Configure log sources to send third-party logs in Common Event Format (CEF) syslog format to Trend Vision One for analysis and correlation.

Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.

Procedure

  1. Install the Third-Party Log Collection Service on a Service Gateway virtual appliance.
    1. Go to Workflow and Automation → Service Gateway Management.
    2. Click the name of the Service Gateway you want to manage.
      Note
      Make sure that your selected Service Gateway virtual appliance meets the minimum specifications required to support the Third-Party Log Collection Service. The minimum requirements are 1 virtual CPU and 128 MB of virtual memory, which supports sending 30,000 logs per second.
      When configuring multiple services, you must allocate the minimum virtual CPU and virtual memory requirement per service to ensure proper functionality.
      If you have no existing Service Gateways, you must first deploy a Service Gateway.
      The Service Gateway screen appears.
    3. Click Manage Services.
      The Manage Services window appears.
    4. Find the Third-Party Log Collection Service and click the install icon.
      For more information, see Managing services in Service Gateway.
    The Third-Party Log Collection Service is installed on the Service Gateway.
  2. If the third-party log source needs to validate the Service Gateway certificate, upload a certificate to the virtual appliance.
    • Only PKCS#1 certificates are supported.
    • The certificate must contain both RSA PRIVATE KEY and CERTIFICATE.
    1. To ensure that the private key is not encrypted, use the following script to decrypt and regenerate the certificate PEM file before importing:
      #!/bin/bash
      set -euo pipefail
      # Keep the temporary and output files readable only by the current user,
      # since the decrypted key is written to disk in clear text
      umask 077
      
      # Check that exactly 2 parameters are provided
      if [ "$#" -ne 2 ]; then
          echo "Warning: You must provide exactly 2 parameters."
          echo "Usage: $0 <original>.pem <decrypted>.pem"
          exit 1
      fi
      
      # Parameters
      INPUT_PEM=$1
      OUTPUT_PEM=$2
      
      TEMP_CERT="temp_cert.pem"
      TEMP_KEY="temp_key_encrypted.pem"
      TEMP_KEY_DEC="temp_key_decrypted.pem"
      
      # Remove the temporary files on exit, including when an openssl step fails
      trap 'rm -f "$TEMP_CERT" "$TEMP_KEY" "$TEMP_KEY_DEC"' EXIT
      
      # Extract the certificate
      openssl x509 -in "$INPUT_PEM" -out "$TEMP_CERT"
      
      # Extract the private key (openssl prompts for the passphrase if the key is encrypted)
      openssl pkey -in "$INPUT_PEM" -out "$TEMP_KEY"
      
      # Write the key in unencrypted RSA form
      openssl rsa -in "$TEMP_KEY" -out "$TEMP_KEY_DEC"
      
      # Combine the certificate and the decrypted key into the new PEM
      cat "$TEMP_CERT" "$TEMP_KEY_DEC" > "$OUTPUT_PEM"
      
      echo "New pem generated. New filename = $OUTPUT_PEM"
    2. Confirm that the certificate format is as follows:
      -----BEGIN CERTIFICATE-----
      (base64....)
      -----END CERTIFICATE-----
      -----BEGIN PRIVATE KEY-----
      (base64....)
      -----END PRIVATE KEY-----
    3. In Service Gateway Management, click the Configure settings icon next to the Service Gateway.
      The Service Gateway Settings window appears.
    4. Click Import certificate.
    5. Click Select file… and select your certificate file.
    6. Click Import.
      For more information, see Configuring Service Gateway settings.
    7. Click Save.
      The certificate is uploaded to the virtual appliance.
  3. Add a log source to Third-Party Log Collection.
    1. Go to Workflow and Automation → Third-Party Integration.
    2. Click Third-Party Log Collection.
    3. Click + Add Log Source.
      The Log Source Settings window appears.
    4. Configure settings for the new log source:
      • Specify a Name for the log source.
      • Select a Service Gateway virtual appliance from the drop-down menu.
        Note
        Only Service Gateways with the Third-Party Log Collection Service installed appear in the list.
      • Make sure that the log source has at least one log collector configured.
        If none exist, add a log collector.
    5. Specify Sender IP addresses for the third-party logs, using commas to separate multiple values.
    6. Click Save.
  4. On the third-party platform, configure the log source to send third-party logs to Trend Vision One.
    Logs are sent in CEF format via Transport Layer Security (TLS) to the IP address and port of the selected Service Gateway appliance.
    For details on configuring the Palo Alto Networks Next-Generation Firewall integration, see Palo Alto Networks documentation.
    Third-party logs become available in the Search app. Third-party log sources can only send logs generated after connecting to Trend Vision One. You might need to allow some time before new logs start to appear.
  5. Verify log ingestion in Service Gateway Management.
    1. Go to Workflow and Automation → Service Gateway Management.
    2. Click the Service Gateway selected for the new log source.
    3. Go to Connected Products/Server.
    4. Click Third-Party Log Collection Service to view the service status.
  6. Go to the Search app to view collected third-party logs.
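A pre-import check for the combined PEM that step 2 describes, added here as an example rather than Trend's own tooling: it accepts both key labels the page shows (RSA PRIVATE KEY and PRIVATE KEY) and reports a key that is still passphrase-protected, a non-RSA key, a missing block, or a key placed before the certificate. The two sample PEMs are constructed, with shortened base64 bodies.

```python
import re
import sys

# Key labels step 2 shows: PKCS#1 "RSA PRIVATE KEY" and PKCS#8 "PRIVATE KEY" (OpenSSL 3 default).
ALLOWED_KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY")
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def parse_pem_blocks(text):
    """Return (label, body) for every PEM block in the file, in file order."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]

def check_gateway_pem(text):
    """Return a list of problems; an empty list means the PEM is ready to import."""
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    key_labels = [label for label in labels if label.endswith("PRIVATE KEY")]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if not key_labels:
        problems.append("no private key block found")
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append("key is PKCS#8 encrypted; decrypt it before importing")
        elif label in ALLOWED_KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("key carries a Proc-Type: 4,ENCRYPTED header; decrypt it first")
        elif label.endswith("PRIVATE KEY") and label not in ALLOWED_KEY_LABELS:
            problems.append(f"unsupported key type {label!r}; only RSA keys are accepted")
    # The documented layout is the certificate first, then the key.
    if "CERTIFICATE" in labels and key_labels and labels.index("CERTIFICATE") > labels.index(key_labels[0]):
        problems.append("private key appears before the certificate; expected certificate first")
    return problems

# Constructed samples (base64 bodies shortened): the layout step 2 asks you to confirm,
# and a PKCS#1 key that is still passphrase-protected.
SAMPLE_OK = (
    "-----BEGIN CERTIFICATE-----\nMIIBszCCAV...\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAA...\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_ENCRYPTED = (
    "-----BEGIN CERTIFICATE-----\nMIIBszCCAV...\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0123\n\nU2FsdGVkX1...\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python check_pem.py combined.pem; with no argument the encrypted sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENCRYPTED
    for problem in check_gateway_pem(text) or ["OK: certificate and unencrypted key present"]:
        print(problem)
```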
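To exercise step 4 and confirm the ingestion check in step 5 before the production platform is pointed at the gateway, here is an added example (not Trend's or Palo Alto Networks' code) that builds one CEF event with the format's escaping rules and sends it over TLS. The gateway IP, port, CA file and event values are placeholders or constructed, newline-terminated syslog framing is an assumption to confirm against the service's settings, and the sending host must be listed under Sender IP addresses in step 3.

```python
import datetime
import socket
import ssl

def cef_escape(value, in_extension):
    """CEF escaping: backslash always; '|' in header fields; '=' in extension values.
    Line breaks are escaped so one event stays on one syslog line."""
    text = str(value).replace("\\", "\\\\")
    text = text.replace("=", "\\=") if in_extension else text.replace("|", "\\|")
    return text.replace("\r", "\\r").replace("\n", "\\n")

def build_cef(vendor, product, version, signature_id, name, severity, **extension):
    """Build a CEF:0 event; severity is 0-10 and extension keys are CEF field names (src, dst, act...)."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be between 0 and 10")
    header = "|".join(cef_escape(f, False) for f in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{key}={cef_escape(val, True)}" for key, val in extension.items())
    return f"CEF:0|{header}|{ext}"

def syslog_line(cef_event, hostname, app_name="cef-test"):
    """Prefix the event with an RFC 5424 header (PRI 134 = facility local0, severity informational)."""
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    return f"<134>1 {stamp} {hostname} {app_name} - - - {cef_event}\n"

def send_over_tls(gateway_ip, port, line, ca_file=None):
    """Send one newline-terminated event to the Service Gateway over TLS and return the
    negotiated protocol. ca_file is assumed to be the CA behind the certificate imported in
    step 2; the default context verifies the gateway certificate before anything is sent
    (the certificate needs an IP SAN when the gateway is addressed by IP)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((gateway_ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=gateway_ip) as tls:
            tls.sendall(line.encode("utf-8"))
            return tls.version()

if __name__ == "__main__":
    # Placeholders: substitute the IP and port shown for your Service Gateway and your CA file.
    GATEWAY_IP, GATEWAY_PORT, CA_FILE = "192.0.2.10", 6514, "gateway-ca.pem"
    # Constructed sample values; the msg field shows '|' and '=' being escaped.
    event = build_cef("Palo Alto Networks", "PAN-OS", "10.2", "TRAFFIC", "deny", 5,
                      src="198.51.100.7", dst="203.0.113.4", dpt=445, act="deny",
                      msg="test event: rule=block-smb|egress")
    print(send_over_tls(GATEWAY_IP, GATEWAY_PORT, syslog_line(event, "fw-edge-01"), CA_FILE))
```

If the event never shows up in the Search app, check the service status under Connected Products/Server first and then whether the sending host's address is in the log source's Sender IP addresses list.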