vRealize Log Insight collects syslog messages from Check Point and Palo Alto firewalls. After you add the vRealize Log Insight data source in vRealize Network Insight, the dropped flow notifications for these firewall devices are shown in vRealize Network Insight.

When the firewall devices are configured to send syslog messages to vRealize Log Insight and when any policy is affected on these devices, vRealize Log Insight filters deny/drop action messages and sends notification to vRealize Network Insight. vRealize Network Insight consumes these notifications and creates dropped flow events with firewall and flow details.

Prerequisites

Ensure that you have the API user permissions to install, configure, and manage the content pack.

Install the content pack and enable alerts.

Procedure

  1. Create or reuse a vRealize Log Insight user with access to the APIs of vRealize Log Insight.
  2. Go to Settings > Accounts and Data Sources.
  3. Click Add Source.
  4. Click Log Insight under Log Servers.
  5. On the Add a New Log Insight Server Account or Source page, click Instructions next to the page title. A pop-up window appears providing the prerequisites for adding the vRealize Log Insight data source and the instructions to enable the Webhook URL on vRealize Log Insight. The pop-up window on vRealize Network Insight displaying the prerequisites for adding the vRealize Log Insight data source.
  6. Enter the required details.
    Name Description
    Collector VM Select the IP address of the data collector that you have deployed for the data collection process.
    IP Address / FQDN Enter the IP address or the FQDN of the data source.
    User Name Enter the user name you want to use for a particular data source.
    Password Enter the password for the data source.
    Authentication Provider Select the respective authentication provider for the credentials that you have provided.
  7. After the data source is created, a pop-up window is displayed providing the webhook URL and the steps that have to be performed to enable this URL on vRealize Log Insight. Copy the Webhook URL. The popup window displays the Webhook URL and the steps to enable the URL on vRealize Log Insight.
    Note: The Webhook URL, which is generated after the addition of the data source, is used in vRealize Log Insight.
  8. Log in to vRealize Log Insight with the credentials that were used for adding this data source. Enable alerts in the vRealize Log Insight application and select the preconfigured Webhook. To ensure that the integration is successful, click Send Test Alert. The vRealize Log Insight user interface displays options to enable alerts and select the preconfigured Webhook.