point is to align the number of worker threads with the number of CPU cores. However, it is crucial to strike a balance with other server demands.

TLS cert file (optional)

The certificate file that is stored on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to.

TLS private key file (optional)

The certificate private key file that is stored on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to.

Enable TLS (Checkbox)

Select this option if this input should use TLS.

TLS key password (optional)

The private key password.

TLS client authentication (optional)

If you want to require authentication, set this value to optional or required.

TLS Client Auth Trusted Certs (optional)

The path where client (source) certificates are located on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to.

TCP keepalive (Checkbox)

Enable this option if you want the input to support TCP keep-alive packets to prevent idle connections.

Null frame delimiter? (Checkbox)

This option is typically left unchecked; a new line is then the delimiter for each message.

Maximum message size (optional)

The maximum size of a single message. The default value should suffice but can be modified depending on message length. Each input type usually has specifications that note the maximum length of a message.

Time Zone (optional)

Select the time zone configured on the system that is sending messages. If the sender does not include time zone information, you can configure the time zone applied to messages on arrival. That setting does not overwrite a time zone included in the timestamp; it is the assumed time zone for messages that do not include one.

Store full message? (Checkbox)

Keeps the entire raw message in addition to the parsed fields for future reference or troubleshooting.

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: