Palo Alto Panorama Traffic logs
Palo Alto Panorama is a centralized management system for Palo Alto Networks’ firewalls. Its Traffic logs provide detailed information about network traffic, including source and destination IP addresses, application usage, and session details, which can be used for monitoring and analyzing network activity.
Ingestion Methods
Setup the ingestion of this source using one of the following guides.
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_palopanotrafCollecting logs in a bucket
Palo alto panorama traffic logs are loaded from S3. You will need to forward your logs to a bucket prior to collecting them with RunReveal.
Use the following config example in reveald to forward panorama syslogs to your S3 bucket.
{
"sources": {
"hostlogs": {
"type": "file",
"path": "/var/log/syslog/",
"extension": ".log",
},
},
"destinations": {
"runreveal-store": {
"type": "s3",
"bucketName": "runreveal-bucket",
"bucketRegion": "us-west-2",
"accessKeyID": "ACCESSKEY",
"secretAccessKey": "SECRET"
},
},
}Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: panorama_traffic_logs (78 columns)
panorama_traffic_logs (78 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | LowCardinality(String) |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String |
tags | Map(String |
resources | Array(String) |
serviceName | String |
readOnly | Bool |
rawLog | String |
ReceiveTime | DateTime |
SerialNumber | String |
LogType | String |
Subtype | String |
| Column | Type |
|---|---|
TimeGenerated | DateTime |
SrcAddr | String |
DstAddr | String |
NatSrcAddr | String |
NatDstAddr | String |
RuleName | String |
SrcUser | String |
DstUser | String |
App | String |
Vsys | String |
From | String |
To | String |
InboundIf | String |
OutboundIf | String |
LogSet | String |
SessionID | UInt32 |
RepeatCnt | UInt32 |
SrcPort | UInt32 |
DstPort | UInt32 |
NatSrcPort | UInt32 |
NatDstPort | UInt32 |
Flags | String |
Proto | String |
Action | String |
Bytes | UInt32 |
BytesSent | UInt32 |
BytesReceived | UInt32 |
Packets | UInt32 |
StartTime | DateTime |
ElapsedTime | UInt32 |
Category | String |
SeqNo | UInt32 |
ActionFlags | String |
SrcLoc | String |
DstLoc | String |
PktsSent | UInt32 |
PktsReceived | UInt32 |
SessionEndReason | String |
DeviceName | String |