Ingest Palo Alto FW Logs into Microsoft Sentinel SIEM

  • Post last modified: October 2, 2025
  • Post category: SIEM
  • Reading time: 5 mins read

Recently I’ve had to switch the Palo Alto connector in Microsoft Sentinel from [Deprecated] Palo Alto Networks (Firewall) via Legacy Agent to [Recommended] Palo Alto Networks (Firewall) via AMA. What I decided to go with was building a brand new server that is going to act as a Log Forwarder, instead of repurposing the old Log Forwarder. I needed a clean slate to work with. And more importantly, I did not want to deal with the legacy agent and figuring out how to avoid sending duplicate logs to Sentinel.

High-level Steps

  1. Build a brand new Ubuntu 24.04 LTS machine. A version where the AMA agent is supported according to https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-supported-operating-systems.
  2. Install Azure Arc on the new Ubuntu machine. (This was only required because we built the server in our Data Center and not in Azure.)
  3. Create a new Collection Rule and add the new Log Forwarder as a Resource.
  4. Install the AMA agent on the new Log Forwarder.
  5. Configure the Palo Alto Firewall to forward logs to the new Log Forwarder.
  6. Run AMA Troubleshooter to confirm it is working.
  7. Confirm logs are being fed into Sentinel under the correct CollectorHostName.

Detailed Steps

1- This step is pretty straightforward. It includes building the actual server that is going to act as the Log Forwarder. In this case, we must go with a Linux system. According to Microsoft documentation, “CEF Events logs are collected only from Linux agents.”

In my case, I went with Ubuntu 24.04 LTS.

2- Since this is a non-Azure Virtual Machine, my immediate next step was configuring Azure Arc. Again, this is a Microsoft requirement; “To collect data from non-Azure VMs, they must have Azure Arc installed and enabled.”

To add a server to Azure Arc, the steps are:

  • Navigate to https://portal.azure.com and search for Azure Arc.
  • Select Machines under Azure Arc resources.
  • Click Add/Create and select Add a machine.
  • Under Add a single server, click the blue Generate script button.
  • Configure the settings under Basics per your preference and requirements. This includes “Subscription”, “Resource Group”, “Region”, “Operating System”, “Connectivity method”…
  • Click Download and run script.
  • Move it to the new Log Forwarder (Ubuntu machine in my case) and make it executable: “sudo chmod +x OnboardingScript.sh”
  • Run the script in a terminal window. You have to make sure you are in the same directory where the script was saved and run: “./OnboardingScript.sh”.
  • Allow a few minutes after the installation is over and navigate to Azure Arc > Machines.
  • Search for your new server by hostname and it should be listed.

3- To create a new Collection Rule and add your new Log Forwarder as a Resource, follow these steps:

  • Navigate to https://portal.azure.com and search for Data collection rules.
  • Click Create and configure the Basics settings for your new Data Collection Rule.
  • Under the Resources tab, click Add resources and select the new machine that you just configured with Azure Arc in step 2.
  • Under the Collect and deliver tab, select Linux Syslog as an option. Then set the type of logs you would like to collect.
  • Click Next: Destination> and select Azure Monitor Logs, then the correct Subscription where the Log Analytics Workspace for Sentinel is, then the name of the Log Analytics Workspace itself under Destination details.
  • Click Create to create the Data Collection Rule.

4- To install the AMA agent on the new Ubuntu Log Forwarder, do the following:

  • Navigate to https://portal.azure.com and search for Microsoft Sentinel.
  • Select the correct instance and navigate to Configuration > Data connectors.
  • Select Common Event Format (CEF) via AMA, and click Open connector page.
  • Copy the command under Run the following command to install and apply the CEF collector: and run it in a Terminal window on the new Log Forwarder machine/server.

5- The next step is to configure the Palo Alto to send CEF logs to the new Ubuntu Log Forwarder:

  • Log in to Panorama.
  • Navigate to the Panorama tab.
  • Under Server Profiles, select Syslog, and click Add.
  • Enter a server profile Name and Location (location refers to a virtual system, if the device is enabled for virtual systems).
  • In the Servers tab, click Add and enter a Name, IP address (Syslog Server field), Transport, Port (default 514 for UDP), and Facility (default LOG_USER) for the Syslog server.
  • Select the Custom Log Format tab and click any of the listed log types (Config, System, Threat, Traffic, URL, Data, WildFire, Tunnel, Authentication, User-ID, HIP Match) to define a custom format based on the CEF for that log type.
  • Modify the default CEF header format to make sure there are always 7 fields in the CEF header, as the Sentinel log analytics agent can only parse a fixed header (7 fields). For example, the “Global Protect” log type has only 6 fields and SCTP only 5 fields in the default configuration. Introduce dummy fields to make sure there are 7 fields.
  • Click OK twice to save your entries, then click Commit.
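To check the 7-field header requirement from the step above before committing a custom log format, here is an added Python example (not from the original post, Palo Alto or Microsoft) that splits a syslog line into CEF header fields and extension, counts the header fields, and pads a short header with dummy fields. The sample lines, the filler value “-” and the “append at the end” placement are constructed assumptions.

```python
import re

# Header layout the CEF-via-AMA parser expects: exactly 7 pipe-delimited fields,
# then the key=value extension:
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
EXPECTED_HEADER_FIELDS = 7
# A '|' is a field separator only when it is not escaped as '\|'.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# The extension begins at the first part that looks like a key=value pair.
_EXTENSION_START = re.compile(r"^\s*[A-Za-z0-9_.-]+=")

# Constructed sample lines (not real PAN-OS output), with an RFC 3164 style prefix.
SAMPLES = {
    "traffic_ok": "Oct  2 10:00:00 pa-fw01 CEF:0|Palo Alto Networks|PAN-OS|11.0.0|end|TRAFFIC|1|"
                  "rt=Oct 02 2025 10:00:00 GMT src=10.0.0.5 dst=10.0.1.7 dpt=443",
    "globalprotect_short": "Oct  2 10:00:01 pa-fw01 CEF:0|Palo Alto Networks|PAN-OS|11.0.0|"
                           "GLOBALPROTECT|gateway-auth|rt=Oct 02 2025 10:00:01 GMT suser=alice",
}


def split_cef(line: str) -> tuple[list[str], str]:
    """Return (header_fields, extension); anything before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = _UNESCAPED_PIPE.split(line[start:])
    header = []
    for i, part in enumerate(parts):
        if _EXTENSION_START.match(part):
            # Pipes inside the extension are legal, so rejoin the remainder.
            return header, "|".join(parts[i:])
        header.append(part)
    return header, ""


def header_field_count(line: str) -> int:
    return len(split_cef(line)[0])


def pad_header(line: str, filler: str = "-") -> str:
    """Append dummy fields so the header has 7 fields. Appending at the end is
    only an illustration; in a real format place the dummies so the mapped
    columns (Severity is field 7) keep their meaning."""
    header, extension = split_cef(line)
    missing = EXPECTED_HEADER_FIELDS - len(header)
    if missing <= 0:
        return line
    rebuilt = "|".join(header + [filler] * missing)
    if extension:
        rebuilt += "|" + extension
    return line[: line.find("CEF:")] + rebuilt
```

Run `header_field_count` over a capture from the forwarder (for example a few lines taken from its syslog) per log type; any type reporting fewer than 7 needs its Custom Log Format adjusted.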

6- Now we need to confirm that the logs are being sent from the Palo to the Log Forwarder and that there are no issues. Run the troubleshooter using this command:

“sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py && sudo python Sentinel_AMA_troubleshoot.py --cef”

If there are any issues, follow the steps in the troubleshooting logs and resolve them accordingly.

7- Next, we are going to use KQL to confirm the logs are being ingested correctly. Follow these steps:

  • Log in to security.microsoft.com.
  • Navigate to Investigation & response > Hunting > Advanced hunting.
  • Run this KQL query and it should return 10 recent logs from the Palo Alto:
    • Make sure to replace Host_Name_of_Log_Forwarder_Here with the actual hostname of the new Log Forwarder you just created.
CommonSecurityLog
| where CollectorHostName contains "Host_Name_of_Log_Forwarder_Here"
| take 10 
  • If there are no results, allow a few more minutes for everything to sync up. If there are still no logs, something was configured incorrectly; revisit the steps above and try again.
  • Another way you can confirm the connector is up and running is by selecting in Sentinel, and it should look something like this: