
Sheriff CSM™

Palo Alto Networks Traps

When you configure Palo Alto Networks Traps to send log data to Sheriff CSM, you can use the Palo Alto Networks Traps plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
  Vendor            Palo Alto Networks
  Device Type       Endpoint Security
  Connection Type   Syslog
  Data Source Name  Paloalto-traps
  Data Source ID    1919

Integrating Palo Alto Networks Traps

To configure Palo Alto Networks Traps to send Syslog messages to Sheriff CSM
  1. From the ESM Console, select Settings > ESM > Syslog, and then select Enable Syslog.

  2. Configure Palo Alto Networks Traps to send logs from ESM components to an external logging platform (Sheriff CSM) by specifying the following settings:

    • Syslog Server: hostname or IP address of the Sheriff CSM Sensor (Deputy).
    • Transport: UDP, TCP, or SSL.
    • Port: 514 for UDP, 601 for TCP, or 6514 for TLS/SSL.
    • Format: BSD (default) or IETF.
    • Facility: the standard syslog facility value your server uses to manage messages.

  3. Click OK to create your profile.
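
Because the profile above can emit either BSD (RFC 3164) or IETF (RFC 5424) syslog, it helps when troubleshooting to confirm on the receiving side that messages arrive well-formed with the expected facility. The following is an added example, not part of this page or of the Sheriff CSM plugin: a small Python parser that decodes the PRI header into facility and severity and splits both formats into fields, run over two constructed sample lines (hostnames, app names and message bodies are placeholders, not real Traps events).

```python
import re

# Standard syslog facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# IETF (RFC 5424): <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
IETF_RE = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) ((?:\[[^\]]*\])+|-) ?(.*)$", re.S)
# BSD (RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
BSD_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    pri = int(pri)
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(line):
    """Return a normalized dict for a BSD or IETF syslog line, or None if neither format matches."""
    m = IETF_RE.match(line)
    if m:
        fac, sev = decode_pri(m.group(1))
        return {"format": "ietf", "facility": fac, "severity": sev, "timestamp": m.group(3),
                "host": m.group(4), "app": m.group(5), "msg": m.group(9)}
    m = BSD_RE.match(line)
    if m:
        fac, sev = decode_pri(m.group(1))
        return {"format": "bsd", "facility": fac, "severity": sev, "timestamp": m.group(2),
                "host": m.group(3), "app": None, "msg": m.group(4)}
    return None


# Constructed samples: one IETF line at local0/info, one BSD line at user/notice.
SAMPLES = [
    "<134>1 2022-06-24T10:15:00Z esm-host app-placeholder - - - constructed sample message",
    "<13>Jun 24 10:15:00 esm-host constructed sample message",
]


def check_samples():
    """Parse every sample line; a None entry means the sensor would see an unparseable message."""
    return [parse_syslog(line) for line in SAMPLES]
```

Run it against a few lines captured from the sensor's syslog listener to confirm the facility you selected in the ESM profile is the one actually arriving.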

To use the log forwarding profile in your security profile
  1. Go to Policy > Security.

  2. Click the rule that needs to be forwarded to open its policy rule settings window.

  3. In the Security Policy Rule window, click the Actions tab.

  4. In the Log Forwarding drop-down, select the profile you created and make sure that the Log at Session End box is checked.

  5. Click OK.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-admin-guide/reports-and-logging/forward-logs-to-an-external-logging-platform/enable-log-forwarding-to-an-external-logging-platform.html

For troubleshooting, refer to the vendor documentation:

https://www.paloaltonetworks.com/documentation/34/endpoint/endpoint-admin-guide/troubleshooting/traps-troubleshooting-resources
Topic revision: r11 - 24 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.