VMware Aria Operations for Logs collects syslog messages from Check Point and Palo Alto firewalls. After you add the VMware Aria Operations for Logs data source in VMware Aria Operations for Networks, the dropped flow notifications for these firewall devices are shown in VMware Aria Operations for Networks.
Note:
VMware Aria Operations for Networks supports addition of
VMware Aria Operations for Logs 8.0 to 8.8. Make sure you add the supported version of
VMware Aria Operations for Logs as a data source in
VMware Aria Operations for Networks.
When the firewall devices are configured to send syslog messages to VMware Aria Operations for Logs and when any policy is affected on these devices, VMware Aria Operations for Logs filters deny/drop action messages and sends notification to VMware Aria Operations for Networks. VMware Aria Operations for Networks consumes these notifications and creates dropped flow events with firewall and flow details.
Prerequisites
Ensure that you have the API user permissions to install, configure, and manage the content pack.
Install the content pack and enable alerts.
Procedure
- Create or reuse a VMware Aria Operations for Logs user with access to the APIs of VMware Aria Operations for Logs.
- Go to .
- Click Add Source.
- Click Operations for Logs under Log Servers.
- On the Add a New Operations for Logs Server Account or Source page, click Instructions next to the page title. A pop-up window appears providing the prerequisites for adding the VMware Aria Operations for Logs data source and the instructions to enable the Webhook URL on VMware Aria Operations for Logs.
- Enter the required details.
Name |
Description |
Collector VM |
Select the IP address of the data collector that you have deployed for the data collection process. |
IP Address / FQDN |
Enter the IP address or the FQDN of the data source. |
User Name |
Enter the user name you want to use for a particular data source. |
Password |
Enter the password for the data source. |
Authentication Provider |
Select the respective authentication provider for the credentials that you have provided. |
- After the data source is created, a pop-up window is displayed providing the webhook URL and the steps that have to be performed to enable this URL on VMware Aria Operations for Logs. Copy the Webhook URL.
Note: The Webhook URL, which is generated after the addition of the data source, is used in
VMware Aria Operations for Logs.
- Log in to VMware Aria Operations for Logs with the credentials that were used for adding this data source. Enable alerts in the VMware Aria Operations for Logs application and select the preconfigured Webhook. To ensure that the integration is successful, click Send Test Alert.