When you configure Palo Alto Networks Traps to send log data to USM Appliance, you can use the Palo Alto Networks Traps plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information

Device	Details
Vendor	Palo Alto Networks
Device Type	Endpoint Security
Connection Type	Syslog
Data Source Name	Paloalto-traps
Data Source ID	1919

Integrating Palo Alto Networks Traps

To configure Palo Alto Networks Traps to send Syslog messages to USM Appliance

1. From the ESM Console, select Settings > ESM > Syslog, and then select Enable Syslog.
2. Configure Palo Alto Networks Traps to send logs from ESM components to an external logging platform, USM Appliance, by specifying the following settings:
   • Syslog Server — Hostname or IP address of the USM Appliance Sensor.
   • Transport — UDP, TCP, or SSL
   • Port — 514 for UDP, 601 for TCP, or 6514 for TSL/SSL
   • Format — BSD (default), or IETF
   • Facility — the syslog standard value your server uses to manage messages
3. Click OK to create your profile.

To use the log forwarding profile in your security profile

1. Go to Policy > Security.
2. Click the rule that needs to be forwarded to open its policy rule settings window.
3. In the Security Policy Rule window, click the Actions tab.
4. In the Log Forwarding drop-down, select the profile you created and make sure that the Log at Session End box is checked.
5. Click OK.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-admin-guide/reports-and-logging/forward-logs-to-an-external-logging-platform/enable-log-forwarding-to-an-external-logging-platform.html

For troubleshooting, refer to the vendor documentation:

https://www.paloaltonetworks.com/documentation/34/endpoint/endpoint-admin-guide/troubleshooting/traps-troubleshooting-resources