To send Palo Alto Cortex Data Lake events to QRadar®, you must add a TLS Syslog log source in QRadar and configure Cortex Data Lake to forward logs to a Syslog server.
Procedure
- Add a log source in QRadar by using the TLS Syslog protocol. For more information, see TLS Syslog log source parameters for Palo Alto PA Series.
  Important: If your log source is dedicated only to Cortex Data Lake events, then you must disable Use as a Gateway Log Source and set the DSM type to Palo Alto PA Series. If the log source is shared with multiple integrations, and you already enabled Use as a Gateway Log Source, then the Log Source Identifier must use the following regex structure:
  <Log Source Identifier>=stream-logfwd.*?logforwarder
- Forward logs from Cortex Data Lake to QRadar. For more information, see your Palo Alto documentation (https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html).
  Important:
  - When forwarding logs from Cortex Data Lake, choose the LEEF log format.
  - You must enable the cat and EventStatus/Status fields in Palo Alto. The EventStatus/Status field is required to parse Global Protect events in QRadar.
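The following added example (not part of the IBM or Palo Alto documentation) checks a forwarded syslog line against the two requirements of this procedure: that the Log Source Identifier matches the stream-logfwd.*?logforwarder regex structure, and that the LEEF payload carries the cat and EventStatus/Status fields. The sample line, its hostname and the LEEF header values are constructed for illustration; the LEEF 2.0 delimiter handling is generic parser behaviour, not something the procedure describes.

```python
import re

# Log Source Identifier regex structure from the procedure above (shared gateway source).
GATEWAY_IDENTIFIER_RE = re.compile(r"stream-logfwd.*?logforwarder")
# Fields the procedure says must be enabled in the Cortex Data Lake forwarding profile.
REQUIRED_ATTRS = ("cat",)
STATUS_ATTRS = ("EventStatus", "Status")  # either name satisfies the requirement

def identifier_matches_gateway_regex(identifier):
    """True when a Log Source Identifier matches stream-logfwd.*?logforwarder."""
    return GATEWAY_IDENTIFIER_RE.search(identifier) is not None

def parse_leef(line):
    """Parse a syslog line carrying a LEEF 1.0 or 2.0 event into header fields and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    parts = line[start:].split("|", 5)
    if len(parts) < 6:
        raise ValueError("incomplete LEEF header")
    version, attrs_text, delim = parts[0][len("LEEF:"):], parts[5], "\t"
    if version.startswith("2"):  # LEEF 2.0 may name its own delimiter (literal char or xHH hex)
        head, _, rest = attrs_text.partition("|")
        if len(head) == 1:
            attrs_text, delim = rest, head
        elif re.fullmatch(r"[xX][0-9a-fA-F]{2,4}", head):
            attrs_text, delim = rest, chr(int(head[1:], 16))
    attrs = {}
    for pair in attrs_text.split(delim):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value
    return {"version": version, "vendor": parts[1], "product": parts[2],
            "event_id": parts[4], "attrs": attrs}

def missing_required_fields(attrs):
    """Required field names (per the procedure) that are absent from a parsed event."""
    missing = [k for k in REQUIRED_ATTRS if k not in attrs]
    if not any(k in attrs for k in STATUS_ATTRS):
        missing.append("EventStatus/Status")
    return missing

# Constructed sample line (not a real Cortex Data Lake capture); the hostname is hypothetical.
SAMPLE = ("<14>1 2024-05-01T10:00:00Z stream-logfwd20-example-logforwarder-abc12 - - - - "
          "LEEF:2.0|Palo Alto Networks|Cortex Data Lake|1.0|GLOBALPROTECT|x09|"
          "cat=globalprotect\tEventStatus=success\tsrc=10.0.0.5")
```

An event whose `missing_required_fields` result is non-empty indicates the Cortex Data Lake forwarding profile still has one of the required fields disabled.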