PaloAlto logs format


Zineb Bouziane

Jun 5, 2023, 11:45:00 AM
to Wazuh mailing list
Hello everybody,
I have recently configured a PaloAlto firewall to send its traffic, threat and system logs to the Wazuh server via syslog, and I have a problem understanding all the fields in the log format I receive.

Here's an example of an event log:
2023 Jun 05 15:31:29 PA-VM->0.0.0.0 Jun  5 07:28:27 PA-VM 1,2023/06/05 07:28:26,,SYSTEM,wildfire,2816,2023/06/05 07:28:27,,wildfire-conn-failed,,0,0,general,medium,"Failed to resolve host wildfire.paloaltonetworks.com",7212599353960056313,0x0,0,0,0,0,,PA-VM,0,0,2023-06-05T07:28:27.464-07:00

Can somebody help me understand what some of these fields mean?
Thanks in advance

Marcos Darío Buslaiman

Jun 5, 2023, 2:01:35 PM
to Wazuh mailing list
Hi Zineb,
Thanks for using Wazuh!
When you configure your device to send logs to Wazuh through syslog, either using Rsyslog + agent or sending directly to the Wazuh manager ("remote data collection"), the log is sent as it is generated on your device; therefore I recommend you verify these values with the provider, for example in this document.

On the other hand, I would like to mention that Wazuh provides many decoders and rules, among which are some for PaloAlto, as you can see in the following file on the Wazuh Manager: "/var/ossec/ruleset/decoders/0505-paloalto_decoders.xml".
For example, testing the log line:
2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.",8888888158888888777,0x0,0,0,0,0,,Servername 
with /var/ossec/bin/wazuh-logtest
2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.",8888888158888888777,0x0,0,0,0,0,,Servername

**Phase 1: Completed pre-decoding.
       full event: '2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.",8888888158888888777,0x0,0,0,0,0,,Servername'
       timestamp: '2022-04-14T21:43:30+01:00'
       hostname: 'Forwarded'
       program_name: '(null)'
       log: 'from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.",8888888158888888777,0x0,0,0,0,0,,Servername'

**Phase 2: Completed decoding.
       decoder: 'paloalto'
       receive_time: '2022/04/14 21:43:30'
       serial_number: '013101003103'
       type: 'SYSTEM'
       content_threat_type: 'auth'
       generated_time: '2022/04/14 21:43:30'
       virtual_system: ''
       event_id: 'auth-fail'
       object: 'High-Users'
       module: 'general'
       severity: 'medium'
       description: '"failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users''
       sequence_number: ' vsys 'vsys1''
       action_flags: ' server profile 'LDAP-AUTH''
       device_group_hierarchy_level_1: ' server address '10.999.9.99''
       device_group_hierarchy_level_2: ' From: 174.147.45.4."'
       device_group_hierarchy_level_3: '8888888158888888777'
       device_group_hierarchy_level_4: '0x0'
       virtual_system_name: '0'
       device_name: '0'
       high_resolution_timestamp: ''

**Phase 3: Completed filtering (rules).
       Rule id: '64502'
       Level: '3'
       Description: 'Palo Alto SYSTEM: medium event.'
**Alert to be generated.


Checking your log line, I don't see that it matches these, so you can check whether the log format is configurable in your firewall and change it to match the previous example (check the file 0505-paloalto_decoders.xml to verify the different logs that you can use), or you can create a custom decoder, as described in the following document.

In case you need help, do not hesitate to let us know and I will gladly help you create the custom decoder.

Regards.
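A note on the decoder output above: PAN-OS writes its logs as CSV, with the description field double-quoted, and the auth-fail description contains commas. The wazuh-logtest output shows what happens when the line is split on every comma: the description is cut at "auth profile 'High-Users'", and the rest of it spills into sequence_number, action_flags and the device_group_hierarchy fields, so device_name ends up as '0'. The script below is an added example (not from the thread, not Wazuh's or Palo Alto's code) that locates the CSV record behind the syslog header and parses it with a quote-aware CSV reader, then compares the result with a naive comma split. The field names follow the decoder output quoted above; the "future_use" labels for the positions the decoder skips, and the regex used to find the start of the record, are my assumptions. The two sample lines are the ones posted in this thread.

```python
import csv
import re

# SYSTEM-log field order, named as in the wazuh-logtest output quoted in the
# thread. Positions that output does not name are labelled "future_use" here
# (assumption; they are skipped when building the result).
SYSTEM_FIELDS = [
    "future_use", "receive_time", "serial_number", "type", "content_threat_type",
    "future_use", "generated_time", "virtual_system", "event_id", "object",
    "future_use", "future_use", "module", "severity", "description",
    "sequence_number", "action_flags",
    "device_group_hierarchy_level_1", "device_group_hierarchy_level_2",
    "device_group_hierarchy_level_3", "device_group_hierarchy_level_4",
    "virtual_system_name", "device_name", "future_use", "future_use",
    "high_resolution_timestamp",
]

# Assumed layout: the CSV record starts with a numeric field followed by the
# receive time; whatever syslog/Wazuh header precedes it is discarded.
_RECORD_START = re.compile(r"(\d+,\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},.*)$")

# Sample input: the two log lines posted in this thread (constructed test data).
WILDFIRE_LINE = ("2023 Jun 05 15:31:29 PA-VM->0.0.0.0 Jun  5 07:28:27 PA-VM 1,2023/06/05 07:28:26,,SYSTEM,wildfire,2816,"
                 "2023/06/05 07:28:27,,wildfire-conn-failed,,0,0,general,medium,"
                 "\"Failed to resolve host wildfire.paloaltonetworks.com\",7212599353960056313,0x0,0,0,0,0,,PA-VM,0,0,"
                 "2023-06-05T07:28:27.464-07:00")
AUTH_LINE = ("2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,"
             "2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"
             "\"failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password. "
             "auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', "
             "From: 174.147.45.4.\",8888888158888888777,0x0,0,0,0,0,,Servername")


def extract_record(line):
    """Return the PAN-OS CSV record, without the syslog/Wazuh header in front of it."""
    m = _RECORD_START.search(line)
    if not m:
        raise ValueError("no PAN-OS CSV record found in line")
    return m.group(1)


def split_naive(record):
    """Split on every comma, ignoring quoting (what the decoder output above reflects)."""
    return record.split(",")


def split_csv(record):
    """Split with a quote-aware CSV reader: commas inside the quoted description stay put."""
    return next(csv.reader([record]))


def parse_system_log(line, splitter=split_csv):
    """Map a SYSTEM log record to named fields; flag records whose fields look shifted."""
    fields = splitter(extract_record(line))
    if len(fields) < 4 or fields[3] != "SYSTEM":
        raise ValueError("not a SYSTEM log record")
    parsed = {name: "" for name in SYSTEM_FIELDS if name != "future_use"}
    for name, value in zip(SYSTEM_FIELDS, fields):
        if name != "future_use":
            parsed[name] = value
    parsed["field_count"] = len(fields)
    # The sequence number is always numeric on the device; if it is not, the
    # description (which carries user-supplied text such as the username) has
    # leaked into the following fields and the record was mis-split.
    parsed["fields_aligned"] = parsed["sequence_number"].isdigit()
    return parsed


if __name__ == "__main__":
    for line in (WILDFIRE_LINE, AUTH_LINE):
        for name, splitter in (("naive", split_naive), ("csv", split_csv)):
            p = parse_system_log(line, splitter)
            print(f"{name:5} fields={p['field_count']:2} aligned={p['fields_aligned']} "
                  f"device_name={p['device_name']!r} seq={p['sequence_number']!r}")
```

Run stand-alone, the script shows that the wildfire line parses identically either way (no commas in its description), while the auth-fail line yields 27 fields and a non-numeric sequence number with the naive split but 23 correctly aligned fields with the CSV reader. The same alignment check is a cheap thing to assert on in a custom decoder test, since the text after "failed authentication for user" is whatever the client sent.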


Zineb Bouziane

Jun 6, 2023, 4:48:46 AM
to Wazuh mailing list
Thank you so much for your input, it was really helpful.
I have customized the logs on PaloAlto, and it seems that Wazuh is able to decode them using the default decoders.

Best regards.

Marcos Darío Buslaiman

Jun 6, 2023, 8:02:58 AM
to Wazuh mailing list
I am glad to know that the information was useful. In my previous answer I forgot to send the link to the custom decoders documentation: Custom decoders.
This document is very useful too when you need to create decoders: Sibling decoders.

Please do not hesitate to contact us for any other questions.

Regards
Marcos