Event Interoperability Standard

Common Event Format Configuration Guide
Palo Alto Networks PAN-OS 4.0.0 Date: March 2, 2011

ArcSight Technical Note – Contains Confidential and Proprietary Information

Revision History

Date       | Description
-----------|--------------------------------------------
02/25/2011 | First edition of this Configuration Guide.
03/02/2011 |

Certified CEF Compliant: PAN-OS 4.0.0

PAN-OS 4.0.0 CEF Configuration Guide

This guide provides information for configuring the Palo Alto Networks next-generation firewalls for CEF-formatted syslog event collection. PAN-OS version 4.0 or higher is supported.

Overview

Palo Alto Networks’ next-generation firewalls provide network security by enabling enterprises to see and control applications, users, and content – not just ports, IP addresses, and packets – using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies, found in Palo Alto Networks’ enterprise firewalls, enable enterprises to create business-relevant security policies – safely enabling organizations to adopt new applications, instead of the traditional “all-or-nothing” approach offered by traditional port-blocking firewalls used in many security infrastructures.

Next-generation firewall model families include Palo Alto Networks’ PA-5000 Series, PA-4000 Series, PA-2000 Series, and the PA-500, and range from 250Mbps to 20Gbps in throughput capacity. Delivered as a purpose-built appliance, every Palo Alto Networks next-generation firewall utilizes dedicated, function-specific processing that is tightly integrated with a single-pass software engine. This unique combination of hardware and software maximizes network throughput while minimizing latency. Each of the hardware platforms supports the same rich set of next-generation firewall features, ensuring consistent operation across the entire line.

Configuration

Configure the Palo Alto Networks device for ArcSight CEF-formatted syslog events based on information from the PAN-OS administrator’s guide.

1. Open the UI and select the ‘Device’ tab.
2. On the left-hand side select ‘Syslog’ under ‘Server Profiles’ and click ‘Add’.
3. In the ‘Syslog Server Profile’ dialog enter a server profile ‘Name’ and ‘Location’ (location refers to a Virtual System).
4. Select the ‘Servers’ tab and click ‘Add’ to provide a name for the Syslog server, its IP address, Port (default 514), and Facility (default LOG_USER).
5. Select the ‘Custom Log Format’ tab and click on any of the listed log types (Config/System/Threat/Traffic/HIPMatch) to define a custom format based on the ArcSight CEF for that log type. The table below shows the CEF-style format that was used during the certification process for each log type.

NOTE: Customers can choose to define their own CEF-style formats using the event mapping table provided in addition to this document. These custom formats include all the fields that are displayed in the default format of the syslogs, in a similar order. The ‘Custom Log Format’ tab supports escaping any characters defined in the CEF as special characters. For instance, to escape the backslash and equal characters by a backslash, specify ‘\=’ as the ‘Escaped characters’ and ‘\’ as the ‘Escape character’.

Traffic
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes cn2Label=Packets cn2=$packets start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category

Threat
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action msg=$misc cs2Label=URL Category cs2=$category deviceDirection=$direction

Config
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path

System
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $eventid|$type $eventid|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$fmt

HIP Match
CEF:0|Palo Alto Networks|PAN-OS|4.0.0|$subtype $hip|$type $hiptype|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt


Screen Shot

[Screenshot not included: the ‘Active Channel’ page on the ArcSight CEF Server showing the events generated by a Palo Alto Networks device.]

Events

The different log types for which syslogs are generated include TRAFFIC, THREAT, CONFIG, SYSTEM, and HIP MATCH. For the SYSTEM events, the $eventid field captures the specific event associated with that log. Refer to the ‘System Logs’ document for a listing of all the events grouped by the system area.

Device Event Mapping to ArcSight Data Fields

Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, and then mapped to an ArcSight data field. The Extension Dictionary below lists Palo Alto Networks-specific event definitions and their mapping to ArcSight CEF data fields.

Prefix fields

Definitions of Prefix Fields and their values for syslog messages generated by Palo Alto Networks firewalls.

CEF Name | Data type | Meaning | Palo Alto Networks Value
---------|-----------|---------|-------------------------
Version | Integer | Identifies the version of the CEF format. | 0
Device Vendor | String | | ‘Palo Alto Networks’
Device Product | String | | ‘PAN-OS’
Device Version | String | | Configurable, e.g. ‘4.0.0’
Signature ID | String | Unique identifier per event-type. | Value is event-type specific: Traffic: $subtype; Threat: $subtype $threatid; Config: $subtype $result; System: $subtype $eventid; HIP: $subtype $hip
Name | String | Represents a human-readable and understandable description of the event. | Value is event-type specific: Traffic: $type; Threat: $type; Config: $type; System: $type $eventid; HIP Match: $type $hiptype
Severity | Integer | Reflects the importance of the event. Only numbers from 0 to 10 are allowed, where 10 indicates the most important event. | $number-of-severity (always 1 for traffic, config, and HIP events)

Extension Dictionary

CEF Key Name | Full Name | Data Type | Length | Meaning | Palo Alto Networks Value Field
-------------|-----------|-----------|--------|---------|-------------------------------
act | deviceAction | String | 63 | Action mentioned in the event. | Value is event-type specific: Traffic: $action; Threat: $action; Config: $cmd
app | ApplicationProtocol | String | 31 | Application level protocol; example values are: HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, etc. | $app
cat | deviceEventCategory | String | 1023 | Represents the category assigned by the originating device. Devices oftentimes use their own categorization schema to classify events. |
cn1 | deviceCustomNumber1 | Long | | SessionID | $sessionid
cn1Label | deviceCustomNumber1Label | String | 1023 | | SessionID
cn2 | deviceCustomNumber2 | Long | | Packets | $packets
cn2Label | deviceCustomNumber2Label | String | 1023 | | Packets
cn3 | deviceCustomNumber3 | Long | | Elapsed time | $elapsed
cn3Label | deviceCustomNumber3Label | String | 1023 | | Elapsed time in seconds
cnt | baseEventCount | Integer | | A count associated with this event. How many times was this same event observed? | $repeatcnt
cs1 | deviceCustomString1 | String | 1023 | Rule | $rule
cs1Label | deviceCustomString1Label | String | 1023 | | Rule
cs2 | deviceCustomString2 | String | 1023 | URL Category | $category
cs2Label | deviceCustomString2Label | String | 1023 | | URL Category
cs3 | deviceCustomString3 | String | 1023 | Vsys | $vsys
cs3Label | deviceCustomString3Label | String | 1023 | | Virtual System
cs4 | deviceCustomString4 | String | 1023 | Srczone | $from
cs4Label | deviceCustomString4Label | String | 1023 | | Source Zone
cs5 | deviceCustomString5 | String | 1023 | Dstzone | $to
cs5Label | deviceCustomString5Label | String | 1023 | | Destination Zone
cs6 | deviceCustomString6 | String | 1023 | LogProfile | $logset
cs6Label | deviceCustomString6Label | String | 1023 | | LogProfile
destinationServiceName | | String | 1023 | The service which is targeted by this event. | Value is event-type specific: Config: $client
destinationTranslatedAddress | | IPv4 Address | | Identifies the translated destination that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | $natdst
destinationTranslatedPort | | Integer | | Port after it was translated, for example, by a firewall. Valid port numbers are 0 to 65535. | $natdport
deviceDirection | | String | | Any information about what direction the communication that was observed has taken. | $direction
deviceExternalId | | String | 255 | A name that uniquely identifies the device generating this event. Serial Number of the device. | $serial
deviceInboundInterface | | String | 15 | Interface on which the packet or data entered the device. | $inbound_if
deviceOutboundInterface | | String | 15 | Interface on which the packet or data left the device. | $outbound_if
dpt | destinationPort | Integer | | The valid port numbers are between 0 and 65535. | $dport
dst | destinationAddress | IPv4 Address | | Identifies the destination that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | $dst
duser | destinationUserName | String | 1023 | Identifies the destination user by name. This is the user associated with the event’s destination. Email addresses are also mapped into the UserName fields. The recipient is a candidate to put into destinationUserName. | Value is event-type specific: Traffic: $dstuser; Threat: $dstuser; Config: $admin
dvchost | deviceHostName | String | 100 | The format should be a fully qualified domain name associated with the device node, when a node is available. Examples: “host.domain.com” or “host”. | Value is event-type specific: Config: $host
flexNumber1 | | | | Total bytes (rx and tx) | $bytes
flexNumber1Label | | String | | | Total bytes
flexString1 | | String | | Flags | $flags
flexString1Label | | String | | | Flags
flexString2 | | String | | Module | Value is event-type specific: System: $module
flexString2Label | | String | | | Module
fname | filename | String | 1023 | Name of the file. | Value is event-type specific: System: $object
in | bytesIn | Integer | | Number of bytes transferred inbound. Inbound relative to the source to destination relationship, meaning that data was flowing from source to destination. | $bytes_received
msg | Message | String | 1023 | An arbitrary message giving more details about the event. Multiline entries can be produced by using \n as the new-line separator. | Value is event-type specific: Threat: $misc; System: $fmt; Config: $path
out | bytesOut | Integer | | Number of bytes transferred outbound. Outbound relative to the source to destination relationship, meaning that data was flowing from destination to source. | $bytes_sent
proto | transportProtocol | String | 31 | Identifies the Layer-4 protocol used. The possible values are protocol names such as TCP or UDP. | $proto
rt | receiptTime | Time Stamp | | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | $cef-formatted-receive_time
shost | sourceHostName | String | 1023 | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name associated with the source node, when a node is available. Examples: “host.domain.com” or “host”. | Value is event-type specific: HIP Match: $machinename
sourceTranslatedAddress | | IPv4 Address | | Identifies the translated source that the event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | $natsrc
sourceTranslatedPort | | Integer | | Port after it was translated, for example, by a firewall. Valid port numbers are 0 to 65535. | $natsport
spt | sourcePort | Integer | | The valid port numbers are 0 to 65535. | $sport
src | sourceAddress | IPv4 Address | | Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1” | $src
start | startTime | Time Stamp | | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | $cef-formatted-time_generated
suser | sourceUserName | String | 1023 | Identifies the source user by name. E-mail addresses are also mapped into the UserName fields. The sender is a candidate to put into sourceUserName. | $srcuser
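As an added example (not code from this guide, Palo Alto Networks or ArcSight), the Python below parses, on the collector side, one line produced by the Traffic format above: it splits the seven header fields, applies the escaping rule described for the ‘Custom Log Format’ tab (‘\’ as escape character, ‘\=’ and ‘\|’ as escaped characters) and resolves the cs/cn/flex label pairs from the Extension Dictionary into named fields. The sample event and every value in it (serial, addresses, rule name) are constructed.

```python
import re

# Constructed sample: one PAN-OS 4.0 TRAFFIC log rendered with the certified Traffic
# format above. Serial, addresses and rule name are made up; the rule "allow=web"
# shows the '\=' escape that the Custom Log Format tab's escaping rule produces.
SAMPLE = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.0.0|end|TRAFFIC|1|"
    "rt=Mar 02 2011 10:15:00 deviceExternalId=0001A100000 src=10.0.0.5 dst=203.0.113.9 "
    "cs1Label=Rule cs1=allow\\=web cs3Label=Virtual System cs3=vsys1 "
    "cs4Label=Source Zone cs4=trust cs5Label=Destination Zone cs5=untrust "
    "spt=51234 dpt=443 proto=tcp act=allow flexNumber1Label=Total bytes flexNumber1=8421"
)
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")


def escape_ext_value(value: str) -> str:
    """Vendor-side escaping of an extension value: backslash first, then '=' and newline."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def parse_cef(line: str) -> dict:
    """Split a CEF line into its 7 header fields ('\\|' and '\\\\' escaped) and an
    extension dict ('\\=', '\\\\', '\\n' escaped); label pairs go into 'labeled'."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:  # header ends at the 7th unescaped '|'
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if len(parts) != 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ext, fields = line[i:], {}
    # A key is word chars + '=' at start or after whitespace; an escaped '\=' inside a
    # value never matches because the backslash before it is not a word character.
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].rstrip()
        fields[m.group(1)] = re.sub(r"\\([=\\n])", lambda g: "\n" if g[1] == "n" else g[1], raw)
    labeled = {v: fields[k[:-5]] for k, v in fields.items()
               if k.endswith("Label") and k[:-5] in fields}
    event = dict(zip(HEADER, parts))
    event["version"], event["severity"] = int(parts[0].split(":", 1)[1]), int(parts[6])
    event.update(extension=fields, labeled=labeled)
    return event
```

Values with embedded spaces that themselves contain a `word=` token are ambiguous in CEF, so prefer the label pairs and keyed fields from the dictionary above over free-text parsing of `msg`.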
