PCI Compliance for Palo Alto Networks のログの収集
このページでは、PCI Compliance for Palo Alto Networks アプリケーションのログを収集する方法を説明します。
ログ タイプ
PCI Compliance for Palo Alto Networks アプリケーションでのパースは、PAN-OS Syslog 統合に基づきます (「PAN-OS Syslog Integration (PAN-OS Syslog 統合)」を参照)。
前提条件/要件
- Palo Alto Networks ヘルプの「Configure Syslog Monitoring (Syslog モニタリングの設定)」で説明しているように、Palo Alto Networks デバイスの Syslog モニタリングを設定します。
- このアプリケーションは、Palo Alto Networks v7 および v8 をサポートしています。
- PCI Compliance for Palo Alto Networks アプリケーションでのパースは、「Traffic Log Fields (トラフィック ログ フィールド)」で説明している情報に基づきます。
コレクタおよびソースの設定
このステップでは、インストール済みコレクタと、Palo Alto Networks デバイスからログおよびイベントを受信する Syslog サーバとして機能する Syslog ソースを設定します。
- インストール済みコレクタの設定
- Syslog ソースをインストール済みコレクタに追加します。
- Name (名前)。(必須) 名前は必須です。
- Description (説明)。省略可能。
- Protocol (プロトコル): UDP または TCP。 Syslog モニタリング用に Palo Alto Networks で設定したプロトコルを選択します。
- Port (ポート): ポート番号。Syslog モニタリング用に Palo Alto Networks で設定したポートを選択します。
- Source Category (ソース カテゴリ)。(必須) [Source Category (ソース カテゴリ)] メタデータ フィールドは、ソースを整理してラベル付けするための基本的な構成要素です。詳細については、「ベスト プラクティス」を参照してください。
- [Save (保存)] をクリックします。
フィールド抽出ルール
トラフィック ログのパース
_sourceCategory=Loggen/PAN/Traffic TRAFFIC
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as dest_ip, 10 as NAT_src_ip, 11 as NAT_dest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as inbound_interface, 20 as outbound_interface, 21 as LogAction, 22 as f3, 23 as SessonID, 24 as RepeatCount, 25 as src_port, 26 as dest_port, 27 as NAT_src_port, 28 as NAT_dest_port, 29 as flags, 30 as protocol, 31 as action,32 as bytes, 33 as bytes_sent, 34 as bytes_recv, 35 as Packets, 36 as StartTime, 37 as ElapsedTime, 38 as Category, 39 as f4, 40 as seqNum, 41 as ActionFlags, 42 as src_Country, 43 as dest_country, 44 as pkts_sent, 45 as pkts_received, 46 as session_end_reason, 47 as Device_Group_Hierarchy , 48 as vsys_Name, 49 as DeviceName, 50 as action_source, 51 as Source_VM_UUID, 52 as Destination_VM_UUID, 53 as Tunnel_ID_IMSI, 54 as Monitor_Tag_IMEI, 55 as Parent_Session_ID, 56 as parent_start_time, 57 as Tunnel, 58 as SCTP_Association_ID, 59 as SCTP_Chunks, 60 as SCTP_Chunks_Sent, 61 as SCTP_Chunks_Received
ログ メッセージのサンプル
トラフィック ログのサンプル
Sep 05 12:45:15 SumoStg05 0,2018/09/05 12:45:15,012345678901,TRAFFIC,end,0,2018/09/05 12:45:15,182.80.119.50,176.164.175.181,,,Unexpected Traffic,,npande,ping,vsys3,z1-FW-Transit,z3-Sumo-DMZ,ethernet1/2,ethernet1/2,LOGreset-both,2018/09/05 12:45:15,9434,1,0,0,0,0,0x100064,icmp,allow,122,122,0,1,2018/09/05 12:45:15,0,any,0,5134220147,0x8000000000000000,United States,10.0.0.0-10.255.255.255,0,1,0,aged-out,31,42,0,0,,SumoStg05,from-policy,,,0,,0,,N/A
クエリのサンプル
一定期間にわたる拒否されたトラフィック
_sourceCategory=Loggen/PAN/Traffic TRAFFIC deny
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as dest_ip, 10 as NAT_src_ip, 11 as NAT_dest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as inbound_interface, 20 as outbound_interface, 21 as LogAction, 22 as f3, 23 as SessonID, 24 as RepeatCount, 25 as src_port, 26 as dest_port, 27 as NAT_src_port, 28 as NAT_dest_port, 29 as flags, 30 as protocol, 31 as action,32 as bytes, 33 as bytes_sent, 34 as bytes_recv, 35 as Packets, 36 as StartTime, 37 as ElapsedTime, 38 as Category, 39 as f4, 40 as seqNum, 41 as ActionFlags, 42 as src_Country, 43 as dest_country, 44 as pkts_sent, 45 as pkts_received, 46 as session_end_reason, 47 as Device_Group_Hierarchy , 48 as vsys_Name, 49 as DeviceName, 50 as action_source, 51 as Source_VM_UUID, 52 as Destination_VM_UUID, 53 as Tunnel_ID_IMSI, 54 as Monitor_Tag_IMEI, 55 as Parent_Session_ID, 56 as parent_start_time, 57 as Tunnel, 58 as SCTP_Association_ID, 59 as SCTP_Chunks, 60 as SCTP_Chunks_Sent, 61 as SCTP_Chunks_Received
| where type = "TRAFFIC" and action="deny"
| timeslice 5m
| count by _timeslice