Log-links – Easy, fast and usable!

If you work with Palo Alto Networks firewalls, then this view is not new to you.

If not, this is what the Detailed Log View of a standard Traffic log line looks like. It contains a lot of information and helps you figure out what has or has not happened.
But how many times have you copied and pasted IPs, domain names or threat names/IDs from it to look them up in external sources?

For me, it’s plenty of times.

So let’s explore a cool feature of PAN-OS that has been around since early on and does not get the recognition it deserves!

It’s simply called Log-links, and it lets you embed links directly into the Detailed Log View so you can pull information from external sources fast.

Here are the log-links I am showcasing today:

set deviceconfig system log-link ThreatVault.Src url "https://threatvault.paloaltonetworks.com/?query={src}"
set deviceconfig system log-link ThreatVault.Dst url "https://threatvault.paloaltonetworks.com/?query={dst}"
set deviceconfig system log-link VirusTotal.Src url "https://www.virustotal.com/en/ip-address/{src}/information"
set deviceconfig system log-link VirusTotal.Dst url "https://www.virustotal.com/en/ip-address/{dst}/information"
set deviceconfig system log-link Ping.Src url "https://centralops.net/co/Ping.aspx?addr={src}&count=5&timeout=1000&size=32&ttl=255&ip-version=auto"
set deviceconfig system log-link Ping.Dst url "https://centralops.net/co/Ping.aspx?addr={dst}&count=5&timeout=1000&size=32&ttl=255&ip-version=auto"
set deviceconfig system log-link NSlookup.Src url "https://centralops.net/co/NsLookup.aspx?domain={src}&type=255&server=8.8.8.8&class=1&port=53&timeout=5000"
set deviceconfig system log-link NSlookup.Dst url "https://centralops.net/co/NsLookup.aspx?domain={dst}&type=255&server=8.8.8.8&class=1&port=53&timeout=5000"
set deviceconfig system log-link DomainDossier.Src url "https://centralops.net/co/DomainDossier.aspx?addr={src}&dom_whois=true&dom_dns=true&net_whois=true"
set deviceconfig system log-link DomainDossier.Dst url "https://centralops.net/co/DomainDossier.aspx?addr={dst}&dom_whois=true&dom_dns=true&net_whois=true"

These are just example log-links; as the format shows, adding other sites is easy. {src} and {dst} are placeholders that are replaced with the Source and Destination address of the log entry when the link is built.

You need to use the CLI for this, so fire up PuTTY or any other SSH client to get started:

Remember that you need to be in “configure” mode. Then simply paste the block above and commit when it is done.

NB: The links are shown in the order they were configured, so add the log-links for the same site right after each other to keep the view from looking messy.
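As an added example (this is not code from the post or from Palo Alto Networks), here is a small Python helper that generates the set commands for a list of sites, keeps each site's Src and Dst links adjacent so they display together, and rejects templates with the kind of mistake that is easy to make here, such as a missing “?” before the query string. It assumes only the command form and the {src}/{dst} placeholders shown in this post; the {addr} slot, the SITES table and the sample log entry are this example's own constructed conventions. Run it on your workstation and paste its output into configure mode.

```python
"""Generate and sanity-check PAN-OS log-link 'set' commands.

Added example, not code from the original post or from Palo Alto Networks.
It assumes only what the post shows: the command form
'set deviceconfig system log-link <name> url "<template>"' and the two
placeholders {src} and {dst}, which PAN-OS replaces with the Source and
Destination address of the log entry. The {addr} slot, the SITES table and
the sample log entry below are this script's own constructed conventions.
"""
from urllib.parse import urlsplit

PLACEHOLDERS = ("{src}", "{dst}")

# Site name -> URL template. {addr} is expanded to both {src} and {dst},
# giving a <Site>.Src and a <Site>.Dst link per entry (templates from the post).
SITES = {
    "ThreatVault": "https://threatvault.paloaltonetworks.com/?query={addr}",
    "VirusTotal": "https://www.virustotal.com/en/ip-address/{addr}/information",
    "Ping": "https://centralops.net/co/Ping.aspx?addr={addr}&count=5&timeout=1000"
            "&size=32&ttl=255&ip-version=auto",
    "DomainDossier": "https://centralops.net/co/DomainDossier.aspx?addr={addr}"
                     "&dom_whois=true&dom_dns=true&net_whois=true",
}


def check_template(url):
    """Return a list of problems with one log-link URL template ([] means OK)."""
    problems = []
    if not any(p in url for p in PLACEHOLDERS):
        problems.append("no {src}/{dst} placeholder, the link would be static")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme is %r, expected http or https" % parts.scheme)
    # A query glued onto the path without '?' (the typo corrected in the post's
    # first link) shows up as '=' inside the path with an empty query string.
    if "=" in parts.path and not parts.query:
        problems.append("'=' in path but no query string: missing '?' before the query?")
    if '"' in url:
        problems.append("double quote inside the URL breaks the set command's quoting")
    return problems


def set_commands(sites):
    """Build the set commands, keeping each site's Src and Dst link adjacent,
    since the Detailed Log View lists links in configuration order."""
    cmds = []
    for name, template in sites.items():
        for suffix, placeholder in (("Src", "{src}"), ("Dst", "{dst}")):
            url = template.replace("{addr}", placeholder)
            bad = check_template(url)
            if bad:
                raise ValueError("%s.%s: %s" % (name, suffix, "; ".join(bad)))
            cmds.append('set deviceconfig system log-link %s.%s url "%s"'
                        % (name, suffix, url))
    return cmds


def render(url, src, dst):
    """Show what a link becomes for one log entry: PAN-OS substitutes the raw
    values, so the logged address ends up in the URL sent to the external site."""
    return url.replace("{src}", src).replace("{dst}", dst)


if __name__ == "__main__":
    # Constructed sample log entry, not real traffic.
    entry = {"src": "10.0.0.25", "dst": "198.51.100.7"}
    print("# paste in configure mode, then 'commit'")
    for cmd in set_commands(SITES):
        print(cmd)
    print("# the VirusTotal.Dst link for the sample entry:")
    print(render(SITES["VirusTotal"].replace("{addr}", "{dst}"), **entry))
    # A template without the '?' before the query is caught by the checker:
    print(check_template("https://threatvault.paloaltonetworks.com/query={src}"))
```

The checker is deliberately conservative: it only flags things that are visibly wrong in the template itself (no placeholder, a query string with no “?”, a stray double quote that would break the CLI quoting). It cannot tell you whether the external site still accepts that URL format, so open one rendered link by hand before you commit a whole batch.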

After the commit finishes you should see the following in the Detailed Log View (do a full refresh of the GUI first):

You now have a set of handy tools to check IPs against Palo Alto Networks Threat Vault and VirusTotal, to ping and run NSlookup from an external vantage point, and to pull domain information.
Clicking a link opens a new window. Keep in mind that the logged address is sent to the external site as part of the URL, so think about which values you are comfortable disclosing to a third party.

Here are a couple of examples of how it looks:

And this is how it looks in the CLI afterwards:

Your imagination is the only limit on this feature. Perhaps you have internal tools you can now link directly from the log view as well?

Have fun with it.

EDIT: There was a small typo in the first log-link; it is fixed now. Sorry to everyone who was affected! 🙂

15 thoughts on “Log-links – Easy, fast and usable!”

  1. I wasn’t aware of this feature. Very slick!

    Minor edit: In the first “ThreatVault.Src” you’re missing the “?” before the word “query”.

    • Thanks for bringing this to my attention! Fixed now. Sorry for any hassle that created. 🙂
      I agree that the feature is slick, and sadly it’s something we support that is not really communicated well.

  2. Hi, Glenn!

    Thank you for this useful post! Very useful feature.

    Few comments and questions from my side.

    First link: set deviceconfig system log-link ThreatVault.Src url “https://threatvault.paloaltonetworks.com/query={src}” is missing the character “?” in front of “query” – I was stuck on this one, and it is probably the first thing everyone tries.

    I found PAN KB article regarding log links: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-does-the-Log-Link-Feature-Work/ta-p/52298
    There is certain information defined that can be used with log links. Do you know if it is now also possible to use hashes and URLs in log links, or is that on the roadmap?
    You can query malware from detailed log view from threatvault, but I would like to query hashes and URLs from external sources (Virustotal) also.

    • Thanks for the heads-up! I fixed it now. Sorry! 🙂

      Regarding adding hashes or URLs, this is something I can see as very useful, so I will bring it to the right people. I am not aware of any roadmap at this moment. I will get back to you on that!


Comments are closed.