VMware Aria Operations for Logs collects syslog messages from Check Point and Palo Alto firewalls. After you add the VMware Aria Operations for Logs data source in VMware Aria Operations for Networks, the dropped flow notifications for these firewall devices are shown in VMware Aria Operations for Networks.

Note: VMware Aria Operations for Networks supports adding VMware Aria Operations for Logs versions 8.0 to 8.8. Make sure that you add a supported version of VMware Aria Operations for Logs as a data source in VMware Aria Operations for Networks.

When the firewall devices are configured to send syslog messages to VMware Aria Operations for Logs and any policy is affected on these devices, VMware Aria Operations for Logs filters the deny/drop action messages and sends notifications to VMware Aria Operations for Networks. VMware Aria Operations for Networks consumes these notifications and creates dropped flow events with firewall and flow details.

Prerequisites

Ensure that you have the API user permissions to install, configure, and manage the content pack.

Install the content pack and enable alerts.

Procedure

  1. Create or reuse a VMware Aria Operations for Logs user with access to the APIs of VMware Aria Operations for Logs.
  2. Go to Settings > Accounts and Data Sources.
  3. Click Add Source.
  4. Click Operations for Logs under Log Servers.
  5. On the Add a New Operations for Logs Server Account or Source page, click Instructions next to the page title. A pop-up window appears providing the prerequisites for adding the VMware Aria Operations for Logs data source and the instructions to enable the Webhook URL on VMware Aria Operations for Logs.
  6. Enter the required details.
    | Name | Description |
    |------|-------------|
    | Collector VM | Select the IP address of the data collector that you have deployed for the data collection process. |
    | IP Address / FQDN | Enter the IP address or the FQDN of the data source. |
    | User Name | Enter the user name you want to use for a particular data source. |
    | Password | Enter the password for the data source. |
    | Authentication Provider | Select the respective authentication provider for the credentials that you have provided. |
  7. After the data source is created, a pop-up window is displayed providing the webhook URL and the steps that have to be performed to enable this URL on VMware Aria Operations for Logs. Copy the Webhook URL.
    Note: The Webhook URL, which is generated after the addition of the data source, is used in VMware Aria Operations for Logs.
  8. Log in to VMware Aria Operations for Logs with the credentials that were used for adding this data source. Enable alerts in the VMware Aria Operations for Logs application and select the preconfigured Webhook. To ensure that the integration is successful, click Send Test Alert.