Does anyone have an example of a working configuration to receive Palo Alto logs over HTTPS?

vupham

Does anyone have an example of a working configuration to receive Palo Alto logs over HTTPS?

Tony Reinke - Cribl

Currently only auth tokens are supported. ( https://docs.cribl.io/stream/sources-raw-http/#authentication-settings ). If you are on Cribl Community Slack, you can add a feature request for username and password authentication.

Tony Reinke - Cribl

Are you trying to send the logs via a webhook or to the Cribl HTTP(s) RAW? What format are you trying to use?

vupham

We were trying PAN OS's built-in http log forwarding in the below doc.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/forward-logs-to-an-https-destination

Where we run into issues is setting up the server profile on the firewall. Contrary to the doc, the modal requires a username and password in order to save. Running the connection test is successful without the credentials, however providing server credentials causes the test to fail. There does not seem to be corresponding auth settings in Cribl's raw http source. Proceeding with the intentionally unknown credentials fails when trying to send a test log.

It seems to be more of a problem with configuring the source firewalls rather than something in Cribl. Ran into a wall pursuing support on that end. And no urgency or appetite to try to make this work.

Tony Reinke - Cribl

Currently only auth tokens are supported. ( https://docs.cribl.io/stream/sources-raw-http/#authentication-settings ). If you are on Cribl Community Slack, you can add a feature request for username and password authentication.