Set Up Syslog Forwarding to Microsoft Sentinel

You can forward Cortex Data Lake logs to Microsoft Sentinel over syslog. Before you begin, set up a Sentinel Log Analytics workspace and obtain a certificate for the syslog receiver: either a self-signed certificate or one issued by a public CA.
  1. Log in to your Microsoft Azure account.
  2. Create and deploy a data connector for Cortex Data Lake.
    1. Search for Sentinel in your Azure account.
    2. Select
      Microsoft Sentinel
      (your workspace)
      Content hub
    3. Search and select
      Palo Alto Networks Cortex Data Lake
      and install it.
    4. Go to
      Data connectors
      and refresh the section to view the
      Palo Alto Networks Cortex Data Lake
      data connector.
  3. Configure the Linux syslog agent according to the instructions shown in Microsoft Sentinel.
    1. Select the Cortex Data Lake data connector.
    2. Select
      Open connector page
    3. Configure the Linux agent according to the instructions.
    It can take some time before the connection shows as successful. Sentinel displays the number of data connectors deployed, which is 1 in this scenario.
  4. From Prisma Access, open the Cortex Data Lake app associated with your tenant.
    Go to
    Prisma Access
    Tenants and Services
    Cortex Data Lake
  5. Select
    Log Forwarding
  6. Add a Syslog forwarding profile.
  7. Configure the Syslog forwarding Profile.
    1. Enter the required values and information.
    2. Enter the Syslog server IPv4 address or FQDN.
      Ensure that the value entered here matches a Subject Alternative Name (SAN) of the certificate installed on your syslog server: an FQDN must appear as a DNS SAN entry, an IPv4 address as an IP address SAN entry.
    3. Enter the port on which the syslog server is listening and the syslog facility.
    4. Upload a self-signed certificate or a publicly signed certificate.
    5. Test Connection
      to ensure that Cortex Data Lake can communicate with the receiver.
  8. Click
    , and select the
    format to forward logs.
    Select only the
  9. Select the logs you want to forward, by adding appropriate filters.
  10. Save
    the changes.
    The status of the Syslog profile takes some time to change from
  11. (
    ) Verify that the logs are being forwarded to Microsoft Sentinel.
    1. Log in to Microsoft Sentinel.
    2. Go to
      and run an appropriate query.
      The forwarded logs appear.
  12. (
    ) Add a workbook in your workspace to visualize and monitor the data.
    1. Go to
    2. Search for the
      Palo Alto Networks Cortex Data Lake
      workbook with
      Content hub
      as the content source.
    3. View template
      to view the populated data.
    4. (
      the template to edit it.
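The certificate requirement in step 7 (the FQDN or IPv4 address entered in the forwarding profile must match a SAN entry of the receiver's certificate) is the part of this procedure most often got wrong. The following script is an added example, not code from this page, from Palo Alto Networks or from Microsoft: it creates a self-signed receiver certificate with the right SAN entries, checks a candidate value against the certificate before you type it into the profile, and prints a minimal rsyslog TLS listener configuration. The hostname syslog.example.com, the address 10.0.0.5, the output paths and port 6514 are placeholders; OpenSSL 1.1.1 or later and rsyslog with the gtls driver are assumed, and the rsyslog fragment is a minimal listener of my own, not the agent configuration that the Sentinel connector page generates.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks page): self-signed certificate
# for the syslog receiver whose SAN matches what goes into the Cortex Data Lake
# syslog forwarding profile, plus a SAN check and a minimal rsyslog TLS listener.
# Assumptions: openssl >= 1.1.1 is installed; names, paths and port are placeholders.
set -eu

# Create key + self-signed cert. SAN gets DNS:<fqdn> and, if given, IP:<ipv4>,
# so either value can be entered in the profile. Prints the certificate path.
make_receiver_cert() {
    local fqdn="$1" outdir="$2" ip="${3:-}" san
    san="DNS:$fqdn"
    if [ -n "$ip" ]; then san="$san,IP:$ip"; fi
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$outdir/syslog-receiver.key" -out "$outdir/syslog-receiver.crt" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=$san" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth"
    echo "$outdir/syslog-receiver.crt"
}

# Print the SAN entries of a certificate, one per line ("DNS:host", "IP Address:a.b.c.d").
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//' | sed '/^$/d'
}

# Return 0 if the value that will be entered in the profile matches a SAN entry
# of the right type: a dotted IPv4 address must be an IP SAN, anything else a DNS SAN.
# Comparison is case-insensitive, as DNS names are.
san_matches() {
    local cert="$1" value want
    value=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$value" in
        *[!0-9.]*) want="dns:$value" ;;
        *)         want="ip address:$value" ;;
    esac
    # grep without -q reads all input, so no SIGPIPE surprises in the pipeline.
    cert_sans "$cert" | tr '[:upper:]' '[:lower:]' | grep -xF -- "$want" >/dev/null
}

# Print a minimal rsyslog TLS listener (assumed configuration, not the one the
# Sentinel connector generates): TLS only, no client certificate required,
# the self-signed cert doubles as its own CA file.
rsyslog_tls_listener_conf() {
    local cert="$1" key="$2" port="${3:-6514}"
    cat <<EOF
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="$cert"
  DefaultNetstreamDriverCertFile="$cert"
  DefaultNetstreamDriverKeyFile="$key"
)
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="anon")
input(type="imtcp" port="$port")
EOF
}

# Stand-alone demo (run as: sh script.sh demo): placeholder FQDN and address, temp dir.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    crt=$(make_receiver_cert syslog.example.com "$dir" 10.0.0.5)
    cert_sans "$crt"
    san_matches "$crt" syslog.example.com && echo "FQDN matches a DNS SAN"
    san_matches "$crt" 10.0.0.5 && echo "IPv4 address matches an IP SAN"
    rsyslog_tls_listener_conf "$crt" "$dir/syslog-receiver.key" 6514
fi
```

Run `san_matches` with exactly the string you intend to enter in the profile before you save it; a mismatch between that string and the SAN is what makes Test Connection in step 7 fail even though the receiver is reachable. The Test Connection button in the profile remains the authoritative check, since it exercises the path from Cortex Data Lake itself.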
