Read Me
Log alerting via email is all well and good. Though, the real sauce is getting it into your Webex space! Who doesn’t love hearing those crescendos of beeps?!
Though this blog primarily aims to generate HTTP POST events for System logs, you could apply it to Configuration logs or User-ID logs. Again, though we are configuring Panorama to send HTTP messages, you can replicate the steps on any managed or unmanaged PAN firewalls.
Prerequisite Tasks
Before you race off, ensure you have the following sorted to avoid any fretting:
- A Cisco Webex account.
- A Cisco Webex space.
- Administrative or privileged access to configure HTTP and Log Settings on your PAN devices.
Cisco Webex
This section covers creating a Cisco Webex bot, grabbing its token and finding the coveted roomId.
Creating a Bot
Visit and log in to https://developer.webex.com/my-apps/new/bot.
Give your Webex bot a name, username, an optional icon and description. Click Add Bot when you’re happy.
Copy and save the Bot Access token. Once you click the Copy Token button, you will never see it again (other than by regenerating a new access token).
If you lose your token, visit https://developer.webex.com/my-apps, select the bot in question, and click Regenerate Access Token.
Finally, add the bot to the space you’re part of. This is a critical step. Otherwise, your bot won’t be able to post messages to that space.
Finding the Room ID
With the bot created, we can move on to obtaining the roomID. The roomID is simply the space’s unique identifier and lets the bot know where to post messages.
Note
Ensure you and your bot are in the space you are trying to find.
To grab a roomId of a space we do the following:
Visit Webex API to list rooms at https://developer.webex.com/docs/api/v1/rooms/list-rooms.
Click Run.
The API hopefully returns all the spaces you’re part of. Find the space you wish and copy its id.
PAN-OS
Now that we have our Webex bot, its access token and the space’s roomID, we are ready to set up the Palo side, which has two parts:
- Creating an HTTP Server Profile
- Setting the log settings
HTTP Server Profile
Though I am configuring this in Panorama, these steps are the same for the PAN firewalls.
We need to create an HTTP server profile which provides the destination required to send the system logs we want. Head to Device > Server Profiles > HTTP > Add.
Set the server parameters:
- NAME whatever you please.
- ADDRESS as webexapis.com.
- PROTOCOL as HTTPS.
- PORT as 443.
- TLS as 1.2.
- CERTIFICATE PROFILE is not required.
- USERNAME is not required.
- PASSWORD is not required but PAN-OS moans if a password is not set. For this purpose set something random.
Test server connectivity by clicking the Test Server Connection button and ensure it succeeds.
Switch to the Payload Format tab and edit the System log type.
- Name whatever-you-wish-to-call-it.
- URI Format as v1/messages.
- HTTP Headers
  - Add header of Content-Type and set its value to application/json.
  - Add header of Authorization and set its value to Bearer REPLACE-THIS-TEXT-WITH-BOT-ACCESS-TOKEN.
The payload format is of type JSON, therefore our structure needs to follow it! Substitute these parameters:
- roomID replace with your own.
- Text keep empty as we are using markdown.
- Markdown take care when making modifications here, as this can break the payload and prevent messages from reaching your space.
{ "roomId": "Enter_your_roomID_here", "text": "", "markdown": "---\n\n\n # PAN Panorama Event \n\n **Host**: $device_name \n\n **Serial**: $serial \n\n **PAN-OS Version**: $sender_sw_version \n\n **Event ID**: $eventid $object \n\n **Object**: $object \n\n **Detail**: $opaque \n\n**Date & Time**: $receive_time" }
We are ready to test it out! Go ahead and click on Send Test Log (you may need to press OK in both the Payload Format tab and the HTTP Server Profile tab, and then possibly commit, before it works).
If successful, you will have already seen and heard that test message come through to the space, sent by your bot.
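A pre-flight check for the payload and headers above, added here as an example (it is not part of the original post or of any PAN tooling): it fills the $variables with constructed sample values, using Python's string.Template as a stand-in for PAN-OS substitution, and shows that a quote inside $opaque only produces valid JSON when the value is escaped. The environment variable names WEBEX_BOT_TOKEN and WEBEX_ROOM_ID are assumptions.

```python
import json
import os
import urllib.request
from string import Template

# Payload exactly as typed on the Payload Format tab (roomId is still the placeholder).
PAYLOAD_TEMPLATE = r'''{ "roomId": "Enter_your_roomID_here", "text": "", "markdown": "---\n\n\n # PAN Panorama Event \n\n **Host**: $device_name \n\n **Serial**: $serial \n\n **PAN-OS Version**: $sender_sw_version \n\n **Event ID**: $eventid $object \n\n **Object**: $object \n\n **Detail**: $opaque \n\n**Date & Time**: $receive_time" }'''

# Constructed sample values standing in for one System log entry.
SAMPLE_LOG = {
    "device_name": "panorama-lab", "serial": "000000000000",
    "sender_sw_version": "0.0.0", "eventid": "ha1-link-change",
    "object": "HA1", "opaque": 'HA1 link "down" on peer',
    "receive_time": "2024/01/01 00:00:00",
}

def render(template, fields, escape=True):
    """Fill the $variables; with escape=True each value is JSON-string-escaped first."""
    if escape:
        fields = {k: json.dumps(v)[1:-1] for k, v in fields.items()}
    return Template(template).substitute(fields)

def check_payload(body):
    """Return the parsed message, or raise ValueError if the body is unusable."""
    msg = json.loads(body)  # json.JSONDecodeError is a subclass of ValueError
    if not msg.get("roomId"):
        raise ValueError("roomId is missing or empty")
    if not (msg.get("text") or msg.get("markdown")):
        raise ValueError("neither text nor markdown is set")
    return msg

def build_request(body, token):
    """Build the same POST the HTTP server profile is configured to send."""
    return urllib.request.Request(
        "https://webexapis.com/v1/messages",
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )

if __name__ == "__main__":
    body = render(PAYLOAD_TEMPLATE, SAMPLE_LOG)
    check_payload(body)  # raises before anything is sent if the template is broken
    token, room = os.environ.get("WEBEX_BOT_TOKEN"), os.environ.get("WEBEX_ROOM_ID")
    if token and room:  # nothing is sent unless both are supplied
        body = body.replace("Enter_your_roomID_here", room)
        with urllib.request.urlopen(build_request(body, token), timeout=10) as resp:
            print("Webex answered HTTP", resp.status)
```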
Log Settings
Now we need a destination and filter to send our system logs.
Head over to Log Settings > Click Add to create a new System log setting and fill in the following parameters:
- Name as you please.
- Filter of your choice (check next step for the Filter Builder).
- HTTP select the previously created HTTP profile.
Be mindful that you should monitor your system logs for other events that aren’t necessarily severity-type critical but are still vital to you. For example, suppose you want to be alerted of HA1 link changes. You must include (eventid eq ha1-link-change) as part of your filter since PAN-OS only recognises this as severity-type informational. Thus your filter would now look like this: (severity eq critical) or (eventid eq ha1-link-change).