The tags beginning with firewall.paloalto identify log events generated by the Palo Alto Networks Firewall.
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.
The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and must be one of config, system, threat, or traffic. This will be determined dynamically by the rule you define on the Devo Relay. The fourth element is not used.
Therefore, the valid tags are:
For more information, read more about Devo tags.
Devo Relay rule
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The rule identifies the event's type by the source port that it was received on and by whether it matches a format defined by a regular expression.
When the source conditions are met, the relay will apply a tag that begins with firewall.paloalto. A regular expression in the Source Data field describes the format of the event data. Data is extracted from the event and used to create the third tag level.
Define the rule using the following values (the port number can be any free port on your relay):
- Source Port → 13004
- Source Data → ^[^,]+,[^,]+,[^,]+,([^,]+).*$
- Target Tag → firewall.paloalto.\\D1
- Check the Sent without syslog tag checkbox
Palo Alto Firewall configuration
In Pan-OS, you will need to create a Syslog Server Profile for your Devo Relay, as well as the necessary Log Forwarding Profiles and Security Policy Rules. See the vendor documentation for instructions.
If you want to send your Palo Alto firewall events to a Devo relay that resides in a different network, check out the article about sending events to the Devo relay using SSL.