
Hi Team,

I am new to the Chronicle. I am collecting the logs from paloalto firewall using the bindplane server and able to see the logs in Secops but the logs are not getting parsed . I used the log type as "PAN_FIREWALL" in the processor configuration and the logs are in the LEEF Format.

Please advise what mistake I am doing here.

Thanks

Joe


Hi @Joe_john ,

Make sure you're sending the below mentioned Palo Alto firewalls.


Additionally, if you can share sample logs, I can see what the issue is.



Hi @sudeep_singh ,

I am using syslog and it's forwarding logs in LEEF format. Attached here are the sample logs from the bindplane.


Thanks

Joe

 



Hi @Joe_john ,

If you can please share the raw log as text, I will simulate it in my environment and figure out what the error is.



Hi @sudeep_singh ,

Please find the raw logs below.

LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|11.1.6|allow|x7C|cat=TRAFFIC|devTime=Jun 03 2025 19:01:07 GMT|SerialNumber=026701017891|Subtype=end|src=x.x.x.x|dst=1.1.1.1|srcPostNAT=x.x.x.x|dstPostNAT=1.1.1.1|RuleName=test-pc-insha|usrName=|DestinationUser=|Application=dns-base|VirtualSystem=vsys1|SourceZone=trust|DestinationZone=untrust|IngressInterface=ethernet1/2|EgressInterface=ethernet1/3|LogForwardingProfile=Qradar-1|SessionID=370469|RepeatCount=1|srcPort=65361|dstPort=53|srcPostNATPort=14173|dstPostNATPort=53|Flags=0x404019|proto=udp|totalBytes=375|srcBytes=375|dstBytes=0|totalPackets=5|dstPackets=0|srcPackets=5|start=Jun 03 2025 19:01:07 GMT|ElapsedTime=8|URLCategory=any|sequence=7473795535245606188|SessionEndReason=aged-out|DeviceGroupHierarchyL1=118|DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|vSrcName=vsys1|DeviceName=PA2_1410|ActionSource=from-policy|ActionFlags=0x0|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=|TunnelType=N/ARuleUUID=5cfada41-ab4b-48db-a8be-f31a6b6e4b2b|PolicyID=|LinkDetail=|SDWANCluster=|SDWANDevice=|SDWAN


LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|11.1.6|allow|x7C|cat=TRAFFIC|devTime=Jun 03 2025 19:00:25 GMT|SerialNumber=026701017891|Subtype=end|src=xx.xx.xx.xx|dst=1.1.1.1|srcPostNAT=xx.xx.xx.xx|dstPostNAT=x.x.x.x|RuleName=test-pc-insha|usrName=|DestinationUser=|Application=dns-base|VirtualSystem=vsys1|SourceZone=trust|DestinationZone=untrust|IngressInterface=ethernet1/2|EgressInterface=ethernet1/3|LogForwardingProfile=Qradar-1|SessionID=57758|RepeatCount=1|srcPort=65333|dstPort=53|srcPostNATPort=19111|dstPostNATPort=53|Flags=0x404019|proto=udp|totalBytes=375|srcBytes=375|dstBytes=0|totalPackets=5|dstPackets=0|srcPackets=5|start=Jun 03 2025 19:00:25 GMT|ElapsedTime=8|URLCategory=any|sequence=7473795535245606168|SessionEndReason=aged-out|DeviceGroupHierarchyL1=118|DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|vSrcName=vsys1|DeviceName=PA2_1410|ActionSource=from-policy|ActionFlags=0x0|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=|TunnelType=N/ARuleUUID=5cfada41-ab4b-48db-a8be-f31a6b6e4b2b|PolicyID=|LinkDetail=|SDWANCluster=|SDWANDevice=|SDWAN


Thanks

Joe



Hi @Joe_john ,

I simulated the sample logs via the ingestion API with the data label "PAN_FIREWALL", and both sample logs are parsing as expected.

Please find the snip for your reference.

Maybe there is a problem while ingesting via bindplane; please check from the bindplane end, as per my understanding the parser is working as expected.

Thanks,
Sudeep Singh
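To check whether a message is still well-formed LEEF 2.0 by the time it leaves the collector, here is a small parser added as an example (written for this thread, not code from Google SecOps, BindPlane or Palo Alto). It decodes the LEEF 2.0 delimiter field (x7C is "|"), splits the attributes, and flags tokens that hint at a lost delimiter or truncation, such as the TunnelType=N/ARuleUUID=... run and the trailing "SDWAN" visible in the posted logs; the sample is a constructed, shortened copy of that log.

```python
import re

# Constructed sample: a trimmed copy of the LEEF 2.0 PAN-OS TRAFFIC log posted
# in the thread (addresses were already masked by the poster).
SAMPLE = (
    "LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|11.1.6|allow|x7C|"
    "cat=TRAFFIC|devTime=Jun 03 2025 19:01:07 GMT|Subtype=end|src=x.x.x.x|dst=1.1.1.1|"
    "RuleName=test-pc-insha|usrName=|Application=dns-base|proto=udp|"
    "TunnelType=N/ARuleUUID=5cfada41-ab4b-48db-a8be-f31a6b6e4b2b|PolicyID=|SDWAN"
)

# LEEF header: LEEF:Version|Vendor|Product|Version|EventID|  (2.0 adds a delimiter field)
HEADER_RE = re.compile(
    r"^LEEF:(?P<ver>[12]\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event>[^|]*)\|"
)


def leef_delimiter(token):
    """LEEF 2.0 gives the attribute delimiter literally or as hex, e.g. x7C == '|'."""
    m = re.fullmatch(r"[xX]([0-9A-Fa-f]{2,4})", token)
    if m:
        return chr(int(m.group(1), 16))
    if len(token) == 1:
        return token
    raise ValueError(f"bad LEEF delimiter token: {token!r}")


def parse_leef(line):
    """Return (header dict, attribute dict, warnings) for one LEEF message."""
    warnings = []
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a LEEF 1.0/2.0 message (syslog prefix left in, or truncated?)")
    header = m.groupdict()
    rest = line[m.end():]
    if header["ver"] == "2.0":
        delim_tok, _, rest = rest.partition("|")
        delim = leef_delimiter(delim_tok)
    else:
        delim = "\t"  # LEEF 1.0 always uses a tab between attributes
    header["delimiter"] = delim
    attrs = {}
    for tok in rest.split(delim):
        if not tok:
            continue
        key, eq, val = tok.partition("=")
        if not eq:  # a bare word at the end usually means the message was cut off
            warnings.append(f"dangling token without '=': {tok!r} (truncated message?)")
            continue
        if "=" in val:  # a second '=' means a delimiter between two keys went missing
            warnings.append(f"value of {key!r} contains '=': {val!r} (lost delimiter?)")
        attrs[key] = val
    return header, attrs, warnings
```

Feed it the exact bytes BindPlane emits (not the console copy) to see whether the collector is adding a syslog prefix, changing the delimiter, or truncating the line before it reaches the PAN_FIREWALL parser.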


