SUMMARY
May 15, 2017
Palo Alto Networks firewalls can be configured to send log data to Snare Central for collection, analysis and reporting.
The Snare Server collection subsystem is quite flexible, and is capable of dealing with a wide range of custom LEEF formats.
Links to the Palo Alto Networks site that can help with configuring your firewall can be found here.
These are the templates you load in.
The following fields are separated out, and are available as individually accessible indexed data within the Snare Central user interface:
...
Any other LEEF fields are taken from the event and placed in the catch-all "String" field; if required, individual values can be extracted from that field using Snare Central's TOKEN capabilities.
...
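The split described above, between fields that get their own indexed columns and everything else landing in a catch-all string, is easy to see in code. The following is an added example written for this article, not Snare Central's own collection code: it parses a syslog line carrying a LEEF 1.0 or LEEF 2.0 payload, separates an assumed set of indexed keys (the article's actual field list is not reproduced here, so `INDEXED_FIELDS` is an illustrative assumption), joins the remaining `key=value` pairs into a catch-all string, and shows how a single value can be pulled back out of that string the way a TOKEN extraction would. The sample log line is constructed, not captured from a real firewall.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed set of LEEF keys that get their own indexed column. The page's real
# list of separated fields is not reproduced here; this is for illustration.
INDEXED_FIELDS = frozenset(
    {"devTime", "src", "dst", "srcPort", "dstPort", "proto", "usrName", "cat"}
)


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    indexed: Dict[str, str]  # fields separated out into their own columns
    catch_all: str           # every other key=value pair, tab-joined


def decode_delimiter(spec: str) -> str:
    """LEEF 2.0 header field 6: empty means tab, 'x09' or '0x09' means a hex
    code point, anything else is the literal delimiter character."""
    if spec == "":
        return "\t"
    if re.fullmatch(r"0?x[0-9A-Fa-f]{1,4}", spec):
        return chr(int(spec.split("x", 1)[1], 16))
    return spec


def split_attributes(attrs: str, delim: str) -> List[Tuple[str, str]]:
    """Split 'k=v<delim>k=v' into pairs. Only the first '=' separates key from
    value, so URLs or base64 values containing '=' survive intact."""
    pairs = []
    for token in attrs.split(delim):
        if not token:
            continue  # tolerate trailing or doubled delimiters
        key, sep, value = token.partition("=")
        if sep:
            pairs.append((key.strip(), value))
    return pairs


def parse_leef(raw: str) -> LeefEvent:
    """Parse a syslog line that carries a LEEF 1.0 or 2.0 payload."""
    start = raw.find("LEEF:")
    if start < 0:
        raise ValueError("line does not contain a LEEF header")
    payload = raw[start:]  # drop the syslog priority/timestamp/host prefix
    version = payload[len("LEEF:"):payload.index("|")]

    if version == "1.0":
        parts = payload.split("|", 5)  # 5 header fields, then attributes
        if len(parts) != 6:
            raise ValueError("malformed LEEF 1.0 header")
        _, vendor, product, product_version, event_id, attrs = parts
        delim = "\t"
    elif version == "2.0":
        parts = payload.split("|", 6)  # 6 header fields, then attributes
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        _, vendor, product, product_version, event_id, delim_spec, attrs = parts
        delim = decode_delimiter(delim_spec)
    else:
        raise ValueError(f"unsupported LEEF version {version!r}")

    indexed: Dict[str, str] = {}
    rest: List[str] = []
    for key, value in split_attributes(attrs, delim):
        if key in INDEXED_FIELDS:
            indexed[key] = value
        else:
            rest.append(f"{key}={value}")  # goes to the catch-all string
    return LeefEvent(version, vendor, product, product_version, event_id,
                     indexed, "\t".join(rest))


def extract_token(catch_all: str, key: str) -> Optional[str]:
    """Pull one key's value back out of the tab-joined catch-all string."""
    m = re.search(rf"(?:^|\t){re.escape(key)}=([^\t]*)", catch_all)
    return m.group(1) if m else None


# Constructed sample (not a real capture): syslog prefix, then a PAN-OS style
# LEEF 1.0 payload with tab-separated attributes.
SAMPLE_LINE = (
    "<14>May 15 12:00:00 pan-fw-01 LEEF:1.0|Palo Alto Networks|PAN-OS|8.0|TRAFFIC|"
    "devTime=May 15 2017 12:00:00\tsrc=10.0.0.5\tdst=192.0.2.10\tsrcPort=51022\t"
    "dstPort=443\tproto=tcp\tusrName=alice\tcat=allow\t"
    "sessionID=12345\tapp=ssl\turl=https://example.com/?a=1\tbytes=4096"
)

if __name__ == "__main__":
    ev = parse_leef(SAMPLE_LINE)
    print(ev.event_id, ev.indexed)
    print("catch-all:", ev.catch_all)
    print("app from catch-all:", extract_token(ev.catch_all, "app"))
```

Running the block on the sample yields eight indexed fields and a catch-all of `sessionID=12345`, `app=ssl`, `url=...`, `bytes=4096`; `extract_token` then recovers any one of those values, which is the same kind of after-the-fact extraction the article attributes to the TOKEN feature. The parser also accepts LEEF 2.0 headers whose sixth field names a custom delimiter, so the same code covers firewalls that are configured with a non-tab separator.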
Configuration Instructions
In order to configure your PAN firewall to send data to a Snare Central server:
...
Note: Depending on your firewall policies, you may need to create a firewall rule to allow syslog messages to leave the PAN firewall for the Snare Central server. The Snare Central server includes its own internal firewall, but it accepts syslog messages on port 514 by default.
...
NOTE: Snare Central was previously known as Snare Server.
...