Palo Alto Log Ingestion Issues with Security Onion Forward Node #14067
Unanswered
mckenziemmack asked this question in 2.4
Replies: 1 comment
Try setting the integration policy to 0.0.0.0. You can add the integration to your forward node's agent policy. You mentioned allowing the traffic through the host firewall, so at that point you should see logs being ingested.
Version: 2.4.110
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 64
RAM: 251G
Storage for /: 558G
Storage for /nsm: 38T
Network Traffic Collection: tap
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
Hello!
I'm running Security Onion in a distributed setup with a manager, forward, and storage node. I'm attempting to ingest logs from my Palo Alto Next-Generation Firewall using the Elastic Integration, specifically targeting my forward node.
The Palo Alto integration policy is configured with the forward node's IP address and TCP port. I've also added the forward node's IP to the Security Onion Console under "Administration -> Configuration -> firewall -> hostgroups -> syslog" and the port under "Administration -> Configuration -> firewall -> portgroups -> syslog."
I believe I am missing a step or two, and I would appreciate any guidance or troubleshooting tips for successfully ingesting TCP logs from my Palo Alto firewall into the Security Onion forward node.
Thank you.
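The setup described in the question has three things that must all line up before anything shows up in Elastic: the integration's TCP input must be listening on the configured port, the host firewall (the syslog hostgroup and portgroup) must admit the firewall's source IP on that port, and the firewall must send line-framed syslog over TCP. The script below is an added example, not code from Security Onion, Elastic, or the poster. It builds a syslog line around a constructed PAN-OS-style CSV body (serial number, rule name and hostname are placeholders), probes whether a TCP port accepts connections, sends the line, and, to stay runnable offline, stands up a loopback listener in place of the integration's input so the round trip can be checked end to end. The newline framing and the sample message are assumptions about the format, not something the page states.

```python
"""Loopback check for a TCP syslog ingestion path (added example; not Security Onion or Elastic code)."""
import socket
import threading

# Constructed sample: a PAN-OS traffic-log-style CSV body with placeholder values
# (not a real device record; serial number and rule name are placeholders).
SAMPLE_PAN_MSG = (
    "1,2024/01/01 12:00:00,PLACEHOLDER_SERIAL,TRAFFIC,end,2561,2024/01/01 12:00:00,"
    "10.0.0.5,192.0.2.10,0.0.0.0,0.0.0.0,PLACEHOLDER_RULE"
)


def build_syslog_line(hostname: str, msg: str, facility: int = 1, severity: int = 6) -> bytes:
    """Wrap msg in a minimal RFC 3164 header and terminate it with LF, the framing a
    line-oriented TCP syslog input reads (assumed here; check the input's own setting)."""
    pri = facility * 8 + severity          # <14> = user-level facility, informational severity
    timestamp = "Jan  1 12:00:00"           # fixed constructed timestamp so the output is reproducible
    return f"<{pri}>{timestamp} {hostname} {msg}\n".encode()


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect succeeds: the listener is up and the host firewall admits this source."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_syslog_tcp(host: str, port: int, line: bytes, timeout: float = 2.0) -> bool:
    """Deliver one framed syslog line over TCP; False on connect or send failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(line)
        return True
    except OSError:
        return False


def _loopback_listener(ready: threading.Event, port_box: list, received: list) -> None:
    """Stand-in for the integration's TCP input: accepts connections until one
    non-empty LF-terminated line arrives (bare connect probes are ignored)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))              # ephemeral port on loopback only
    srv.listen(5)
    port_box.append(srv.getsockname()[1])
    ready.set()
    while True:
        conn, _ = srv.accept()
        with conn:
            data = b""
            while not data.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        if data:
            received.append(data)
            break
    srv.close()


def run_loopback_check(hostname: str = "pa-fw-placeholder") -> dict:
    """Run the full probe -> send -> receive cycle against the loopback listener and report each step."""
    ready, port_box, received = threading.Event(), [], []
    t = threading.Thread(target=_loopback_listener, args=(ready, port_box, received), daemon=True)
    t.start()
    ready.wait(5)
    port = port_box[0]
    line = build_syslog_line(hostname, SAMPLE_PAN_MSG)
    result = {
        "port": port,
        "port_open_before": tcp_port_open("127.0.0.1", port),   # listener reachable?
        "sent": send_syslog_tcp("127.0.0.1", port, line),        # delivery succeeded?
    }
    t.join(5)
    result["received"] = received[0] if received else b""
    result["matches_sent"] = result["received"] == line          # framing survived intact?
    result["port_open_after"] = tcp_port_open("127.0.0.1", port) # listener gone -> refused
    return result


if __name__ == "__main__":
    for key, value in run_loopback_check().items():
        print(f"{key}: {value!r}")
```

Against a real deployment the useful calls are `tcp_port_open` and `send_syslog_tcp` pointed at the forward node's IP and the portgroup's TCP port, run from a host whose address is in the syslog hostgroup: a failed connect isolates the problem to the listener or the host firewall, while a successful send with no document in Elastic points at the integration policy or the input's framing instead.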