PanOS 10 Decoders for Globalprotect


Steve O'Brien

Mar 27, 2023, 8:12:28 PM
to Wazuh mailing list
I am trying to get my GlobalProtect VPN authentication logs into Wazuh. Currently threat and traffic logs are being ingested via syslogd on a Wazuh-agent-enabled system. I am delivering the three logs (threat, traffic and auth) to different files on the syslog server, and they are all in the client config; however, I am only seeing the threat and traffic logs populate.
When I test one of the auth log failures:
<182>1 2023-03-22T17:49:18-10:00 paloalto-fw - - - - 1,2023/03/22 17:49:18,013201027519,GLOBALPROTECT,0,2561,2023/03/22 17:49:18,vsys1,portal-auth,login,Other,,temp,US,MacBook-user.local,204.12.221.165,0.0.0.0,0.0.0.0,0.0.0.0,,,,Mac,"mac-intel",1,,Invalid username or password,,failure,,0,,1,VPN,7199699939377559676,0x0,2023-03-22T17:49:18.166-10:00,,,,,,0,0,0,0,,PALOALTO-FW,0

This is all I get:

**Phase 2: Completed decoding.
name: 'paloalto'
parent: 'paloalto'
receive_time: '2023/03/22 17:49:18'
serial_number: '013201027519'
type: 'GLOBALPROTECT'

**Phase 3: Completed filtering (rules).
id: '64500'
level: '0'
description: 'Palo Alto GLOBALPROTECT event.'
groups: '['paloalto']'
firedtimes: '2'
mail: 'False'

I am guessing that I need a custom decoder but I am struggling a bit to figure out the specifics.
I was hoping that maybe someone else has already figured this out and would perhaps be willing to share?
TIA

Mateo Cervilla

Mar 29, 2023, 8:57:46 AM
to Wazuh mailing list
Hi Steve,

If I understood correctly, you are scanning three logs but only receiving alerts from two, right?

Can you give me your current configurations related to this?

When you say: "This is all I get" , where can you see that?

I will wait for your answer.
Kind regards

Steve O'Brien

Mar 31, 2023, 3:08:18 AM
to Mateo Cervilla, Wazuh mailing list
If I understood correctly, you are scanning three logs but only receiving alerts from two, right?
Correct

Can you give me your current configurations related to this?
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/hosts/firewall-messages.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/hosts/firewall-netdev.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/hosts/firewall-auth.log</location>
  </localfile>

I can see messages in the /var/log/hosts/firewall-auth.log file on the syslog server, but when I look at the Wazuh manager events and filter for location: /var/log/hosts/firewall-auth.log there is nothing.



Steve O'Brien Senior Network Administrator

National Solar Observatory

Daniel K. Inouye Solar Telescope Project

22 Ohi’a Ku Street, Pukalani, HI 96768




Mateo Cervilla

Apr 3, 2023, 9:29:19 AM
to Wazuh mailing list
Hi Steve,
sorry for the delay, I replied to you on Friday but it seems that Google deleted the message.

You can try to enable the logall option at /var/ossec/etc/ossec.conf and check if you are receiving the events correctly, at /var/ossec/logs/archives/archives.log
Once you have enabled it, restart the manager and take a look at it. Let me know if you find something unusual.

You can also take a look at the documentation in case you haven't: Log data collection. You may find something useful for this case.

Regards,

Mateo 

Steve O'Brien

Apr 7, 2023, 4:14:51 AM
to Mateo Cervilla, Wazuh mailing list
I added the logall option and there is nothing from the firewall-auth.log in the archives. However, there has been data logged to the file on the syslog server since making that change.


On Mon, Apr 3, 2023 at 4:40 AM 'Mateo Cervilla' via Wazuh mailing list <wa...@googlegroups.com> wrote:
Hi Steve,

First of all, I recommend you to enable the logall option in /var/ossec/etc/ossec.conf and restart Wazuh.

Once it has been enabled,  wait until an event occurs and then check in the /var/ossec/logs/archives/archives.log if they are recorded.

Let me know what you get.

Also, you can take a look at the documentation here if you haven't: Log data collection; it should be useful.

Regards,

Mateo

Steve O'Brien

Apr 7, 2023, 4:16:55 AM
to Mateo Cervilla, Wazuh mailing list
I am seeing some of the logs in the archives file but I think I need some better decoder rules:

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

2023 Apr 06 20:22:53 (syslog.nso.edu) any->/var/log/hosts/firewall-netdev.log <190>1 2023-04-06T10:22:51-10:00 S3AA3-PA5220-01.summit.nso.edu - - - - 1,2023/04/06 10:22:51,013201027519,GLOBALPROTECT,0,2561,2023/04/06 10:22:51,vsys1,gateway-hip-check,host-info,,,sobrien-local,,Steves-MacBook-Pro,66.8.174.83,0.0.0.0,10.50.1.231,0.0.0.0,3c:22:fb:3e:11:78,C02CJ2W9ML7J,6.0.3,,,1,,,"HIP report is not needed",success,,0,,0,Summit GP Gateway,7199699939377563882,0x0,2023-04-06T10:22:51.688-10:00,,,,,,0,0,0,0,,S3AA3-PA5220-01,0

**Phase 1: Completed pre-decoding.
full event: '2023 Apr 06 20:22:53 (syslog.nso.edu) any->/var/log/hosts/firewall-netdev.log <190>1 2023-04-06T10:22:51-10:00 S3AA3-PA5220-01.summit.nso.edu - - - - 1,2023/04/06 10:22:51,013201027519,GLOBALPROTECT,0,2561,2023/04/06 10:22:51,vsys1,gateway-hip-check,host-info,,,sobrien-local,,Steves-MacBook-Pro,66.8.174.83,0.0.0.0,10.50.1.231,0.0.0.0,3c:22:fb:3e:11:78,C02CJ2W9ML7J,6.0.3,,,1,,,"HIP report is not needed",success,,0,,0,Summit GP Gateway,7199699939377563882,0x0,2023-04-06T10:22:51.688-10:00,,,,,,0,0,0,0,,S3AA3-PA5220-01,0'
timestamp: '2023 Apr 06 20:22:53'


**Phase 2: Completed decoding.
name: 'paloalto'
parent: 'paloalto'
receive_time: '2023/04/06 10:22:51'

serial_number: '013201027519'
type: 'GLOBALPROTECT'

**Phase 3: Completed filtering (rules).
id: '64500'
level: '0'
description: 'Palo Alto GLOBALPROTECT event.'
groups: '['paloalto']'
firedtimes: '1'
mail: 'False'

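The portal-auth failure in the first post and the gateway-hip-check event above share the same comma-separated layout, which is exactly what a custom decoder has to map to field names before a rule can match on status, stage or public IP. The script below is an added example, not code from this thread or from Wazuh: it strips the syslog header (with or without the archives.log prefix), splits the CSV body with proper quoted-field handling, labels the columns using the PAN-OS 10 GlobalProtect field order as I recall it from the PAN-OS log-field reference (an assumption to verify against your firewall's PAN-OS version), and counts login-stage failures per public IP, the kind of check a follow-up rule would perform. The function names are my own, and every sample event is constructed with RFC 5737 documentation addresses and a placeholder serial number.

```python
import csv
import re
from collections import Counter

# Column names for a PAN-OS 10 GLOBALPROTECT log, in CSV order. This is my
# reading of the PAN-OS syslog field reference (an assumption: verify it
# against the field list for your PAN-OS version). Index 0 is the leading
# FUTURE_USE column; the two sample lines in the thread both have 49 columns.
GP_FIELDS = [
    "future_use", "receive_time", "serial_number", "type", "subtype",
    "config_version", "generated_time", "vsys", "event_id", "stage",
    "auth_method", "tunnel_type", "src_user", "src_region", "machine_name",
    "public_ip", "public_ipv6", "private_ip", "private_ipv6", "host_id",
    "device_serial", "client_version", "client_os", "client_os_version",
    "repeat_count", "reason", "error", "description", "status", "location",
    "login_duration", "connect_method", "error_code", "portal", "seqno",
    "action_flags", "high_res_timestamp", "selection_type", "response_time",
    "priority", "attempted_gateways", "gateway", "dg_level1", "dg_level2",
    "dg_level3", "dg_level4", "vsys_name", "device_name", "vsys_id",
]

# RFC 5424 header as the firewall sends it ("<PRI>1 TIMESTAMP HOST - - - - "),
# optionally preceded by the archives.log prefix ("2023 Apr 06 ... any->/path ").
SYSLOG_HEADER = re.compile(r"^.*?<\d+>1 \S+ \S+ - - - - ")


def parse_globalprotect(line):
    """Return a dict of named fields for a GLOBALPROTECT event, or None for other log types."""
    m = SYSLOG_HEADER.match(line)
    body = line[m.end():] if m else line
    row = next(csv.reader([body]))  # csv handles the quoted columns ("mac-intel", "HIP report ...")
    if len(row) < 4 or row[3] != "GLOBALPROTECT":
        return None
    row = (row + [""] * len(GP_FIELDS))[:len(GP_FIELDS)]  # tolerate short or long rows
    return dict(zip(GP_FIELDS, row))


def failed_login_sources(lines, threshold=3):
    """Count login-stage failures per public IP and return those at or over the threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_globalprotect(line)
        if ev and ev["stage"] == "login" and ev["status"] == "failure":
            counts[ev["public_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_sample(event_id, stage, status, user, public_ip, error="", description="", seqno=1):
    # Constructed sample, not a real firewall event: same 49-column layout as the
    # portal-auth failure posted in the thread, with documentation IPs and a
    # placeholder serial number.
    return (
        "<182>1 2023-03-22T17:49:18-10:00 fw-example - - - - "
        f"1,2023/03/22 17:49:18,000000000000,GLOBALPROTECT,0,2561,2023/03/22 17:49:18,"
        f"vsys1,{event_id},{stage},Other,,{user},US,laptop.local,{public_ip},0.0.0.0,0.0.0.0,0.0.0.0,"
        f',,,Mac,"mac-intel",1,,{error},"{description}",{status},,0,,1,VPN,{seqno},0x0,'
        "2023-03-22T17:49:18.166-10:00,,,,,,0,0,0,0,,FW-EXAMPLE,0"
    )


# Constructed input: three failures from one address, one from another, one
# successful login and one HIP check (the event type shown in the logtest output).
SAMPLE_LINES = [
    build_sample("portal-auth", "login", "failure", "temp", "203.0.113.10", error="Invalid username or password", seqno=1),
    build_sample("portal-auth", "login", "failure", "admin", "203.0.113.10", error="Invalid username or password", seqno=2),
    build_sample("portal-auth", "login", "failure", "root", "203.0.113.10", error="Invalid username or password", seqno=3),
    build_sample("portal-auth", "login", "failure", "alice", "198.51.100.7", error="Invalid username or password", seqno=4),
    build_sample("gateway-auth", "login", "success", "alice", "198.51.100.7", seqno=5),
    build_sample("gateway-hip-check", "host-info", "success", "alice", "198.51.100.7", description="HIP report is not needed", seqno=6),
]

# Constructed archives.log prefix, to show the header regex copes with it too.
ARCHIVE_PREFIX = "2023 Apr 06 20:22:53 (syslog.example) any->/var/log/hosts/firewall-auth.log "

if __name__ == "__main__":
    for name, value in parse_globalprotect(SAMPLE_LINES[0]).items():
        if value:
            print(f"{name}: {value}")
    print("sources over threshold:", failed_login_sources(SAMPLE_LINES))
```

The names in GP_FIELDS are the ones you would list, in that order, in the `<order>` element of a child decoder of `paloalto`, one capture group per column; the count in `failed_login_sources` is what a frequency rule keyed on `stage` and `status` would reproduce once those fields are decoded.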


Mateo Cervilla

Apr 12, 2023, 12:02:25 PM
to Wazuh mailing list
Hi Steve,
About your comment that there is nothing from the firewall-auth.log in the archives: if you enabled the logall option and you are not receiving messages in archives.log from the .log file you are trying to monitor, then you should check the <localfile> configuration where you are trying to monitor it, as it appears that it is not being monitored correctly.
About the decoders: if the current ones don't work or aren't enough for you, then you can create your own custom decoders or rules, or you can even modify existing ones to get the information you need.
Take a look at the documentation here:
Please note that the decoders and rules currently available for Palo Alto are as follows: