Sunday, July 10, 2016

Building a monitoring solution – Forwarding Palo Alto Logs



In the previous post we took some basic steps to begin the process of hardening our server so that we can reduce its attack surface thus improving the security of our monitoring system. Now let’s forward some logs from a Palo Alto 200 device to it.

First up, let’s create a “Syslog Server Profile” by clicking “Device” -> “Server Profiles” -> “Syslog”.

For our example we will set the name as “Security Monitoring”

 
Next up let’s configure the “Log Forwarding” by selecting the “Objects” menu then “Log Forwarding”.
Finally, let’s go to the options for our rules and configure the “Options”. In this case we will specify our “Log Forwarding” destination as the one we configured.







Finally, “Save” and “Commit” your changes.


Now that we have configured our rules. Let’s verify that traffic is reaching our monitoring server by looking at tcpdump.


Looks good! Time to build a Splunk dashboard now to present our information in a state which is easily readable. We configured the Palo Alto to forward "TRAFFIC" and "THREATS" log so we will parse those. Do remember, Palo Alto can also do URL filtering, WildFire, etc.

1 comment: