Forwarding Firewall Logs to Wazuh Manager

From Notes_Wiki


Overview

This article explains how to configure a Palo Alto Firewall to send logs directly to the Wazuh Manager (acting as a syslog server), and how to parse them using custom decoders and rules in Wazuh.

Prerequisites

  • Wazuh Manager installed
  • Wazuh Manager reachable from the Palo Alto firewall (the firewall is the sender)
  • A UDP port (e.g., 5141) open on the Wazuh Manager for the firewall's address
  • Permission to add a syslog server profile and log forwarding on the firewall

Step 1: Wazuh Manager Syslog Configuration

1.1 Edit ossec.conf

Edit Wazuh Manager's /var/ossec/etc/ossec.conf configuration file:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>5141</port>
    <protocol>udp</protocol>
    <allowed-ips>183.82.0.0/16</allowed-ips>
    <local_ip>172.30.27.202</local_ip>
  </remote>
</ossec_config>

The `<allowed-ips>` element is the only access control on this listener. Syslog over UDP is neither authenticated nor encrypted and its source address can be spoofed, so keep the range as narrow as possible: the firewall's own address with a /32 mask rather than the whole /16 shown above, and filter port 5141 at the host firewall as well. If ossec.conf already contains a `<remote>` block for agents (`<connection>secure</connection>`), add this block next to it rather than replacing it; several `<remote>` blocks may coexist.

Restart the manager:

sudo systemctl restart wazuh-manager

Step 2: Palo Alto Syslog Forwarding

2.1 Syslog Server Profile

Navigate to: Device > Server Profiles > Syslog

Add a new profile:

  • Name: WazuhSyslog
  • Server: 172.30.27.202
  • Transport: UDP (must match the `<protocol>` in ossec.conf)
  • Port: 5141
  • Facility: LOG_USER

2.2 Log Forwarding

Go to: Device > Log Settings > System

Click Add:

  • Select the created Syslog profile
  • Choose All logs or select severities

Device > Log Settings only covers the firewall's own logs (System, Configuration, User-ID, HIP Match and similar). The TRAFFIC records parsed in the rest of this article are produced by security policy rules and are forwarded differently: create a Log Forwarding profile under Objects > Log Forwarding that references the WazuhSyslog profile for the Traffic log type, then attach that profile to each security rule whose sessions should be logged (Policies > Security > rule > Actions > Log Forwarding).

Commit the configuration.

Step 3: Example Log

Sample log received:

Jul 30 07:08:36 GBB-FW-001 2025/07/30 07:08:36 TRAFFIC DMZ WAN 172.31.1.152 170.187.232.68 allow LAN-2-WAN-Zabbix tcp-fin

The part after the syslog header (`Jul 30 07:08:36 GBB-FW-001`) is space-separated and carries only the firewall timestamp, log type, source and destination zone, source and destination address, action, rule name and session end reason. This is not Palo Alto's default comma-separated traffic format; it corresponds to a Custom Log Format defined for the Traffic log type in the syslog server profile (Custom Log Format tab). The decoder below is written for this reduced format and will not parse the default format.

Step 4: Decoder Configuration

4.1 Create Custom Decoder File

Path: /var/ossec/etc/decoders/0200-paloalto-traffic.xml

<decoder name="paloalto-gbb-traffic">
  <prematch>TRAFFIC</prematch>
</decoder>

<decoder name="paloalto-traffic">
  <parent>paloalto-gbb-traffic</parent>
  <regex offset="after_parent" type="pcre2">\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)</regex>
  <order>src_zone,dst_zone,srcip,dstip,action_new,policy,reason</order>
</decoder>

The regex must capture exactly as many groups as `<order>` names fields: seven here, the last `(\S+)` being `reason`. Keep the pattern on a single line inside the `<regex>` element so that surrounding whitespace does not end up in the pattern. The file must be readable by the manager (owner wazuh, group wazuh), and the manager must be restarted before a new decoder is loaded.

Explanation

  • Decoder-1: `<decoder name="paloalto-gbb-traffic">`
    • Purpose: Acts as the trigger for all logs that contain the word `TRAFFIC`.
    • <prematch>: If the word `TRAFFIC` exists in the log line, this decoder is invoked.
  • Decoder-2: `<decoder name="paloalto-traffic">`
    • <parent>: Inherits from the first decoder.
    • <regex>: Uses PCRE2 (Perl-compatible regex) to extract fields starting where the parent's `TRAFFIC` match ended (`offset="after_parent"`). Because the parent's `<prematch>` is unanchored, the syslog header and the firewall's own timestamp in front of `TRAFFIC` do not matter.

Decoder Field Mapping

Field       Value
src_zone    DMZ
dst_zone    WAN
srcip       172.31.1.152
dstip       170.187.232.68
action_new  allow
policy      LAN-2-WAN-Zabbix
reason      tcp-fin

These field names (`srcip`, `dst_zone`, `action_new`, etc.) are the names the rules refer to. `srcip` and `dstip` are worth keeping exactly as they are: they are the standard Wazuh field names that the `<srcip>`/`<dstip>` rule options and CDB list lookups with `address_match_key` operate on.
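A decoder whose regex captures fewer groups than `<order>` names fields is easy to ship by accident. The following Python script is an added example, not part of this page or of Wazuh: it parses a decoder file, compares the number of capture groups in each pcre2 `<regex>` with the number of `<order>` fields, and decodes the sample line the way analysisd does (parent prematch, child regex searched from the end of that match). The embedded decoder text is a copy of the corrected seven-group decoder, the six-group pattern is kept as `ORIGINAL_REGEX` for comparison, and the sample line is a constructed copy of the one above. The prematch is treated as a literal word, which is exact for `TRAFFIC` but would not be for a prematch that uses Wazuh regex metacharacters.

```python
"""Check a Wazuh pcre2 decoder before deploying it: count capture groups
against <order> names and decode a sample line the way analysisd would
(prematch in the parent, child regex applied after the prematch)."""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the page's decoder pair with the seventh capture group
# for "reason" in place.
DECODER_XML = r"""
<decoder name="paloalto-gbb-traffic">
  <prematch>TRAFFIC</prematch>
</decoder>

<decoder name="paloalto-traffic">
  <parent>paloalto-gbb-traffic</parent>
  <regex offset="after_parent" type="pcre2">\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)</regex>
  <order>src_zone,dst_zone,srcip,dstip,action_new,policy,reason</order>
</decoder>
"""

# The six-group child regex: one group short of the seven <order> names.
ORIGINAL_REGEX = r"\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+"

# Constructed sample line (a copy of the page's sample).
SAMPLE = ("Jul 30 07:08:36 GBB-FW-001 2025/07/30 07:08:36 TRAFFIC DMZ WAN "
          "172.31.1.152 170.187.232.68 allow LAN-2-WAN-Zabbix tcp-fin")


def load_decoders(xml_text):
    # A Wazuh decoder file has no single root element, so wrap it for the parser.
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    return {d.get("name"): d for d in root.findall("decoder")}


def order_fields(decoder):
    return [f.strip() for f in decoder.findtext("order").split(",") if f.strip()]


def group_count(regex_text):
    return re.compile(regex_text).groups


def validate(decoders, name):
    """Return (capture groups, order fields); the two must be equal."""
    d = decoders[name]
    return group_count(d.findtext("regex").strip()), len(order_fields(d))


def decode(decoders, line):
    """Parent prematch (literal here), then the child regex searched from
    where the prematch ended, i.e. offset="after_parent"."""
    parent = decoders["paloalto-gbb-traffic"]
    pre = re.search(re.escape(parent.findtext("prematch").strip()), line)
    if pre is None:
        return None
    child = decoders["paloalto-traffic"]
    m = re.compile(child.findtext("regex").strip()).search(line, pre.end())
    if m is None:
        return None
    return dict(zip(order_fields(child), m.groups()))


DECODERS = load_decoders(DECODER_XML)

if __name__ == "__main__":
    print("six-group regex:", group_count(ORIGINAL_REGEX), "groups for",
          len(order_fields(DECODERS["paloalto-traffic"])), "order fields")
    print("fixed decoder (groups, fields):", validate(DECODERS, "paloalto-traffic"))
    print(decode(DECODERS, SAMPLE))
```

Run it against a copy of the real decoder file by reading the file into `load_decoders`; `validate` returning two different numbers is the signal that the `<order>` list and the capture groups no longer line up.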

Step 5: Rule Configuration

5.1 Create Custom Rules File

Path: /var/ossec/etc/rules/0200-paloalto-traffic_rules.xml

<group name="paloalto,traffic,">
  <rule id="100100" level="5">
    <decoded_as>paloalto-gbb-traffic</decoded_as>
    <description>Palo Alto Traffic: $(srcip) to $(dstip), action=$(action_new), policy=$(policy), reason=$(reason)</description>
    <group>firewall,</group>
  </rule>

  <rule id="100101" level="6">
    <if_sid>100100</if_sid>
    <field name="srcip">172.31.1.152</field>
    <description>The traffic came from $(srcip)</description>
  </rule>
</group>

<group name="firewall,">
  <rule id="100102" level="6">
    <decoded_as>paloalto-gbb-traffic</decoded_as>
    <field name="src_zone">DMZ</field>
    <field name="dst_zone">WAN</field>
    <field name="action_new">allow</field>
    <description>Allowed traffic from DMZ to WAN</description>
  </rule>

  <rule id="100103" level="6">
    <decoded_as>paloalto-gbb-traffic</decoded_as>
    <field name="dstip">167.94.138.144</field>
    <description>Traffic from $(srcip) to the block-listed $(dstip) IP</description>
  </rule>

  <rule id="100104" level="6">
    <decoded_as>paloalto-gbb-traffic</decoded_as>
    <regex field="action_new">allow</regex>
    <description>The traffic is allowed</description>
  </rule>

  <rule id="100105" level="8">
    <decoded_as>paloalto-gbb-traffic</decoded_as>
    <regex field="action_new">deny</regex>
    <description>The traffic is denied</description>
  </rule>
</group>

Rule Descriptions

  • Rule ID 100100 (Base Rule)
    • Matches every decoded Palo Alto traffic log
    • Provides an alert with dynamic values like $(srcip), $(dstip), etc.
  • Rule ID 100101 (Specific IP Match)
    • Child of 100100 via `<if_sid>`; fires only if the source IP matches `172.31.1.152`
  • Rule ID 100102 (Zone-Based Match)
    • Matches logs from `DMZ` to `WAN` with action `allow`
  • Rule ID 100103 (IP Watchlist)
    • Matches destination IP of `167.94.138.144`
  • Rules 100104 & 100105 (Action Matching)
    • Detect `allow` or `deny` actions using regex for flexible filtering

Two things about how these rules interact. First, only one rule alerts per event: Wazuh tries top-level rules from the highest level down (rules of equal level in file order) and stops at the first match, then descends into that rule's `<if_sid>` children. That is why the sample log in the testing section is reported as 100102 rather than 100100, and why 100101 can never fire for allowed traffic: 100104 (level 6) matches every `allow` before the level-5 base rule is reached. Second, a `<field>` value is a regular expression in Wazuh's own syntax, not a literal string: it is unanchored and `.` matches any character, so `172.31.1.152` also matches any value that merely contains that sequence. Anchor and escape the pattern (`^172\.31\.1\.152$`) or, for IP fields, use the dedicated `<srcip>`/`<dstip>` options, which compare addresses and accept CIDR ranges.

Step 6: Testing

Use Wazuh Logtest

/var/ossec/bin/wazuh-logtest

Paste sample log:

TRAFFIC DMZ WAN 172.31.1.152 170.187.232.68 allow LAN-2-WAN-Zabbix tcp-fin

The full line as received, including the `Jul 30 07:08:36 GBB-FW-001` header, can be pasted as well: the pre-decoder strips the header and the unanchored prematch finds `TRAFFIC` regardless of what precedes it. Check for the matched decoder and rules. As in the output below, the decoder reported is the parent name, `paloalto-gbb-traffic`, even though the child regex extracted the fields; that is also the name `<decoded_as>` in the rules refers to.

Sample Output

**Phase 1: Completed pre-decoding.
	full event: 'TRAFFIC DMZ WAN 172.31.1.152 170.187.232.68 allow LAN-2-WAN-Zabbix tcp-fin'

**Phase 2: Completed decoding.
	name: 'paloalto-gbb-traffic'
	action_new: 'allow'
	dst_zone: 'WAN'
	dstip: '170.187.232.68'
	policy: 'LAN-2-WAN-Zabbix'
	reason: 'tcp-fin'
	src_zone: 'DMZ'
	srcip: '172.31.1.152'

**Phase 3: Completed filtering (rules).
	id: '100102'
	level: '6'
	description: 'Allowed traffic from DMZ to WAN'
	groups: '['firewall']'
	firedtimes: '1'
	mail: 'False'

**Alert to be generated.

The field names in Phase 2 must be the ones from the decoder's `<order>` (`srcip`, `dstip`, not variants such as `srcip_fw`); if they differ, the decoder that was loaded is not the one shown in Step 4. Rule 100102 is reported because it is the first matching rule at the highest matching level; 100100 and 100104 match the same event but do not become the alert.

Best Practices

  • Use `<if_sid>` to chain rules and reduce false positives, keeping in mind that rules are tried by level, so a broad higher-level rule can shadow a more specific child of a lower-level parent.
  • For IP watchlists and ranges use `<srcip>`/`<dstip>` (CIDR is accepted) or a CDB list with `<list field="srcip" lookup="address_match_key">`, rather than hand-written `<field>` regexes.
  • Always test using `wazuh-logtest` before deploying, and restart wazuh-manager after changing decoders or rules.
  • Keep custom rule IDs in the 100000 to 120000 range reserved for user rules to avoid conflicts with built-in Wazuh rules.
  • Restrict `<allowed-ips>` to the firewall's address; unauthenticated UDP syslog will accept, and alert on, anything sent from the allowed range.