Set Up Syslog Forwarding to Microsoft Sentinel

Learn how to set up syslog forwarding to Microsoft Sentinel.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
If you need to fulfill your organization's legal compliance requirements, you can easily forward firewall logs stored in Strata Logging Service (formerly Cortex Data Lake) to external destinations through Prisma Access. For example, you can forward logs using syslog to a SIEM for long-term storage, SOC use, or internal audit obligations.
You can forward logs to Microsoft Sentinel. Before you begin, make sure you have set up a Sentinel Log Analytics workspace, and create a self-signed certificate or obtain a publicly signed certificate for the syslog receiver.
  1. Log in to your Microsoft Azure account.
  2. Create and deploy a data connector for Strata Logging Service.
    1. Search for Sentinel in your Azure account.
    2. Select Microsoft Sentinel > (your workspace) > Content hub.
    3. Search for Palo Alto Networks Cortex Data Lake, select it, and install it.
    4. Go to Data connectors and refresh the section to view the Palo Alto Networks Cortex Data Lake (CDL) data connector.
  3. Configure the Linux Syslog agent according to the instructions shown in Microsoft Sentinel.
    1. Select the Strata Logging Service data connector.
    2. Select Open connector page.
    3. Configure the Linux agent according to the instructions.
    It takes some time before you can see whether the connection is successful. You can view the number of data connectors deployed in Sentinel, which is 1 in this scenario.
  4. From Prisma Access, open the Strata Logging Service app associated with your tenant.
    Go to Prisma Access > Tenants and Services > Strata Logging Service.
  5. Select Log Forwarding.
  6. Add a Syslog forwarding profile.
  7. Configure the Syslog forwarding Profile.
    1. Enter the required values and information.
    2. Enter the Syslog server IPv4 address or FQDN.
      Ensure that the value entered here matches the Subject Alternative Name (SAN) of the certificate installed on your syslog server.
    3. Enter the port on which the syslog server is listening, and the syslog facility.
    4. Upload a self-signed certificate or a publicly signed certificate.
    5. Select Test Connection to ensure that Strata Logging Service can communicate with the receiver.
  8. Click Next, and select the CEF format to forward logs.
    Select only the CEF format.
  9. Select the logs you want to forward by adding appropriate filters.
  10. Save the changes.
    The status of the Syslog profile takes some time to change from Provisioning to Running.
  11. (Optional) Verify that the logs are forwarded to Microsoft Sentinel.
    1. Log in to Microsoft Sentinel.
    2. Go to Logs and run an appropriate query.
      The forwarded logs appear.
  12. (Optional) Add a workbook in your workspace to visualize and monitor the data.
    1. Go to Workbooks > Templates.
    2. Search for the Palo Alto Networks Cortex Data Lake workbook with Content hub as the content source.
    3. Select View template to view the populated data.
    4. (Optional) Save the template to edit it.
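The following is an added example, not part of this documentation or of any Palo Alto Networks or Microsoft tool: a check for the certificate requirement in step 7 (the receiver address entered in the forwarding profile must match the certificate's SAN). It parses the SAN line as printed by `openssl x509 -in receiver.pem -noout -ext subjectAltName` (assumed output format) and applies RFC 6125-style matching; the SAN values and receiver addresses below are constructed.

```python
"""Check that the syslog receiver address configured in a Strata Logging
Service forwarding profile is covered by the receiver certificate's SAN.
Input is the subjectAltName text as printed by `openssl x509 -noout -ext
subjectAltName` (assumed format). All sample values are constructed."""
import ipaddress
import re


def parse_openssl_san(text: str) -> dict:
    """Return {'dns': [names], 'ip': [ip_address objects]} from openssl output."""
    sans = {"dns": [], "ip": []}
    # Entries look like "DNS:host" or "IP Address:10.0.0.1"; IPv6 has no commas/spaces.
    for kind, value in re.findall(r"(?i)\b(DNS|IP Address):([^,\s]+)", text):
        if kind.lower() == "dns":
            sans["dns"].append(value.lower().rstrip("."))
        else:
            sans["ip"].append(ipaddress.ip_address(value))
    return sans


def _dns_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*' wildcard covering exactly one leftmost label
    with at least two fixed labels remaining (e.g. *.logs.example.internal)."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    fixed = pattern.split(".")[1:]
    labels = host.split(".")
    return len(fixed) >= 2 and len(labels) == len(fixed) + 1 and labels[1:] == fixed


def receiver_matches_san(configured: str, san_text: str) -> bool:
    """True when the FQDN or IP address entered in the profile is covered."""
    sans = parse_openssl_san(san_text)
    try:
        ip = ipaddress.ip_address(configured.strip())
    except ValueError:  # not an IP literal, so treat it as an FQDN
        host = configured.strip().lower().rstrip(".")
        return any(_dns_matches(p, host) for p in sans["dns"])
    # An IP entered in the profile needs an iPAddress SAN; a DNS entry that
    # happens to spell out the dotted quad does not satisfy the check.
    return ip in sans["ip"]


# Constructed SAN of a self-signed receiver certificate.
SAMPLE_SAN = """X509v3 Subject Alternative Name:
    DNS:syslog.example.internal, DNS:*.logs.example.internal, IP Address:10.20.30.40"""

if __name__ == "__main__":
    for value in ("syslog.example.internal", "10.20.30.40",
                  "collector.logs.example.internal", "10.20.30.41"):
        print(f"{value:36} {'OK' if receiver_matches_san(value, SAMPLE_SAN) else 'SAN mismatch'}")
```

Run it against the real certificate's SAN output before uploading the certificate in step 7.4, so that Test Connection failures are not chased down to a name mismatch.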