Absent Member.

Palo Alto Mapping Problem

Hey,

I am facing a problem in mapping the events from Palo Alto to ArcSight. I have used both mappings shown in the discussion (https://protect724.arcsight.com/docs/DOC-1194) but nothing happened.

All the event parameters are shown in one ArcSight field, "Name", like the following:

"1,2011/03/28 15:39:30,0003C100979,SYSTEM,general,0,2011/03/28 15:39:30,,auth-fail,,0,0,general,informational,User 'cabps\sddddddddd' failed authentication. Reason: Invalid username/password"

I did exactly what is mentioned in the "External Release - ArcSight Flexconnector - Palo Alto Networks - Release notes.zip"

and I put the "pan.sdkrfilereader.properties" in the Syslog Connector /Current/User/Agent/Flexagent/Syslog directory.

My syslog connector version is 5.0.4.5717.0

My Palo Alto OS version is 3.1.4

Can you please help me find the problem and solve it?

Admiral

Why do you bother creating a FlexConnector for Palo Alto, which now supports CEF format?

Check the attached document on how to configure the Palo Alto with CEF format. Please note you can modify yourselves the way CEF format is used, as there are some inconsistencies (like the name being "TRAFFIC" for allowed and denied events).

Let me know if it helps

Gaetan

Absent Member.

Hey,

But my Palo Alto OS version is 3.1.7. If I am not able to upgrade my OS, can you help me find a solution?

Absent Member.

I have upgraded my Palo Alto OS version to 4.0.1, and I did exactly what is mentioned in the Palo Alto Networks CEF Configuration Guide v6[1].pdf. I copied the CEF format for each type (Threat, Traffic, System, Config), but it didn't work.

Before I did that, the events were all set in the Name field, but now there is just "System auth success", as an example, in the Name field, and all the other fields are empty.

The connector version is 5.0.4.5717.0

Please, can you help me?

Thank you

Admiral

Let's first look at whether the problem comes from the parsing or from the Palo Alto log export. Could you activate the "preserve raw events" field in your connector tab on ESM? Then look in the raw event field to see if the event format looks correct (CEF:0 ...). If not, the problem comes from the Palo Alto, and I suggest you delete the current log config and restart from scratch according to the procedure described in the manual.

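The raw-event check suggested in the last reply, as an added example that is not part of the original thread and is not ArcSight or Palo Alto code: given the text of the connector's raw event field, it decides whether the line is CEF (so the connector should be parsing it) or is still the legacy comma-separated PAN-OS syslog format that the FlexConnector expected, and pulls the fields out either way. The legacy sample is the line from the first post; the CEF line is constructed for illustration and does not claim to reproduce the exact fields Palo Alto's CEF configuration emits, and the column labels for the legacy format are assumed from the sample's layout.

```python
"""Triage helper for the "preserve raw events" check: classify a raw event as
CEF or legacy PAN-OS CSV and extract fields from it.

Added example, not part of the original thread and not ArcSight or Palo Alto
code. CEF_EVENT is constructed; LEGACY_SYSTEM_FIELDS are assumed labels.
"""
import re

CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# Assumed labels for the 15 comma-separated columns of the legacy SYSTEM log.
LEGACY_SYSTEM_FIELDS = ("domain", "receive_time", "serial", "type", "subtype",
                        "config_version", "time_generated", "vsys", "event_id",
                        "object", "fmt", "id", "module", "severity", "description")

# Raw event copied from the first post of the thread.
LEGACY_EVENT = ("1,2011/03/28 15:39:30,0003C100979,SYSTEM,general,0,"
                "2011/03/28 15:39:30,,auth-fail,,0,0,general,informational,"
                "User 'cabps\\sddddddddd' failed authentication. "
                "Reason: Invalid username/password")

# Constructed CEF rendering of the same event (assumed shape, illustration only).
CEF_EVENT = ("CEF:0|Palo Alto Networks|PAN-OS|4.0.1|auth-fail|System auth fail|3|"
             "rt=Mar 28 2011 15:39:30 suser=cabps\\\\sddddddddd "
             "msg=User failed authentication. Reason: Invalid username/password")


def classify(raw):
    """'cef', 'legacy-csv' or 'unknown': the check the last reply asks for."""
    if raw.startswith("CEF:"):
        return "cef"
    cols = raw.split(",")
    if len(cols) >= 5 and cols[3] in ("TRAFFIC", "THREAT", "SYSTEM", "CONFIG"):
        return "legacy-csv"
    return "unknown"


def _split_unescaped(text, sep, maxsplit=-1):
    """Split on sep, skipping backslash-escaped separators (CEF escapes | and =)."""
    parts, start, i = [], 0, 0
    while i < len(text) and maxsplit != 0:
        if text[i] == "\\":
            i += 2          # escaped character is never a separator
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
            maxsplit -= 1
        i += 1
    parts.append(text[start:])
    return parts


def _unescape(value):
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(raw):
    """Return (header, extensions) for a CEF line; ValueError if the header is malformed."""
    if not raw.startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % raw[:40])
    parts = _split_unescaped(raw[len("CEF:"):], "|", maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields, got %d" % (len(parts) - 1))
    header = dict(zip(CEF_HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    extensions = {}
    # Extension is "key=value key=value"; values may contain spaces, so split
    # only at a space that is directly followed by another key=.
    for token in re.split(r" (?=[A-Za-z0-9_.]+=)", parts[7].strip()):
        if token:
            key, _, value = token.partition("=")
            extensions[key] = _unescape(value)
    return header, extensions


def parse_legacy_system(raw):
    """Positional parse of a legacy SYSTEM line. The free-text description is the
    last column and may itself contain commas, so split at most 14 times."""
    cols = raw.split(",", len(LEGACY_SYSTEM_FIELDS) - 1)
    if len(cols) != len(LEGACY_SYSTEM_FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(LEGACY_SYSTEM_FIELDS), len(cols)))
    return dict(zip(LEGACY_SYSTEM_FIELDS, cols))


def triage(raw):
    """Format of the raw event plus the event name and severity it carries."""
    kind = classify(raw)
    if kind == "cef":
        header, ext = parse_cef(raw)
        return kind, header["name"], header["severity"], ext
    if kind == "legacy-csv":
        fields = parse_legacy_system(raw)
        return kind, fields["event_id"], fields["severity"], fields
    return kind, None, None, {}


if __name__ == "__main__":
    for line in (LEGACY_EVENT, CEF_EVENT, "not a firewall event"):
        print(triage(line)[:3])
```

If `classify` reports `legacy-csv` for lines the firewall should now be sending as CEF, the log export configuration on the Palo Alto side is what needs redoing, as the reply says; if it reports `cef` but `parse_cef` raises on the header, the format string configured on the firewall is malformed and the connector would likewise be unable to map it.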