When you configure Palo Alto Networks Traps to send log data to USM Appliance, you can use the Palo Alto Networks Traps plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
|Vendor||Palo Alto Networks|
|Device Type||Endpoint Security|
|Data Source Name||Paloalto-traps|
|Data Source ID||1919|
Integrating Palo Alto Networks Traps
To configure Palo Alto Networks Traps to send Syslog messages to USM Appliance
- From the ESM Console, select Settings > ESM > Syslog, and then select Enable Syslog.
- Configure Palo Alto Networks Traps to send logs from ESM components to an external logging platform, USM Appliance, by specifying the following settings:
- Syslog Server — Hostname or IP address of the USM Appliance Sensor.
- Transport — UDP, TCP, or SSL
- Port — 514 for UDP, 601 for TCP, or 6514 for TSL/SSL
- Format — BSD (default), or IETF
- Facility — the syslog standard value your server uses to manage messages
- Click OK to create your profile.
To use the log forwarding profile in your security profile
- Go to Policy > Security.
- Click the rule that needs to be forwarded to open its policy rule settings window.
- In the Security Policy Rule window, click the Actions tab.
- In the Log Forwarding dropdown, select the profile you created and make sure that the Log at Session End box is checked.
- Click OK.
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
For troubleshooting, refer to the vendor documentation: