AP Communications Co., Ltd.

Service Overview


English version of PALallax manual site is under construction now.

For the Version 1.x manual, please see here (English).

PALallax is a visualization tool for the logs of Palo Alto Networks next-generation firewalls.

By default, the following information can be visualized.
Note: with customization, more information can be visualized.

  • Log Count
  • Traffic Bytes
  • Application and port
  • Source ip and Application
  • Hostname
  • Action
  • Type/SubType
  • Source/Destination Address
  • Destination Country
  • Threat Code/Severity

Change History


Version 1.0

  • First release

Version 2.0

  • Changed the log ingestion method from SNMP Trap to Syslog
  • Updated the versions of the components used

Version 2.1

  • Support for PAN-OS 7.1

Version 2.1.2

  • Updated the versions of the components used
  • Tuned the default parameters

Version 3.0.0

  • Support for PAN-OS 8.0

Version 4.0.0

  • Support for PAN-OS 9.1
  • Support for GlobalProtect logs
  • Updated the versions of the components used

Version 4.1.0

  • Support for PAN-OS 10.1
  • Support for Prisma Access
  • Updated the versions of the components used

Version 4.2.0

System Overview Diagram


Components


PALallax uses the following components.

  • Java : 17.0.2
  • ElasticSearch : 8.1.1
  • Fluentd(td-agent) : 4.3.0
  • kibana : 8.1.1
  • nginx : 1.18.0

System Requirements


The following environment is required to run PALallax.

  • Firewall
    • PAN-OS : 9.1.x, 10.1.x, 10.2.x
    • FortiOS : 6.0 or later
    • Nozomi Networks Guardian : 21.X
  • Server (minimum requirements)
    • OS : Ubuntu 20.04 (Focal)
    • CPU >= Intel® Core™ i3, Intel® Xeon® Processor E3 Family
    • Memory (GiB) >= 8
    • Storage (GiB) >= 50

Usage


1. Installation

The installation steps are as follows (run them with root privileges).
Run them on the server on which PALallax is to be installed.

### Git clone
git clone https://github.com/ap-communications/PALallax

# Move to PALallax directory before following steps.
cd PALallax/

### Run shellscript
sudo ./install.sh 2>&1 | tee -a ./install.log
# The script sets the PALallax time zone during execution.
# We recommend using the same time zone as the devices whose logs are collected.
# A prompt like the following appears; enter the offset from UTC.
$ Time zone setting : 

# For JST
Time zone setting : +9
# For UTC
Time zone setting : 0
# For PST
Time zone setting : -8

### When installation completes, the following message is displayed.
**********************
Install completed.
**********************


2. PALallax Configuration

Next, configure the PALallax security settings.

2.1 CA certificate setup

sudo /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem --out es_ca.zip
## If unzip is not installed, install it with the following command.
sudo apt install unzip
sudo unzip /usr/share/elasticsearch/es_ca.zip -d /etc/elasticsearch/certs

## Run the following command and check the truststore password.
sudo /usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
# Note down the displayed password; it is used in the next step. PASS①

## Replace $YOUR_PASSWORD in the following command with PASS①, then run it.
sudo /usr/share/elasticsearch/jdk/bin/keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/certs/transport.p12 \
-storepass $YOUR_PASSWORD -alias es-ca -file /etc/elasticsearch/certs/ca/ca.crt


2.2 Node certificate setup

sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert \
--ca-cert /etc/elasticsearch/certs/ca/ca.crt --ca-key /etc/elasticsearch/certs/ca/ca.key \
--out /etc/elasticsearch/certs/node-certificates.p12
## When the following prompt appears, set the certificate password. If you do not want to set one, just press Enter.
Enter password for node-certificates.p12 : 
## If you set a password, note it down so you do not forget it. PASS②

## Store the password you just set in the keystore.
$ sudo /usr/share/elasticsearch/bin/elasticsearch-keystore add -f xpack.security.transport.ssl.keystore.secure_password
Enter value for xpack.security.transport.ssl.keystore.secure_password: 
## You will be asked for the new password; enter PASS②. If you did not set one, just press Enter.

## Change the permissions of the created certificate.
sudo chmod 660 /etc/elasticsearch/certs/node-certificates.p12
sudo chown root:elasticsearch /etc/elasticsearch/certs/node-certificates.p12


2.3 Issuing the certificate for HTTP

## Run the following command to issue the certificate.
$ sudo /usr/share/elasticsearch/bin/elasticsearch-certutil http

## After running the command, the process is interactive. Use the following as a guide.

Generate a CSR? [y/N]     # Enter "N"

Use an existing CA? [y/N] # Enter "Y"

CA Path:                  # Enter "/etc/elasticsearch/certs/ca/ca.crt"

CA Key:                   # Enter "/etc/elasticsearch/certs/ca/ca.key"

For how long should your certificate be valid? [5y]  # Set the validity period.

Generate a certificate per node? [y/N]               # Enter "N"

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
# Enter "localhost" and press Enter once.
# Then enter "es_node1" and press Enter twice.

You entered the following hostnames.
  - localhost
  - es_node1
Is this correct [Y/n]   # You are asked to confirm; enter "Y".

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
# Enter "127.0.0.1" and press Enter once.
# Then enter the PALallax server's real IP address and press Enter.
# Once all addresses have been entered, press Enter once more.

You entered the following IP addresses.

  - 127.0.0.1
  - xx.xx.xx.xx # the PALallax server's real IP address is shown here

Is this correct [Y/n]   # You are asked to confirm the input; if it is correct, enter "Y".

Key Name: localhost
Subject DN: CN=localhost
Key Size: 2048

Do you wish to change any of these options? [y/N] # Enter "N"

Provide a password for the "http.p12" file:  [<ENTER> for none]
# Press Enter.

What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]
# Enter "/etc/elasticsearch/certs/ssl-http.zip"

# Run the following command.
$ sudo /usr/share/elasticsearch/bin/elasticsearch-keystore add -f xpack.security.http.ssl.keystore.secure_password
Enter value for xpack.security.http.ssl.keystore.secure_password:  # Press Enter without typing anything.


# This completes issuing the certificates.
# Next, configure the certificates.

sudo unzip /etc/elasticsearch/certs/ssl-http.zip
sudo mv elasticsearch/http.p12 /etc/elasticsearch/certs/node1-http.p12
sudo mv kibana/elasticsearch-ca.pem /etc/kibana/certs/elasticsearch-ca.pem
sudo chown root:elasticsearch /etc/elasticsearch/certs/node1-http.p12
sudo chmod 660 /etc/elasticsearch/certs/node1-http.p12

sudo chown root:kibana /etc/kibana/certs/elasticsearch-ca.pem
sudo chmod 660 /etc/kibana/certs/elasticsearch-ca.pem

sudo mkdir /etc/td-agent/certs
sudo cp /etc/elasticsearch/certs/ca/ca.crt /etc/td-agent/certs/ca.crt
sudo chown root:td-agent /etc/td-agent/certs/ca.crt
sudo chmod 660 /etc/td-agent/certs/ca.crt

### Run the following command to check the login password.
grep "The generated password" install.log | awk '{print $11}'
### Note down the displayed password. PASS③

# This completes the certificate work.
# Run the following script to start the services.
sudo ./run.sh 2>&1 | tee -a ./install.log
# You will be asked for a password during execution; enter PASS③.

# Once each service has started normally, run the following script.
sudo ./setting.sh 2>&1 | tee -a ./install.log
# You will be asked for a password during execution; enter PASS③.

### When the script completes, the following message is displayed.
**********************
Setting completed.
**********************

# Finally, restart the service.
sudo systemctl restart td-agent


3. Palo Alto Configuration

Syslog forwarding settings (Note: performed on the device whose logs are collected)

Configure syslog forwarding on the firewall.

(1) Server profile settings

Run the following commands in the firewall CLI.
Select or enter the values shown in red (the placeholders in angle brackets) to match your environment.
Note: the settings differ depending on the PAN-OS version.

    ## For PAN-OS 9.1, apply these settings
    
    > configure
    Entering configuration mode
    [edit]
    #
    set shared log-settings syslog PALallax_profile server PALallax_sv transport <TCP | UDP>
    set shared log-settings syslog PALallax_profile server PALallax_sv port 514
    set shared log-settings syslog PALallax_profile server PALallax_sv format BSD
    set shared log-settings syslog PALallax_profile server PALallax_sv server <PALallax IP address>
    set shared log-settings syslog PALallax_profile server PALallax_sv facility LOG_LOCAL5
  
    set shared log-settings syslog PALallax_profile format threat '@000:"os9.1",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name"'
  
    set shared log-settings syslog PALallax_profile format traffic '@#000:"os9.1",@#002:"$receive_time",@#003:"$serial",@#004:"$type",@#005:"$subtype",@#007:"$time_generated",@#008:"$src",@#009:"$dst",@#010:"$natsrc",@#011:"$natdst",@#012:"$rule",@#013:"$srcuser",@#014:"$dstuser",@#015:"$app",@#016:"$vsys",@#017:"$from",@#018:"$to",@#019:"$inbound_if",@#020:"$outbound_if",@#021:"$logset",@#023:"$sessionid",@#024:"$repeatcnt",@#025:"$sport",@#026:"$dport",@#027:"$natsport",@#028:"$natdport",@#029:"$flags",@#030:"$proto",@#031:"$action",@#032:"$bytes",@#033:"$bytes_sent",@#034:"$bytes_received",@#035:"$packets",@#036:"$start",@#037:"$elapsed",@#038:"$category",@#040:"$seqno",@#041:"$actionflags",@#042:"$srcloc",@#043:"$dstloc",@#045:"$pkts_sent",@#046:"$pkts_received",@#047:"$session_end_reason",@#048:"$vsys_name",@#049:"$device_name",@#050:"$action_source",@#051:"$src_uuid",@#052:"$dst_uuid",@#053:"$tunnelid",@#054:"$monitortag",@#055:"$parent_session_id",@#056:"$parent_start_time",@#057:"$tunnel",@#058:"$assoc_id",@#059:"$chunks",@#060:"$chunks_sent",@#061:"$chunks_received",@#062:"$rule_uuid",@#063:"$http2_connection",@#064:"$link_change_count",@#065:"$policy_id",@#066:"$link_switches",@#067:"$sdwan_cluster",@#068:"$sdwan_device_type",@#069:"$sdwan_cluster_type",@#070:"$sdwan_site",@#071:"$dynusergroup_name"'
  
    set shared log-settings syslog PALallax_profile format url '@000:"os9.1",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name"'
  
    set shared log-settings syslog PALallax_profile format data '@000:"os9.1",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name"'
  
    set shared log-settings syslog PALallax_profile format wildfire '@000:"os9.1",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name"'
  
    set shared log-settings syslog PALallax_profile format globalprotect '@000:"os9.1",@002:"$receive_time",@003:"$serial",@004:"$seqno",@005:"$actionflags",@006:"$type",@007:"$time_generated",@008:"$vsys",@009:"$eventid",@010:"$stage",@011:"$auth_method",@012:"$tunnel_type",@013:"$srcuser",@014:"$srcregion",@015:"$machinename",@016:"$public_ip",@017:"$public_ipv6",@018:"$private_ip",@019:"$private_ipv6",@020:"$hostid",@021:"$serialnumber",@022:"$client_ver",@023:"$client_os",@024:"$client_os_ver",@025:"$repeatcnt",@026:"$reason",@027:"$error",@028:"$opaque",@029:"$status",@030:"$location",@031:"$login_duration",@032:"$connect_method",@033:"$error_code",@034:"$portal"'
 
   
    ## For PAN-OS 10.1, apply these settings

    > configure
    Entering configuration mode
    [edit]
    #
    set shared log-settings syslog PALallax_profile server PALallax_sv transport <TCP | UDP>
    set shared log-settings syslog PALallax_profile server PALallax_sv port 514
    set shared log-settings syslog PALallax_profile server PALallax_sv format BSD
    set shared log-settings syslog PALallax_profile server PALallax_sv server <PALallax IP address>
    set shared log-settings syslog PALallax_profile server PALallax_sv facility LOG_LOCAL5

    set shared log-settings syslog PALallax_profile format threat '@000:"os10.1",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name",@074:"$xff_ip",@075:"$src_category",@076:"$src_profile",@077:"$src_model",@078:"$src_vendor",@079:"$src_osfamily",@080:"$src_osversion",@081:"$src_host",@082:"$src_mac",@083:"$dst_category",@084:"$dst_profile",@085:"$dst_model",@086:"$dst_vendor",@087:"$dst_osfamily",@088:"$dst_osversion",@089:"$dst_host",@090:"$dst_mac",@091:"$container_id",@092:"$pod_namespace",@093:"$pod_name",@094:"$src_edl",@095:"$dst_edl",@096:"$hostid",@097:"$serialnumber",@098:"$domain_edl",@099:"$src_dag",@0100:"$dst_dag",@0101:"$partial_hash",@0102:"$high_res_timestamp",@0103:"$reason",@0104:"$justification",@0105:"$nssai_sst",@0106:"$subcategory_of_app",@0107:"$category_of_app",@0108:"$technology_of_app",@0109:"$risk_of_app",@0110:"$characteristic_of_app",@0111:"$container_of_app",@0112:"$is_saas_of_app",@0113:"$sanctioned_state_of_app"'
  
    set shared log-settings syslog PALallax_profile format traffic '@#000:"os10.1",@#002:"$receive_time",@#003:"$serial",@#004:"$type",@#005:"$subtype",@#007:"$time_generated",@#008:"$src",@#009:"$dst",@#010:"$natsrc",@#011:"$natdst",@#012:"$rule",@#013:"$srcuser",@#014:"$dstuser",@#015:"$app",@#016:"$vsys",@#017:"$from",@#018:"$to",@#019:"$inbound_if",@#020:"$outbound_if",@#021:"$logset",@#023:"$sessionid",@#024:"$repeatcnt",@#025:"$sport",@#026:"$dport",@#027:"$natsport",@#028:"$natdport",@#029:"$flags",@#030:"$proto",@#031:"$action",@#032:"$bytes",@#033:"$bytes_sent",@#034:"$bytes_received",@#035:"$packets",@#036:"$start",@#037:"$elapsed",@#038:"$category",@#040:"$seqno",@#041:"$actionflags",@#042:"$srcloc",@#043:"$dstloc",@#045:"$pkts_sent",@#046:"$pkts_received",@#047:"$session_end_reason",@#048:"$vsys_name",@#049:"$device_name",@#050:"$action_source",@#051:"$src_uuid",@#052:"$dst_uuid",@#053:"$tunnelid",@#054:"$monitortag",@#055:"$parent_session_id",@#056:"$parent_start_time",@#057:"$tunnel",@#058:"$assoc_id",@#059:"$chunks",@#060:"$chunks_sent",@#061:"$chunks_received",@#062:"$rule_uuid",@#063:"$http2_connection",@#064:"$link_change_count",@#065:"$policy_id",@#066:"$link_switches",@#071:"$dynusergroup_name",@#072:"$xff_ip",@#073:"$src_category",@#074:"$src_profile",@#075:"$src_model",@#076:"$src_vendor",@#077:"$src_osfamily",@#078:"$src_osversion",@#079:"$src_host",@#080:"$src_mac",@#081:"$dst_category",@#082:"$dst_profile",@#083:"$dst_model",@#084:"$dst_vendor",@#085:"$dst_osfamily",@#086:"$dst_osversion",@#087:"$dst_host",@#088:"$dst_mac",@#089:"$container_id",@#090:"$pod_namespace",@#091:"$pod_name",@#092:"$src_edl",@#093:"$dst_edl",@#094:"$hostid",@#095:"$serialnumber",@#096:"$src_dag",@#097:"$dst_dag",@#098:"$session_owner",@#099:"$high_res_timestamp",@#100:"$nssai_sst",@#101:"$nssai_sd",@#102:"$subcategory_of_app",@#103:"$category_of_app",@#104:"$technology_of_app",@#105:"$risk_of_app",@#106:"$characteristic_of_app",@#107:"$container_of_app",@#108:"$is_saas_of_app",@#109:"$sanctioned_state_of_app",@#110:"$offloaded"'

    set shared log-settings syslog PALallax_profile format url '@000:"os10.1",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name",@074:"$xff_ip",@075:"$src_category",@076:"$src_profile",@077:"$src_model",@078:"$src_vendor",@079:"$src_osfamily",@080:"$src_osversion",@081:"$src_host",@082:"$src_mac",@083:"$dst_category",@084:"$dst_profile",@085:"$dst_model",@086:"$dst_vendor",@087:"$dst_osfamily",@088:"$dst_osversion",@089:"$dst_host",@090:"$dst_mac",@091:"$container_id",@092:"$pod_namespace",@093:"$pod_name",@094:"$src_edl",@095:"$dst_edl",@096:"$hostid",@097:"$serialnumber",@098:"$domain_edl",@099:"$src_dag",@0100:"$dst_dag",@0101:"$partial_hash",@0102:"$high_res_timestamp",@0103:"$reason",@0104:"$justification",@0105:"$nssai_sst",@0106:"$subcategory_of_app",@0107:"$category_of_app",@0108:"$technology_of_app",@0109:"$risk_of_app",@0110:"$characteristic_of_app",@0111:"$container_of_app",@0112:"$is_saas_of_app",@0113:"$sanctioned_state_of_app"'

    set shared log-settings syslog PALallax_profile format data '@000:"os10.1",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name",@074:"$xff_ip",@075:"$src_category",@076:"$src_profile",@077:"$src_model",@078:"$src_vendor",@079:"$src_osfamily",@080:"$src_osversion",@081:"$src_host",@082:"$src_mac",@083:"$dst_category",@084:"$dst_profile",@085:"$dst_model",@086:"$dst_vendor",@087:"$dst_osfamily",@088:"$dst_osversion",@089:"$dst_host",@090:"$dst_mac",@091:"$container_id",@092:"$pod_namespace",@093:"$pod_name",@094:"$src_edl",@095:"$dst_edl",@096:"$hostid",@097:"$serialnumber",@098:"$domain_edl",@099:"$src_dag",@0100:"$dst_dag",@0101:"$partial_hash",@0102:"$high_res_timestamp",@0103:"$reason",@0104:"$justification",@0105:"$nssai_sst",@0106:"$subcategory_of_app",@0107:"$category_of_app",@0108:"$technology_of_app",@0109:"$risk_of_app",@0110:"$characteristic_of_app",@0111:"$container_of_app",@0112:"$is_saas_of_app",@0113:"$sanctioned_state_of_app"'

    set shared log-settings syslog PALallax_profile format wildfire '@000:"os10.1",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name",@074:"$xff_ip",@075:"$src_category",@076:"$src_profile",@077:"$src_model",@078:"$src_vendor",@079:"$src_osfamily",@080:"$src_osversion",@081:"$src_host",@082:"$src_mac",@083:"$dst_category",@084:"$dst_profile",@085:"$dst_model",@086:"$dst_vendor",@087:"$dst_osfamily",@088:"$dst_osversion",@089:"$dst_host",@090:"$dst_mac",@091:"$container_id",@092:"$pod_namespace",@093:"$pod_name",@094:"$src_edl",@095:"$dst_edl",@096:"$hostid",@097:"$serialnumber",@098:"$domain_edl",@099:"$src_dag",@0100:"$dst_dag",@0101:"$partial_hash",@0102:"$high_res_timestamp",@0103:"$reason",@0104:"$justification",@0105:"$nssai_sst",@0106:"$subcategory_of_app",@0107:"$category_of_app",@0108:"$technology_of_app",@0109:"$risk_of_app",@0110:"$characteristic_of_app",@0111:"$container_of_app",@0112:"$is_saas_of_app",@0113:"$sanctioned_state_of_app"'
    
    set shared log-settings syslog PALallax_profile format globalprotect '@000:"os10.2",@002:"$receive_time",@003:"$serial",@004:"$seqno",@005:"$actionflags",@006:"$type",@007:"$time_generated",@008:"$vsys",@009:"$eventid",@010:"$stage",@011:"$auth_method",@012:"$tunnel_type",@013:"$srcuser",@014:"$srcregion",@015:"$machinename",@016:"$public_ip",@017:"$public_ipv6",@018:"$private_ip",@019:"$private_ipv6",@020:"$hostid",@021:"$serialnumber",@022:"$client_ver",@023:"$client_os",@024:"$client_os_ver",@025:"$repeatcnt",@026:"$reason",@027:"$error",@028:"$opaque",@029:"$status",@030:"$location",@031:"$login_duration",@032:"$connect_method",@033:"$error_code",@034:"$portal",@034:"$selection_type",@035:"$response_time",@036:"$priority",@037:"$attempted_gateways",@038:"$gateway",@039:"$vsys_name",@040:"$device_name",@041:"$vsys_id"'
  
    
    ## For PAN-OS 10.2, apply these settings

    > configure
    Entering configuration mode
    [edit]
    #
    set shared log-settings syslog PALallax_profile server PALallax_sv transport <TCP | UDP>
    set shared log-settings syslog PALallax_profile server PALallax_sv port 514
    set shared log-settings syslog PALallax_profile server PALallax_sv format BSD
    set shared log-settings syslog PALallax_profile server PALallax_sv server <PALallax IP address>
    set shared log-settings syslog PALallax_profile server PALallax_sv facility LOG_LOCAL5

    set shared log-settings syslog PALallax_profile format threat '@000:"os10.2",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name",@074:"$xff_ip",@075:"$src_category",@076:"$src_profile",@077:"$src_model",@078:"$src_vendor",@079:"$src_osfamily",@080:"$src_osversion",@081:"$src_host",@082:"$src_mac",@083:"$dst_category",@084:"$dst_profile",@085:"$dst_model",@086:"$dst_vendor",@087:"$dst_osfamily",@088:"$dst_osversion",@089:"$dst_host",@090:"$dst_mac",@091:"$container_id",@092:"$pod_namespace",@093:"$pod_name",@094:"$src_edl",@095:"$dst_edl",@096:"$hostid",@097:"$serialnumber",@098:"$domain_edl",@099:"$src_dag",@0100:"$dst_dag",@0101:"$partial_hash",@0102:"$high_res_timestamp",@0103:"$reason",@0104:"$justification",@0105:"$nssai_sst",@0106:"$subcategory_of_app",@0107:"$category_of_app",@0108:"$technology_of_app",@0109:"$risk_of_app",@0110:"$characteristic_of_app",@0111:"$container_of_app",@0112:"$is_saas_of_app",@0113:"$sanctioned_state_of_app",@0114:"$cloud_reportid"'
   
    set shared log-settings syslog PALallax_profile format traffic '@#000:"os10.2",@#002:"$receive_time",@#003:"$serial",@#004:"$type",@#005:"$subtype",@#007:"$time_generated",@#008:"$src",@#009:"$dst",@#010:"$natsrc",@#011:"$natdst",@#012:"$rule",@#013:"$srcuser",@#014:"$dstuser",@#015:"$app",@#016:"$vsys",@#017:"$from",@#018:"$to",@#019:"$inbound_if",@#020:"$outbound_if",@#021:"$logset",@#023:"$sessionid",@#024:"$repeatcnt",@#025:"$sport",@#026:"$dport",@#027:"$natsport",@#028:"$natdport",@#029:"$flags",@#030:"$proto",@#031:"$action",@#032:"$bytes",@#033:"$bytes_sent",@#034:"$bytes_received",@#035:"$packets",@#036:"$start",@#037:"$elapsed",@#038:"$category",@#040:"$seqno",@#041:"$actionflags",@#042:"$srcloc",@#043:"$dstloc",@#045:"$pkts_sent",@#046:"$pkts_received",@#047:"$session_end_reason",@#048:"$vsys_name",@#049:"$device_name",@#050:"$action_source",@#051:"$src_uuid",@#052:"$dst_uuid",@#053:"$tunnelid",@#054:"$monitortag",@#055:"$parent_session_id",@#056:"$parent_start_time",@#057:"$tunnel",@#058:"$assoc_id",@#059:"$chunks",@#060:"$chunks_sent",@#061:"$chunks_received",@#062:"$rule_uuid",@#063:"$http2_connection",@#064:"$link_change_count",@#065:"$policy_id",@#066:"$link_switches",@#071:"$dynusergroup_name",@#072:"$xff_ip",@#073:"$src_category",@#074:"$src_profile",@#075:"$src_model",@#076:"$src_vendor",@#077:"$src_osfamily",@#078:"$src_osversion",@#079:"$src_host",@#080:"$src_mac",@#081:"$dst_category",@#082:"$dst_profile",@#083:"$dst_model",@#084:"$dst_vendor",@#085:"$dst_osfamily",@#086:"$dst_osversion",@#087:"$dst_host",@#088:"$dst_mac",@#089:"$container_id",@#090:"$pod_namespace",@#091:"$pod_name",@#092:"$src_edl",@#093:"$dst_edl",@#094:"$hostid",@#095:"$serialnumber",@#096:"$src_dag",@#097:"$dst_dag",@#098:"$session_owner",@#099:"$high_res_timestamp",@#100:"$nssai_sst",@#101:"$nssai_sd",@#102:"$subcategory_of_app",@#103:"$category_of_app",@#104:"$technology_of_app",@#105:"$risk_of_app",@#106:"$characteristic_of_app",@#107:"$container_of_app",@#108:"$is_saas_of_app",@#109:"$sanctioned_state_of_app",@#110:"$offloaded"'
 
    set shared log-settings syslog PALallax_profile format url '@000:"os10.2",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name",@074:"$xff_ip",@075:"$src_category",@076:"$src_profile",@077:"$src_model",@078:"$src_vendor",@079:"$src_osfamily",@080:"$src_osversion",@081:"$src_host",@082:"$src_mac",@083:"$dst_category",@084:"$dst_profile",@085:"$dst_model",@086:"$dst_vendor",@087:"$dst_osfamily",@088:"$dst_osversion",@089:"$dst_host",@090:"$dst_mac",@091:"$container_id",@092:"$pod_namespace",@093:"$pod_name",@094:"$src_edl",@095:"$dst_edl",@096:"$hostid",@097:"$serialnumber",@098:"$domain_edl",@099:"$src_dag",@0100:"$dst_dag",@0101:"$partial_hash",@0102:"$high_res_timestamp",@0103:"$reason",@0104:"$justification",@0105:"$nssai_sst",@0106:"$subcategory_of_app",@0107:"$category_of_app",@0108:"$technology_of_app",@0109:"$risk_of_app",@0110:"$characteristic_of_app",@0111:"$container_of_app",@0112:"$is_saas_of_app",@0113:"$sanctioned_state_of_app",@0114:"$cloud_reportid"'
 
     set shared log-settings syslog PALallax_profile format data '@000:"os10.2",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name",@074:"$xff_ip",@075:"$src_category",@076:"$src_profile",@077:"$src_model",@078:"$src_vendor",@079:"$src_osfamily",@080:"$src_osversion",@081:"$src_host",@082:"$src_mac",@083:"$dst_category",@084:"$dst_profile",@085:"$dst_model",@086:"$dst_vendor",@087:"$dst_osfamily",@088:"$dst_osversion",@089:"$dst_host",@090:"$dst_mac",@091:"$container_id",@092:"$pod_namespace",@093:"$pod_name",@094:"$src_edl",@095:"$dst_edl",@096:"$hostid",@097:"$serialnumber",@098:"$domain_edl",@099:"$src_dag",@0100:"$dst_dag",@0101:"$partial_hash",@0102:"$high_res_timestamp",@0103:"$reason",@0104:"$justification",@0105:"$nssai_sst",@0106:"$subcategory_of_app",@0107:"$category_of_app",@0108:"$technology_of_app",@0109:"$risk_of_app",@0110:"$characteristic_of_app",@0111:"$container_of_app",@0112:"$is_saas_of_app",@0113:"$sanctioned_state_of_app",@0114:"$cloud_reportid"'
 
     set shared log-settings syslog PALallax_profile format wildfire '@000:"os10.2",@002:"$receive_time",@003:"$serial",@004:"$type",@005:"$subtype",@007:"$time_generated",@008:"$src",@009:"$dst",@010:"$natsrc",@011:"$natdst",@012:"$rule",@013:"$srcuser",@014:"$dstuser",@015:"$app",@016:"$vsys",@017:"$from",@018:"$to",@019:"$inbound_if",@020:"$outbound_if",@021:"$logset",@023:"$sessionid",@024:"$repeatcnt",@025:"$sport",@026:"$dport",@027:"$natsport",@028:"$natdport",@029:"$flags",@030:"$proto",@031:"$action",@032:$misc,@033:"$threatid",@034:"$category",@035:"$severity",@036:"$direction",@037:"$seqno",@038:"$actionflags",@039:"$srcloc",@040:"$dstloc",@042:"$contenttype",@043:"$pcap_id",@044:"$filedigest",@045:"$cloud",@047:$user_agent,@048:"$filetype",@049:"$xff",@050:"$referer",@051:"$sender",@052:"$subject",@053:"$recipient",@054:"$reportid",@055:"$vsys_name",@056:"$device_name",@057:"$src_uuid",@058:"$dst_uuid",@059:"$http_method",@060:"$tunnelid",@061:"$monitortag",@062:"$parent_session_id",@063:"$parent_start_time",@064:"$tunnel",@065:"$thr_category",@066:"$contentver",@067:"$assoc_id",@068:"$ppid",@069:"$http_headers",@070:"$url_category_list",@071:"$rule_uuid",@072:"$http2_connection",@073:"$dynusergroup_name",@074:"$xff_ip",@075:"$src_category",@076:"$src_profile",@077:"$src_model",@078:"$src_vendor",@079:"$src_osfamily",@080:"$src_osversion",@081:"$src_host",@082:"$src_mac",@083:"$dst_category",@084:"$dst_profile",@085:"$dst_model",@086:"$dst_vendor",@087:"$dst_osfamily",@088:"$dst_osversion",@089:"$dst_host",@090:"$dst_mac",@091:"$container_id",@092:"$pod_namespace",@093:"$pod_name",@094:"$src_edl",@095:"$dst_edl",@096:"$hostid",@097:"$serialnumber",@098:"$domain_edl",@099:"$src_dag",@0100:"$dst_dag",@0101:"$partial_hash",@0102:"$high_res_timestamp",@0103:"$reason",@0104:"$justification",@0105:"$nssai_sst",@0106:"$subcategory_of_app",@0107:"$category_of_app",@0108:"$technology_of_app",@0109:"$risk_of_app",@0110:"$characteristic_of_app",@0111:"$container_of_app",@0112:"$is_saas_of_app",@0113:"$sanctioned_state_of_app",@0114:"$cloud_reportid"'
     
     set shared log-settings syslog PALallax_profile format globalprotect '@000:"os10.2",@002:"$receive_time",@003:"$serial",@004:"$seqno",@005:"$actionflags",@006:"$type",@007:"$time_generated",@008:"$vsys",@009:"$eventid",@010:"$stage",@011:"$auth_method",@012:"$tunnel_type",@013:"$srcuser",@014:"$srcregion",@015:"$machinename",@016:"$public_ip",@017:"$public_ipv6",@018:"$private_ip",@019:"$private_ipv6",@020:"$hostid",@021:"$serialnumber",@022:"$client_ver",@023:"$client_os",@024:"$client_os_ver",@025:"$repeatcnt",@026:"$reason",@027:"$error",@028:"$opaque",@029:"$status",@030:"$location",@031:"$login_duration",@032:"$connect_method",@033:"$error_code",@034:"$portal",@035:"$selection_type",@036:"$response_time",@037:"$priority",@038:"$attempted_gateways",@039:"$gateway",@040:"$vsys_name",@041:"$device_name",@042:"$vsys_id"'
   
     

In the WebUI, the change appears as follows.

[DEVICE] > [Server Profiles] > [Syslog]
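As an added example (not part of the PALallax manual or its Fluentd configuration), the following Python script parses a syslog message emitted with the custom format above and applies a simple triage filter to it. The field-number map is a subset taken from the profile, and the two sample messages are constructed for this example.

```python
import re
from typing import Dict, List

# Subset of the @NNN -> name mapping from the PALallax_profile formats above
# (traffic, threat, url, data and wildfire share this numbering).
FIELD_NAMES = {
    0: "format_tag", 2: "receive_time", 3: "serial", 4: "type", 5: "subtype",
    8: "src", 9: "dst", 12: "rule", 15: "app", 25: "sport", 26: "dport",
    30: "proto", 31: "action", 32: "misc", 33: "threatid", 35: "severity",
    36: "direction",
}

# One "@NNN:value" pair. A double-quoted value may contain commas; a bare value
# (the profile emits $misc and $user_agent unquoted) runs to the next ",@NNN:".
PAIR_RE = re.compile(r'@(\d{3,4}):(?:"([^"]*)"|((?:(?!,@\d{3,4}:).)*))')


def parse_palallax_line(line: str) -> Dict[str, str]:
    """Map one PALallax-format message to {name: value}; text before @000 is ignored."""
    start = line.find("@000:")
    if start < 0:
        raise ValueError("not a PALallax-format message: no @000 field")
    fields: Dict[str, str] = {}
    for m in PAIR_RE.finditer(line, start):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields[FIELD_NAMES.get(int(m.group(1)), "field_" + m.group(1))] = value
    return fields


def high_severity_threats(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only THREAT records rated high or critical (a simple triage filter)."""
    recs = (parse_palallax_line(l) for l in lines)
    return [r for r in recs
            if r.get("type") == "THREAT" and r.get("severity") in ("high", "critical")]


# Constructed sample messages (not real firewall output); all values are illustrative.
SAMPLE_LINES = [
    '@000:"os10.2",@002:"2024/01/15 10:00:01",@003:"0000000000",@004:"TRAFFIC",@005:"end",'
    '@008:"10.0.0.5",@009:"192.0.2.10",@012:"allow-web",@015:"web-browsing",@025:"51234",'
    '@026:"443",@030:"tcp",@031:"allow",@032:,@033:"0",@035:"informational",@037:"1001"',
    '<14>Jan 15 10:00:02 fw01 @000:"os10.2",@002:"2024/01/15 10:00:02",@004:"THREAT",'
    '@005:"url",@008:"10.0.0.7",@009:"192.0.2.20",@012:"block-risky-url",@015:"web-browsing",'
    '@031:"block-url",@032:"http://example.com/login,next",@033:"test-signature(0)",'
    '@035:"high",@036:"client-to-server"',
]
```

Calling high_severity_threats(SAMPLE_LINES) returns only the second record, with the comma inside its URL preserved because the value is quoted.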



(2). Log forwarding profile settings

Apply the profile configured in (1) above to the log types to be sent to PALallax.

[OBJECTS] > [Log Forwarding]


(3). Apply the profile configured in (2) above to the target security policies.

[POLICIES] > [Security] > select a policy > [Actions]

(4). GlobalProtect log settings

Apply the Server Profile configured in (1) above.

[DEVICE] > [Log Settings]

4.Fortigate Configuration

Skip this step if you will not be ingesting FortiGate logs.


Syslog forwarding settings ※ performed on the device whose logs are to be collected

Configure syslog forwarding on the device whose logs are to be collected.
※ The following is the configuration for the currently supported FortiGate.

  
  hostname # config log syslogd setting
  hostname(setting) # set status enable
  hostname(setting) # set server <LForM IP address>
  hostname(setting) # set facility local6
  hostname(setting) # set mode udp    # use "reliable" to send over TCP
  hostname(setting) # end
  
  

5.Nozomi Configuration

Skip this step if you will not be ingesting Nozomi logs.

 
            
            ### Run the following commands.
            $ sudo sed -i -e "s/nozomi_host nozomi_ip/nozomi_host $Your_ip/g" /etc/td-agent/td-agent.conf
            # Replace $Your_ip with the IP address of Nozomi

            $ sudo sed -i -e "s/nozomi_pass admin_pass/nozomi_pass $Your_admin_pass/g" /etc/td-agent/td-agent.conf
            # Replace $Your_admin_pass with the Nozomi admin password

            $ sudo systemctl restart td-agent
            
            

Log in to Nozomi.

From the Administration menu at the top right, click Data Integration.

Click Add at the top right.

Add an endpoint.


・Endpoint type: Common Event Format (CEF)
・TLS: disabled
・Destination URI: tcp://"Your IP":514 ※1
・Check "Enable sending alerts" ※2
・Check "Enable sending audit logs" ※2
・Check "Enable sending health logs" ※2
※1 Replace "Your IP" with the IP address of the LForM server
※2 Uncheck any log types you do not need to send

6.Confirmation

Visit http://"PALallax IP":5601

Enter "elastic" as the username and PASS③ as the password.

Frequently Asked Questions (FAQ)

Please see this page.

Tips

For PALallax tips, see the technical blog below.

apcblog

License


PALallax is provided under the Apache License version 2.0.

By using PALallax, you are deemed to have agreed to the following terms of use.

Contact Us


For inquiries about PALallax, please use the form below.
Demo requests are also accepted via the form below.

Contact form