...

Some links to the Palo Alto Networks documentation site that can help with configuring your firewall can be found here.

https://docs.paloaltonetworks.com/traps/4-2/traps-endpoint-security-manager-admin/reports-and-logging/forward-logs-to-an-external-logging-platform/enable-log-forwarding-to-an-external-logging-platform.htmlresources/cef

These are the templates you load in: https://docs.paloaltonetworks.com/traps/4-2/traps-endpoint-security-manager-admin/reports-and-logging/forward-logs-to-an-external-logging-platform/leef-format.html for the different versions of the PAN-OS firewall.

The following fields are separated out, and are available as individually accessible indexed data within the Snare Central user interface:

...

In order to configure your PAN firewall to send data to a Snare Central server:

  1. Log in to the Palo Alto Networks user interface.

  2. Click the Device tab.

  3. Click Server Profiles -> Syslog.

  4. Click Add.

  5. Create a Syslog destination:
    In the "Syslog Server Profile" dialog box, click the "Add" button. Enter:

    • The IP Address of the Snare Central server

    • The destination port (514)

    • A descriptive name for the destination Snare Central server

    • Your preferred syslog facility (note: this value is not used by the Snare Server collection system).

  6. Click OK.

  7. Specify the severity of events that are contained in the syslog messages:

    • Click Log Setting | System and then click Edit.

    • Select the check box for each event severity level that you want contained in the syslog message.

    • Type the name of the syslog destination.

    • Click OK.

  8. Click the Device tab and then click Commit.

Note: Depending on your firewall policies, you may need to create a firewall rule to allow syslog messages to leave the PAN firewall for the Snare Central server. The Snare Central server includes an internal firewall, but it allows syslog messages to arrive on port 514 by default.
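To check the forwarding path and the facility/severity encoding described in the steps above, here is an added Python example; it is not Snare Central or Palo Alto Networks code. It builds an RFC 3164 syslog line with the PRI value that a facility and severity produce, sends it over UDP to a collector (port 514 by default, as in the procedure), and parses a received line back into facility, severity, hostname and content. The hostname, tag and message text are constructed sample values, and the loopback round trip uses an ephemeral port so it runs without a real collector.

```python
"""Syslog path and PRI check for a firewall -> Snare Central forwarding setup.

Added example, not Snare Central or Palo Alto Networks code. Assumes the
collector accepts RFC 3164 messages on UDP 514; sample hostnames, tags and
message text below are constructed.
"""
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes. Firewalls are usually configured with
# one of local0..local7 (the "preferred syslog facility" in the profile).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "syslog": 5, "auth": 10,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notice": 5, "informational": 6, "debug": 7}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI as carried in the angle brackets: facility * 8 + severity."""
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility, severity)."""
    return divmod(pri, 8)


def build_message(facility, severity, hostname, tag, text, ts=None):
    """Build an RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag: text."""
    ts = ts or datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # day is space padded
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


# <PRI>, timestamp, hostname, then everything else as content.
_SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_message(line):
    """Split a received line into its fields; returns None if it is not RFC 3164."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity,
            "severity_name": SEVERITY_NAMES.get(severity, "unknown"),
            "timestamp": m.group(2), "hostname": m.group(3),
            "content": m.group(4)}


def passes_severity_filter(line, allowed):
    """Mirror of the per-severity checkboxes: keep only selected severities."""
    parsed = parse_message(line)
    return parsed is not None and parsed["severity_name"] in allowed


def send_udp(message, host, port=514):
    """Send one datagram to the collector (UDP 514 by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


def loopback_roundtrip(message, timeout=2.0):
    """Send to a local listener on an ephemeral port and return what arrived."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(timeout)
    port = listener.getsockname()[1]
    try:
        send_udp(message, "127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
    finally:
        listener.close()
    return data.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: local0 / informational from a hypothetical firewall host.
    msg = build_message(FACILITIES["local0"], SEVERITIES["informational"],
                        "pan-fw-01", "PAN-OS", "syslog path test")
    received = loopback_roundtrip(msg)
    print(received)
    print(parse_message(received))
```

To test against a real collector rather than the loopback, call send_udp(msg, "<snare-central-ip>") and confirm the line appears in the Snare Central interface; if it does not, the note above about an egress rule on the firewall is the first thing to check.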

...