# Collect data from Palo Alto NGFW

{% hint style="info" %}
See the changelog of the **Syslog** Listener [here](https://app.gitbook.com/s/1OZWDcmMPrhfCtF1rMJP/syslog-listener).
{% endhint %}

## Overview

The following article outlines a basic data flow from your **Palo Alto Next-Generation Firewall (NGFW)** to the Onum **Syslog** Listener.

## Prerequisites

If you're using TLS authentication, [contact Onum](https://app.gitbook.com/s/cSjT21I4EUhzghjc1rER/) to get the cert information needed for TLS communication.

## Palo Alto NGFW Setup

Simply enter the required Onum sending address in your firewall configuration.

{% hint style="info" %}
Please note that the form may look different if you are using this Listener in a cloud environment. For more information on this, see the main article on [Collecting data using Syslog](https://docs.onum.com/the-workspace/listeners/listener-integrations/collect-data-using-syslog). The steps will be the same, just make sure to enter the Onum URL in the Palo Alto configuration.
{% endhint %}

## Onum Setup

{% stepper %}
{% step %}
Log in to your Onum tenant and click **Listeners > New listener**.
{% endstep %}

{% step %}
Double-click the **Syslog** Listener.
{% endstep %}

{% step %}
Enter a **Name** for the new Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
Enter the required **Port** and **Protocol** (**TCP** or **UDP**). For cloud-based Onum installations, the **Socket** and **Protocol** sections are not visible (**Port** `443` and **Protocol** `TCP` are used by default). If these sections are visible, enter the required port in the **Port** field.

{% hint style="warning" %}
Note that by default, available TCP ports are 1024 to 10000.
{% endhint %}

While UDP 514 is the standard, some implementations may use TCP 514 or other ports, depending on specific configurations or security requirements. To determine the syslog port value, check the configuration settings of your syslog server or consult the documentation for your specific device or application.
{% endstep %}

{% step %}
Choose the required **Framing Method**, which refers to how characters are handled in log messages sent via the Syslog protocol. Choose between:

* **Auto-Detect** - automatically detect the framing method using the information provided.
* **Non-Transparent Framing (newline)** - the **newline characters** `(\n)` within a log message are **preserved as part of the message content** and are not treated as delimiters or boundaries between separate messages.
* **Non-Transparent Framing (zero)** - refers to the way **zero-byte** characters are handled. Any **null byte** (`\0`) characters that appear within the message body are **preserved as part of the message** and are not treated as delimiters or boundaries between separate messages.
* **Non-Transparent Framing (custom)** - choose this option if you need to use vendor-specific or custom approaches to frame syslog messages rather than the standard framing methods. You must enter the specific character(s) that will mark the end of each syslog message in the **Custom trailer characters** parameter that appears.
* **Octet Counting (message length)** - the Syslog message is preceded by a count of the length of the message in octets (bytes).
  {% endstep %}

{% step %}
In cloud-based Onum installations, the **TLS** configuration section is not visible. In these setups, Onum automatically manages **TLS** certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain**. Learn how to generate these self-signed certificates in [this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation). Once you have them, click **New secret** in each field and add the corresponding values.

**Now there are two possible scenarios:**

If you didn't enter your **TLS** certificates, when you click **Create listener** you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. Here you will download the certificate (see the [steps after creation to do this](#download-certificate)).

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

If you entered the **TLS** certificates, you'll go directly to the Labels when you eventually click **Create listener**.
{% endstep %}

{% step %}
The TLS credentials are saved in Onum as Secrets. In the TLS form, click **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value**.
* Click **Save**.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FlUo7CuVpPgIVm5VNjLw6%2Fnenenew.png?alt=media&#x26;token=eb7a7231-0ac2-4099-93f9-18f9ead5add1" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FTSD53FxGQOjijA3W3DhE%2Fimage.png?alt=media&#x26;token=9941a3c0-100a-4759-b603-30079fbc90de" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.
{% endstep %}

{% step %}
Finally, click **Create labels**. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as **Unlabeled**. Click **Create listener** when you're done.

{% hint style="info" %}
Learn more about labels in [this article](https://docs.onum.com/the-workspace/listeners/labels).
{% endhint %}
{% endstep %}
{% endstepper %}
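
The **Octet Counting** and custom-trailer options in the **Framing Method** step differ in what happens when a message body contains the trailer character. The following is an added example, not Onum or Palo Alto code: the function names, the `MAX_MSG_LEN` cap and the sample messages are assumptions constructed for illustration.

```python
"""Added example: de-framing a TCP syslog byte stream (illustrative only)."""
from typing import List, Tuple

MAX_MSG_LEN = 8192  # assumed cap; rejects absurd length prefixes early


def split_octet_counted(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Octet counting: frames are b'<LEN> <MSG>', LEN = byte length of MSG.

    Returns the complete messages and the unconsumed tail (a partial frame).
    """
    msgs: List[bytes] = []
    while buf:
        head, sep, rest = buf.partition(b" ")
        if not head.isdigit() or head.startswith(b"0"):
            raise ValueError(f"invalid length prefix: {head[:16]!r}")
        n = int(head)
        if n > MAX_MSG_LEN:
            raise ValueError(f"declared length {n} exceeds cap")
        if not sep or len(rest) < n:
            break  # frame incomplete: wait for more bytes from the socket
        msgs.append(rest[:n])
        buf = rest[n:]
    return msgs, buf


def split_on_trailer(buf: bytes, trailer: bytes) -> Tuple[List[bytes], bytes]:
    """Trailer framing: every message ends at `trailer` (not kept in the message)."""
    *msgs, tail = buf.split(trailer)
    return msgs, tail


def octet_frame(msg: bytes) -> bytes:
    """Sender side of octet counting: prefix the message with its byte length."""
    return str(len(msg)).encode() + b" " + msg


# Constructed sample messages (not real firewall output); M2 has a newline in its body.
M1 = b"<14>Jan  1 00:00:00 fw01 TRAFFIC action=allow"
M2 = b"<14>Jan  1 00:00:01 fw01 SYSTEM desc=line one\nline two"


def demo() -> Tuple[List[bytes], List[bytes]]:
    by_count, _ = split_octet_counted(octet_frame(M1) + octet_frame(M2))
    by_trailer, _ = split_on_trailer(M1 + b"\n" + M2 + b"\n", b"\n")
    return by_count, by_trailer


if __name__ == "__main__":
    counted, trailed = demo()
    print(len(counted), "messages with octet counting")
    print(len(trailed), "messages with a newline trailer")
```

With octet counting the two messages arrive intact; with a newline trailer the second message is cut at its embedded newline and its remainder arrives as a separate record with no syslog header.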

