Send SYSLOG from Palo Alto to LibreNMS

Step 1 – Configure Server Profile used to send SYSLOG messages to a destination
Note: The Palo Alto Administrator's Guide states that by default all log data is forwarded over the MGT interface. In addition, we will have to create a Server Profile for each external service the firewall will interact with.

From your web-based management console navigate to Device -> Server Profiles -> Syslog. You'll configure the name, IP address or FQDN of the syslog server, port, and format. Typically syslog messages are sent over UDP to port 514 in BSD format; IETF format is normally used over TCP/SSL.

(Screenshot: paloalto-syslog-server-profile)

Step 2 – Enable Log Forwarding
Navigate to Objects -> Log Forwarding.
We create a Log Forwarding Profile that specifies the Server Profiles we will send event logs to, in the form of SYSLOG and SNMP messages. You can set a severity threshold to control which messages are forwarded from the Palo Alto to your log collector.

(Screenshot: paloalto-logforwarding)

Step 3 – Add Log Forwarding Profile to a Security Rule
In this example I have created a security rule that governs DNS traffic generated in our LAN and destined for the Internet. My thought is that I would like to receive notice when any user on my network tries to resolve a URL while avoiding our internal DNS servers. I edit this "Deny DNS Out" rule and navigate to the Actions tab, where we specify the Log Forwarding Profile created in Step 2.

(Screenshot: paloalto-connect-logforwarding-to-securitypolicy)

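To confirm that the three steps above actually produce messages the collector can use, it helps to see what a BSD-format syslog line from the firewall looks like once it is taken apart. The following receiver is an added example written for this post; it is not LibreNMS code and not Palo Alto code. It assumes the profile from Step 1 sends BSD syslog over UDP/514, that the PAN-OS message body is the comma-separated layout whose fourth field is the log type (TRAFFIC, THREAT, SYSTEM, ...), and that the firewall's source address is 172.16.0.1; the sample line, the hostname PA-FW and the serial number are constructed placeholders.

```python
"""Parse BSD-syslog (RFC 3164) lines from a PAN-OS firewall and apply a
severity threshold the way a collector would. Added example, not LibreNMS
or Palo Alto code; PAN-OS field layout and the sample line are assumptions."""
import re
import socket
from dataclasses import dataclass

# Syslog severities, index == numeric severity (0 is most severe).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is 8*facility + severity; the BSD header is timestamp, hostname, message.
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.S,
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str
    log_type: str  # PAN-OS log type taken from the CSV body, "" if absent


def parse_bsd_syslog(line: str) -> SyslogEvent:
    """Parse one BSD-format syslog line; raise ValueError if it is malformed."""
    m = _BSD_RE.match(line.strip())
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:60])
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    fields = m.group("msg").split(",")
    # Assumption: PAN-OS places the log type in the 4th comma-separated field.
    log_type = fields[3].strip() if len(fields) > 3 else ""
    return SyslogEvent(pri // 8, pri % 8, m.group("ts"), m.group("host"),
                       m.group("msg"), log_type)


def severity_name(event: SyslogEvent) -> str:
    return SEVERITY_NAMES[event.severity]


def meets_threshold(event: SyslogEvent, threshold: str) -> bool:
    """True if the event is at least as severe as the named threshold
    (this mirrors the severity threshold chosen in the forwarding profile)."""
    return event.severity <= SEVERITY_NAMES.index(threshold)


# Constructed sample resembling a PAN-OS TRAFFIC log; every value is made up.
SAMPLE = ("<14>Jan  5 10:15:02 PA-FW 1,2024/01/05 10:15:02,PLACEHOLDER_SERIAL,"
          "TRAFFIC,deny,2049,2024/01/05 10:15:02,192.168.10.23,8.8.8.8,...")


def listen(bind_addr="0.0.0.0", port=514, expected_src="172.16.0.1"):
    """Receive datagrams and print parsed events from the expected firewall only.
    Binding port 514 needs root or CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        if src != expected_src:
            continue  # ignore anything that is not the firewall
        try:
            ev = parse_bsd_syslog(data.decode("utf-8", "replace"))
        except ValueError as exc:
            print("dropped:", exc)
            continue
        print(src, severity_name(ev), ev.log_type, ev.host)


if __name__ == "__main__":
    ev = parse_bsd_syslog(SAMPLE)
    print(ev.log_type, severity_name(ev), meets_threshold(ev, "warning"))
    # listen()  # uncomment to receive live messages from the firewall
```

Running the file parses the constructed sample: PRI 14 decodes to facility 1 (user) and severity 6 (info), so the event would be dropped by a "warning" threshold but kept by an "info" one. Point `listen()` at the address you entered in Step 1 to watch real messages arrive.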
tshark – list udp traffic from a specific host

We can use tshark to view traffic that reaches an interface. In my example I am looking for SYSLOG messages from a firewall destined for my instance of LibreNMS. LibreNMS listens for UDP traffic on port 514 of the eth0 interface from a specific IP address.

We’d like to filter traffic based on source ip address and protocol type.

Specify the interface
-i eth0

Show full protocol details for one protocol (this does not filter; to capture only UDP use a capture filter such as udp)
-O udp

Stop after this many packets
-c 100

Write to a file for review
-w capture.pcap

#Use a display filter to limit the view to a specific source IP (-Y is the display filter; -R is a read filter and current tshark versions require -2 with it)
-Y "ip.src==172.16.0.1"

Here's the final product, using a capture filter so only syslog from the firewall is written:
tshark -i eth0 -c 100 -w capture.pcap 'udp port 514 and src host a.b.c.d'

Cisco Configure DHCP Server

At your central router, Corp, create a pool, specify a DNS server and default gateway that will be provided to clients that are configured using DHCP.

Exclude addresses from the pool before you enable the dhcp pool.

Corp(config)#ip dhcp excluded-address 192.168.10.1
Corp(config)#ip dhcp pool SF_LAN
Corp(dhcp-config)#network 192.168.10.0 255.255.255.0
Corp(dhcp-config)#default-router 192.168.10.1
Corp(dhcp-config)#dns-server 8.8.8.8

Configure the remote router to forward DHCP client requests received on its FastEthernet 0/0 interface to an IP address, in our case the Corp router that was just configured above.

LA(config)#int fa0/0
LA(config-if)#ip helper-address 172.16.10.5

Serial Connections: DCE & DTE

In a lab environment, when you create a serial connection between two routers, keep the following in mind. Modern Cisco ISR routers can autodetect this and set the clock rate to 2000000.

Determine which kind of connection a router has by issuing sh controllers s0/0/0

You may see a DCE cable connection:

Router#sh controllers s0/0/1
Interface Serial0/0/1
Hardware is PowerQUICC MPC860
DCE V.35, clock rate 1000000

Or you may see a DTE cable connection:

Corp#show controllers s0/0/1
Interface Serial0/0/1
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected

Remember, a serial connection with a DCE interface requires that a clock rate be set, as the other end has a DTE connection that receives the clock rate you set.

You can set the clock rate like so:

Router#conf t
Router(config)#int s0/0/0
Router(config-if)#clock rate 1000000

Display Names and Account Names

C:\>dsquery user "OU=FRESHMEN,OU=STUDENTS,DC=GREATSCHOOL,DC=US" -limit 0 | dsget user -samid -display > freshmen.txt

Use this command to list the display name and login name (sAMAccountName) for all users that belong to a specific OU in a Microsoft Active Directory environment; -limit 0 removes the default cap of 100 results.