vRealize Log Insight collects syslog messages from Check Point and Palo Alto firewalls. After you add the vRealize Log Insight data source in vRealize Network Insight Cloud, the dropped flow notifications for these firewall devices are shown in vRealize Network Insight Cloud.

When the firewall devices are configured to send syslog messages to vRealize Log Insight and any policy is affected on these devices, vRealize Log Insight filters the deny/drop action messages and sends notifications to vRealize Network Insight Cloud. vRealize Network Insight Cloud consumes these notifications and creates dropped flow events with firewall and flow details.

Prerequisites

Ensure that you have the API user permissions to install, configure, and manage the content pack.

Install the content pack and enable alerts.

Procedure

  1. Create or reuse a vRealize Log Insight user with access to the APIs of vRealize Log Insight.
  2. Go to Settings > Accounts and Data Sources.
  3. Click Add Source.
  4. Click Log Insight under Log Servers.
  5. On the Add a New Log Insight Server Account or Source page, click Instructions next to the page title. A pop-up window appears that provides the prerequisites for adding the vRealize Log Insight data source and the instructions to enable the Webhook URL on vRealize Log Insight.
  6. Enter the required details.
    Name | Description
    Collector VM | Select the IP address of the data collector that you have deployed for the data collection process.
    IP Address / FQDN | Enter the IP address or the FQDN of the data source.
    User Name | Enter the user name you want to use for a particular data source.
    Password | Enter the password for the data source.
    Authentication Provider | Select the respective authentication provider for the credentials that you have provided.
  7. After the data source has been created, a pop-up window appears that provides the Webhook URL and the steps to enable this URL on vRealize Log Insight. Copy the Webhook URL.
    Note: The Webhook URL, which is generated after the addition of the data source, is used in vRealize Log Insight.
  8. Log in to vRealize Log Insight with the credentials that were used for adding this data source. Enable alerts in the vRealize Log Insight application and select the preconfigured Webhook. Send Test Alert to ensure that the integration is successful.