Prisma SD-WAN

Prerequisites

The Prisma SD-WAN ION devices must be configured to send logs to LogZilla for these rules to work properly.

Configure Syslog Export for Events and Authentication

Navigate to Configure > Network & Security > Syslog
Click Add to create a new syslog server profile
Enter your LogZilla server details:
- Server: LogZilla server IP address
- Port: 514 (UDP) or 1514 (TCP)
- Facility: daemon
- Severity: info or higher
Enable the following log types:
- Events: System events and alarms
- Authentication: User login/logout events
Save and commit the configuration

Configure Flow Export (Optional)

For network flow analysis, configure IPFIX or Syslog flow export:

Navigate to Configure > Network & Security > Flow Export
Select Syslog Flow Export for LogZilla compatibility
Configure the export settings:
- Destination: LogZilla server IP
- Port: 514
- Format: RFC 5424 with CSV body
Enable flow export on desired interfaces
Save and commit the configuration

Expected Log Formats

The app processes three types of Prisma SD-WAN logs:

Event Logs:

text
CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:36:49.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART" SEVERITY="minor" PROCESS_NAME="event_forward" ELEMENT_ID="15174644824510129"

Authentication Logs:

text
CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:44:58.881Z" MSG="sshd-login keyboard-interactive/pam" SEVERITY="minor" PROCESS_NAME="sshd" FACILITY="auth" USER="elem-admin" ELEMENT_ID="15174644824510129"

Flow Logs:

text
<13>1 2020-01-28T23:46:17.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - - 2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,15,23,1024,2048,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1