cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Palo Alto Global Protect Logs Missing Most information

HA13029
Copper Contributor

‎May 30 2024 10:43 PM

‎May 30 2024 10:43 PM

Palo Alto Global Protect Logs Missing Most information

Hi all,

 

I've integrated Palo Firewall with MS Sentinel.

For most log type (Traffic, Threat, System), everything is working fine.

But for GlobalProtect log type, it's missing almost all valuable values (no username, authentication status (failed or success), Portal Name, Gateway Name, etc...

I used to following URL to defines CEF format.

https://github.com/pemontto/Palo-Alto-CEF/blob/master/10.0/globalprotect.txt

 

PS: PANOS version 11.x

 

Any idea ??

 

Regards,

 

HA

 

 

Labels:
Preview file
21 KB
363 Views
0 Likes
4 Replies
Reply
4 Replies
techjunk

‎Jun 26 2024 07:08 AM

‎Jun 26 2024 07:08 AM

Re: Palo Alto Global Protect Logs Missing Most information

HA
Did you ever find an answer to this? We are seeing the same thing.
Confirmed character count and no oddities with character returns with copy/pasting.
0 Likes
Reply
HA13029

‎Jun 30 2024 07:00 AM

‎Jun 30 2024 07:00 AM

Re: Palo Alto Global Protect Logs Missing Most information

Hi,

No chance to get an answer....
What I can say is the traffic is correctly parsed by another log solution (Wazuh).
It would be nice to get parsed correctly by Sentinel too...

Regards,

HA
0 Likes
Reply
best response confirmed by HA13029 (Copper Contributor)
techjunk

‎Jul 24 2024 07:57 AM

‎Jul 24 2024 07:57 AM

Solution

Re: Palo Alto Global Protect Logs Missing Most information

@HA13029
Take a look at this;
https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m...

Looks like the GP CEF format needs a dummy field to have the required 7.

Stumbled across the info here;
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Data%20Connectors/read...

"Modify the default CEF header format to make sure we always have 7 fields in CEF header as Sentinel log analytics agent can only parse fixed header (7 fields in header) a. > For example, log types “Global Protect” have only 6 fields, and SCTP only have 5 fields in the default configuration. We can introduce dummy fields to make sure we have 7 fields"

Haven't made the change on our side yet, so can't confirm this is the smoking gun, but it looks promising.
0 Likes
Reply
HA13029

‎Jul 25 2024 01:12 AM

‎Jul 25 2024 01:12 AM

Re: Palo Alto Global Protect Logs Missing Most information

Hi,

Many thanks for your help !!
I can get the GP logs now !!
As mentioned int the following document, https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m..., the key is to add the "|1|" in the CEF format !!

Thanks again for your help !!

Regards,

HA


0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by HA13029 (Copper Contributor)
techjunk

‎Jul 24 2024 07:57 AM

‎Jul 24 2024 07:57 AM

Solution

Re: Palo Alto Global Protect Logs Missing Most information

@HA13029
Take a look at this;
https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m...

Looks like the GP CEF format needs a dummy field to have the required 7.

Stumbled across the info here;
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Data%20Connectors/read...

"Modify the default CEF header format to make sure we always have 7 fields in CEF header as Sentinel log analytics agent can only parse fixed header (7 fields in header) a. > For example, log types “Global Protect” have only 6 fields, and SCTP only have 5 fields in the default configuration. We can introduce dummy fields to make sure we have 7 fields"

Haven't made the change on our side yet, so can't confirm this is the smoking gun, but it looks promising.

View solution in original post

0 Likes
Reply