Paloalto Prisma

LogZilla App Store application: Paloalto Prisma

Prisma SD-WAN

Overview

The Prisma SD-WAN app processes events, alerts, authentication logs, and network flow data from Palo Alto Prisma SD-WAN (formerly CloudGenix). Events are collected via the Prisma SD-WAN API and forwarded to LogZilla using the HTTP Event Receiver.

Architecture

Events flow through the following pipeline:

  1. Prisma SD-WAN API - Source of events, alerts, and audit logs
  2. API Gateway Script - Polls the API and forwards events to LogZilla
  3. LogZilla HTTP Receiver - Receives events at /incoming endpoint
  4. Lua Parser Rules - Extracts tags, filters unwanted fields, preserves original messages
  5. Dashboards - Visualizes events, VPN status, and network flows

Prerequisites

LogZilla Requirements

  • LogZilla v6.38 or higher
  • HTTP Event Receiver enabled
  • Ingest token configured (see LogZilla docs)

Prisma SD-WAN Requirements

  • Prisma SD-WAN Controller access
  • API authentication token
  • Network connectivity from API Gateway to LogZilla

Installation

1. Install this app in the LogZilla UI

2. Configure API Gateway

This app requires an API Gateway to poll the Prisma SD-WAN API and forward events to LogZilla's HTTP Event Receiver. The gateway must send events in JSON format to the LogZilla /incoming endpoint with the following requirements:

Gateway Requirements:

  • Poll Prisma SD-WAN API for events, alerts, and audit logs
  • Send events to LogZilla HTTP endpoint (/incoming)
  • Include ingest token for authentication
  • Format events as JSON with proper structure

Event Format Expected:

Events must be sent as JSON to LogZilla with these fields:

  • host - Device or site identifier
  • program - Event type (auto-detected by rules)
  • message - Full event data (preserved for UI display)
  • priority - Syslog priority value
  • user_tags - Event metadata as key-value pairs

Contact LogZilla support for gateway deployment assistance.
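The gateway-side formatting described above, as an added example that is not LogZilla's or Palo Alto's own code: it shapes one Prisma SD-WAN alarm (the alarm sample used elsewhere on this page) into the host/program/message/priority/user_tags structure and posts it to /incoming. The severity-to-syslog mapping, the `prisma-<type>` program name, the local0 facility and the `Authorization: Bearer` header carrying the ingest token are all assumptions; confirm the header name against the LogZilla HTTP Event Receiver documentation.

```python
import json
import urllib.request

# Assumed mapping from Prisma SD-WAN severities to RFC 5424 syslog severity
# levels; the page does not define one, so adjust to your environment.
SEVERITY_LEVELS = {"critical": 2, "major": 3, "minor": 4, "warning": 4, "info": 6}
LOCAL0 = 16  # assumed facility for events forwarded by the gateway


def syslog_priority(severity, facility=LOCAL0):
    """Syslog PRI = facility * 8 + severity; unknown severities map to notice (5)."""
    return facility * 8 + SEVERITY_LEVELS.get(str(severity).lower(), 5)


def build_logzilla_event(event, default_host="prisma-sdwan"):
    """Shape one Prisma event into the five fields the app expects.

    host    - site name when present, else a fallback identifier
    program - assumed naming; the app's rules detect the event type from it
    message - the full event, serialised so the UI keeps every original field
    user_tags - remaining metadata as string key/value pairs
    """
    return {
        "host": event.get("site") or default_host,
        "program": f"prisma-{event.get('type', 'event')}",
        "message": json.dumps(event, separators=(",", ":")),
        "priority": syslog_priority(event.get("severity", "")),
        "user_tags": {k: str(v) for k, v in event.items() if k != "type"},
    }


def send_to_logzilla(logzilla_url, ingest_token, event, opener=urllib.request.urlopen):
    """POST the formatted event to LogZilla's /incoming endpoint and return the HTTP status.
    The Bearer header is an assumption; use whatever header the receiver is configured for."""
    body = json.dumps(build_logzilla_event(event)).encode("utf-8")
    req = urllib.request.Request(
        f"{logzilla_url.rstrip('/')}/incoming", data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {ingest_token}"},
    )
    with opener(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample mirroring the alarm example on this page
    sample = {"type": "alarm", "code": "DEVICEHW_INTERFACE_DOWN", "status": "raised",
              "severity": "major", "site": "DUBLIN-Branch-GW", "correlation_id": "J5PyRh7W"}
    print(json.dumps(build_logzilla_event(sample), indent=2))
```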

3. Verify Events

Check the LogZilla UI's Prisma Event dashboard for events.

Event Types

The app processes three types of Prisma SD-WAN data:

Event Logs

System events and alarms from Prisma SD-WAN infrastructure.

Example:

```json
{
  "type": "alarm",
  "code": "DEVICEHW_INTERFACE_DOWN",
  "status": "raised",
  "severity": "major",
  "site": "DUBLIN-Branch-GW",
  "element_id": "1744132048002008845",
  "correlation_id": "J5PyRh7W"
}
```

Extracted Tags:

  • Prisma Site
  • Prisma Alert Code
  • Prisma Status
  • Prisma Priority
  • Prisma Reason
  • Prisma Extended State
  • Prisma Name
  • Prisma Circuit Labels
  • Prisma Process Name
  • Prisma Event Type
  • Prisma Cleared
  • Prisma Peer IP
  • Prisma Remote IP
  • Prisma Remote Hostname
  • Prisma Interface ID
  • Prisma Parent Interface
  • Prisma VPN Reasons Code (indexed: Code, Code 2-5)
  • Prisma VPN Reasons Element ID (indexed: Element ID, Element ID 2-5)
  • Prisma VPN Reasons Site ID (indexed: Site ID, Site ID 2-5)
  • Prisma VPN Reasons VEP ID (indexed: VEP ID, VEP ID 2-5)
  • Prisma VPN Reasons VPNLink ID (indexed: VPNLink ID, VPNLink ID 2-5)

Authentication Logs

User login, logout, and authentication events.

Example:

```json
{
  "type": "audit",
  "code": "AUTH_LOGIN_SUCCESS",
  "user": "[email protected]",
  "severity": "info"
}
```

Extracted Tags:

  • Prisma Username
  • Prisma Auth Action

Flow Logs

Network flow data including source/destination IPs, ports, and applications.

Example (CSV format):

```text
2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,15,23,1024,2048,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1
```

Extracted Tags:

  • SrcIP / DstIP
  • SrcPort / DstPort
  • Prisma Protocol
  • Prisma Application Name
  • Prisma Flow Event
  • Prisma Flow Direction
  • Prisma Source Interface
  • Prisma Destination Interface
  • Prisma Path ID
  • Prisma ZBFW Rules