@meznak
Created April 12, 2019 16:47
Palo Alto config for syslog-ng
### Palo Alto
#
#############################################################################
### Sources
#
# Don't specify an IP so we listen on all.
# Tuning: https://codeascraft.com/2012/08/13/performance-tuning-syslog-ng/
# log-fetch-limit = number of lines from source in a "chunk"
# log-iw-size = max-connections * log-fetch-limit
# log-fifo-size = log-iw-size * 20 (set globally above)
#
# 5050s send on 5050
# 7050s send on 7050 (because the 7050s are a beast)
#
source s_udp5050_pa {
    # UDP listener for the PA-5050 units (they send to port 5050). No ip() is
    # given, so syslog-ng binds every interface; on a multi-homed collector an
    # ip() setting or a host firewall rule keeps the port reachable from the
    # firewall management network only.
    # Plain UDP gives neither sender authentication nor delivery guarantees:
    # the source address and the HOSTNAME field arrive exactly as the sender
    # wrote them, and the host()/netmask() filters further down rely on both.
    # flags(syslog-protocol) expects RFC 5424 framing, so the firewalls need
    # to be set to the IETF syslog format for parsing to line up -- confirm.
    # NOTE(review): the header formula log-iw-size = max-connections *
    # log-fetch-limit gives 5 * 1000 = 5000, not 100000; check which value is
    # intended. max-connections() mainly concerns stream transports and its
    # effect on a UDP listener is unclear -- verify against the syslog-ng
    # version in use.
    network(
        transport("udp")
        port(5050)
        flags(syslog-protocol, assume-utf8)
        max-connections(5)
        log-fetch-limit(1000)
        log-iw-size(100000)
    );
};
source s_udp7050_pa {
    # UDP listener for the PA-7050 units (they send to port 7050), tuned the
    # same way as s_udp5050_pa. Binds all interfaces because no ip() is set.
    # The sender address and HOSTNAME field are unauthenticated on UDP; the
    # filters that select messages from this source depend on them as-is.
    # NOTE(review): log-iw-size(100000) does not follow the header formula
    # (max-connections * log-fetch-limit = 5000) -- confirm the intended value,
    # and whether max-connections() has any effect for transport("udp").
    network(
        transport("udp")
        port(7050)
        flags(syslog-protocol, assume-utf8)
        max-connections(5)
        log-fetch-limit(1000)
        log-iw-size(100000)
    );
};
#############################################################################
### Filters
#
# These only work with the IP as host, since use_dns is set to no
# ISO-segment PA-5050 pair, selected by the HOST string (the sender IP when
# use-dns(no) and the default keep-hostname(no) are in effect). Replace the
# placeholders with the real addresses. host() is a regex match by default,
# so an unescaped "." also matches any character; netmask(), as used in
# f_panorama, checks the packet's SOURCEIP directly and is the firmer choice
# when selecting by address.
filter f_pa_iso-seg {
    host("XXX.XXX.XXX.XXX")
    or host("XXX.XXX.XXX.XXX");
};
# Updated filter to just match hostnames containing PA-FW for future flexibility
#filter f_pa_prod {host("XXX.XXX.XXX.XXX") or host("XXX.XXX.XXX.XXX") or host("XXX.XXX.XXX.XXX") or host("XXX.XXX.XXX.XXX");};
# Production firewalls: any HOST containing "PA-FW", case-insensitive glob.
# NOTE(review): this can only match if HOST carries the firewall's hostname,
# i.e. keep-hostname(yes) so HOST is taken from the message rather than the
# sender IP -- which contradicts the "IP as host" note above. In that case
# HOST is a sender-supplied field on an unauthenticated UDP stream; combine
# with netmask() (as f_panorama does) if the selection must be tied to the
# source network. Confirm the global keep-hostname setting.
filter f_pa_prod {
    match("*PA-FW*" value(HOST) type(glob) flags(ignore-case));
};
#
# Panorama
filter f_panorama {
    # Panorama is recognised either by the packet's source subnet (netmask()
    # tests SOURCEIP, not the HOST string; fill in the real CIDR) or by a HOST
    # containing "-PA-PAN." -- the pcre runs against HOST. Single quotes keep
    # the backslash literal, so PCRE sees \. as an escaped dot.
    # Either leg alone is enough, so a hostname match is accepted from any
    # source address; drop the "or" leg if that is not wanted.
    netmask("XXX.XXX.XXX.XXX/XX")
    or match('-PA-PAN\.' value(HOST) type("pcre"))
};
# Filters for the different types of logs so the Splunk Indexers don't
# have to regex them
# TRAFFIC log type: an unanchored regex on the MESSAGE part, so it matches the
# keyword anywhere in the message, not only in the PAN-OS Type column.
# NOTE(review): with flags(final) on the log paths, a message whose text holds
# more than one type keyword is routed by whichever path comes first; anchoring
# on the comma-delimited Type field would tighten this -- confirm the exact
# PAN-OS syslog layout in use before changing the pattern.
filter f_pa_traffic { match("TRAFFIC" value("MESSAGE")); };
# THREAT log type: unanchored regex on the MESSAGE part -- matches the keyword
# anywhere in the message, not only in the PAN-OS Type column (see the note on
# anchoring; THREAT messages often carry URLs and filenames as free text).
filter f_pa_threat { match("THREAT" value("MESSAGE")); };
# SYSTEM log type: unanchored regex on the MESSAGE part -- matches the keyword
# anywhere in the message, not only in the PAN-OS Type column.
filter f_pa_system { match("SYSTEM" value("MESSAGE")); };
# CONFIG log type: unanchored regex on the MESSAGE part -- matches the keyword
# anywhere in the message, not only in the PAN-OS Type column.
filter f_pa_config { match("CONFIG" value("MESSAGE")); };
#############################################################################
### Destinations
#
# Palo Alto Firewalls - special logic to rotate the file every 15m
# See http://serverfault.com/questions/661781/does-syslog-ng-config-file-support-log-rotating-files-every-15-mins
destination d_paloalto_traffic {
    # One TRAFFIC file per sending HOST, rotated in 15-minute buckets:
    # $(/ ${MIN} 15) is integer division, so the suffix runs 0..3 per hour.
    # `LOGHOST` is expanded when the config is parsed (environment or @define)
    # and must be defined before this file is read.
    # The ${HOST} directory only appears if create-dirs(yes) is in effect --
    # presumably set in the global options, which are not in this excerpt.
    # NOTE(review): ${HOST} becomes a path component. With the default
    # keep-hostname(no) it is the sender's IP; with keep-hostname(yes) it is
    # the sender-supplied HOSTNAME field from an unauthenticated UDP packet --
    # keep the default or validate HOST before it is used as a directory name.
    file("/syslog/paloalto/${HOST}/`LOGHOST`.traffic.${YEAR}${MONTH}${DAY}-${HOUR}.$(/ ${MIN} 15)");
};
destination d_paloalto_threat {
    # One THREAT file per sending HOST, rotated every 15 minutes (integer
    # division of the minute by 15 yields the 0..3 bucket suffix).
    # `LOGHOST` is a parse-time variable; create-dirs(yes) is needed for the
    # per-HOST directory (both presumably handled in the global options).
    # NOTE(review): ${HOST} is used as a directory name -- it is only the
    # sender IP while keep-hostname(no) (the default) holds; otherwise it is a
    # sender-supplied string and should be validated first.
    file("/syslog/paloalto/${HOST}/`LOGHOST`.threat.${YEAR}${MONTH}${DAY}-${HOUR}.$(/ ${MIN} 15)");
};
destination d_paloalto_system {
    # One SYSTEM file per sending HOST, rotated every 15 minutes (integer
    # division of the minute by 15 yields the 0..3 bucket suffix).
    # `LOGHOST` is a parse-time variable; create-dirs(yes) is needed for the
    # per-HOST directory (both presumably handled in the global options).
    # NOTE(review): ${HOST} is used as a directory name -- it is only the
    # sender IP while keep-hostname(no) (the default) holds; otherwise it is a
    # sender-supplied string and should be validated first.
    file("/syslog/paloalto/${HOST}/`LOGHOST`.system.${YEAR}${MONTH}${DAY}-${HOUR}.$(/ ${MIN} 15)");
};
destination d_paloalto_config {
    # One CONFIG file per sending HOST, rotated every 15 minutes (integer
    # division of the minute by 15 yields the 0..3 bucket suffix). These are
    # the configuration-change audit records, so keep them separate from the
    # system files.
    # `LOGHOST` is a parse-time variable; create-dirs(yes) is needed for the
    # per-HOST directory (both presumably handled in the global options).
    # NOTE(review): ${HOST} is used as a directory name -- it is only the
    # sender IP while keep-hostname(no) (the default) holds; otherwise it is a
    # sender-supplied string and should be validated first.
    file("/syslog/paloalto/${HOST}/`LOGHOST`.config.${YEAR}${MONTH}${DAY}-${HOUR}.$(/ ${MIN} 15)");
};
#############################################################################
### Logging
#
# Multiple log destinations mean multi-threading!
#########################################################
# PA5050s
#
# Log PA5050 ISO-Segment - THREAT
# PA-5050 ISO-segment paths. Order matters: flags(final) stops a message at the
# first path it matches, so with unanchored type filters a message containing
# more than one type keyword lands in the earliest matching path (THREAT first).
# NOTE(review): there is no catch-all -- a message from s_udp5050_pa that
# passes f_pa_iso-seg but none of the four type filters reaches no destination
# in this excerpt and is dropped silently; add a fallback path if that is not
# intended.
log {
source (s_udp5050_pa);
# Filters are ANDed: from the ISO-segment pair AND a THREAT message.
filter (f_pa_iso-seg);
filter (f_pa_threat);
destination(d_paloalto_threat);
# Consumed here; later paths never see this message.
flags(final);
};
# Log PA5050 ISO-Segment - TRAFFIC
log {
source (s_udp5050_pa);
# Filters are ANDed: from the ISO-segment pair AND a TRAFFIC message.
filter (f_pa_iso-seg);
filter (f_pa_traffic);
destination(d_paloalto_traffic);
flags(final);
};
# Log PA5050 ISO-Segment - SYSTEM
log {
source (s_udp5050_pa);
# Filters are ANDed: from the ISO-segment pair AND a SYSTEM message.
filter (f_pa_iso-seg);
filter (f_pa_system);
destination(d_paloalto_system);
flags(final);
};
# Log PA5050 ISO-Segment - CONFIG
log {
source (s_udp5050_pa);
# Filters are ANDed: from the ISO-segment pair AND a CONFIG message.
filter (f_pa_iso-seg);
filter (f_pa_config);
destination(d_paloalto_config);
flags(final);
};
#########################################################
# Panorama - should only be SYSTEM and CONFIG
#
# SYSTEM
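log {
    # Panorama SYSTEM. Sources are an OR list: a message from either listener
    # is a candidate. Filters are ANDed: must look like Panorama (f_panorama)
    # AND be a SYSTEM message.
    # If the netmask in f_panorama also covers the firewalls themselves, their
    # SYSTEM/CONFIG messages terminate here instead of in the PA7050 paths --
    # same files either way, but worth knowing when tracing a message.
    source(s_udp5050_pa);
    source(s_udp7050_pa);
    filter(f_panorama);
    filter(f_pa_system);
    destination(d_paloalto_system);
    # Consumed here; the PA7050 paths below never see this message.
    flags(final);
};
# CONFIG
log {
    # Panorama CONFIG (configuration-change audit records), same source/filter
    # shape as the SYSTEM path above.
    source(s_udp5050_pa);
    source(s_udp7050_pa);
    filter(f_panorama);
    filter(f_pa_config);
    # Fix: this path wrote to d_paloalto_system, so Panorama CONFIG records were
    # mixed into the *.system.* files and never reached the *.config.* files
    # every other CONFIG path uses. Route to the config destination.
    destination(d_paloalto_config);
    flags(final);
};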
#########################################################
# PA7050s
#
# Log PA7050 Production - THREAT
# PA-7050 production paths. Order matters: flags(final) stops a message at the
# first path it matches, so with unanchored type filters a message containing
# more than one type keyword lands in the earliest matching path (THREAT first).
# These come after the Panorama paths, so anything f_panorama already claimed
# does not reach them.
# NOTE(review): there is no catch-all -- a message from s_udp7050_pa that
# passes f_pa_prod but none of the four type filters reaches no destination in
# this excerpt and is dropped silently; add a fallback path if that is not
# intended.
log {
source (s_udp7050_pa);
# Filters are ANDed: HOST matches the production glob AND a THREAT message.
filter (f_pa_prod);
filter (f_pa_threat);
destination(d_paloalto_threat);
# Consumed here; later paths never see this message.
flags(final);
};
# Log PA7050 Production - TRAFFIC
log {
source (s_udp7050_pa);
# Filters are ANDed: HOST matches the production glob AND a TRAFFIC message.
filter (f_pa_prod);
filter (f_pa_traffic);
destination(d_paloalto_traffic);
flags(final);
};
# Log PA7050 Production - SYSTEM
log {
source (s_udp7050_pa);
# Filters are ANDed: HOST matches the production glob AND a SYSTEM message.
filter (f_pa_prod);
filter (f_pa_system);
destination(d_paloalto_system);
flags(final);
};
# Log PA7050 Production - CONFIG
log {
source (s_udp7050_pa);
# Filters are ANDed: HOST matches the production glob AND a CONFIG message.
filter (f_pa_prod);
filter (f_pa_config);
destination(d_paloalto_config);
flags(final);
};