I have a flask application that should receive txt/xml logs from a Palo Alto Firewall. How can I receive the traffic logs?
My Python Script: main.py

import flask
from flask import request

# For development!
app = flask.Flask(__name__)


@app.route('/', methods=['GET', 'POST'])
def __index():
    # Request as TEXT/XML
    xml_data = None
    try:
        xml_data = request.form
        print(f"requests.xml_data={xml_data}")
    except Exception as e:
        print(f"Error #2 Could not get request.form data: {e}")

    if xml_data is None:
        raise Exception(f"Error #3 Could not get json data because missing xml_data as post")

    # Flatten
    xml_data_flattern = xml_data.to_dict(flat=True)

    # Log JSON data
    print(f"xml_data={xml_data}")
    print(f"xml_data_flattern={xml_data_flattern}")

    # Finish program
    return {"message": "Finished", "data": ""}


if __name__ == '__main__':
    app.run(debug=False, host="0.0.0.0", port=8080)

Palo Alto:
This is the Device->HTTP->HTTP Server Profile->Servers:
This is the Device->HTTP->HTTP Server Profile->Payload Format for Traffic:
<request><entry><short_description> $type</short_description></entry></request>
From what I gather from your code it seems that you want to read text/xml from the Flask request instead of json.
According to Flask Docs you can retrieve raw data/text by using the function get_data().
In your code you would write xml_data = request.get_data(). You might also want to include the as_text=True parameter. It makes the return value a decoded unicode string.
xml_data = request.get_data(as_text=True)
Please note this warning from the documentation, and please do evaluate if this is relevant to your integrations:
Usually it’s a bad idea to call this method without checking the content length first as a client could send dozens of megabytes or more to cause memory problems on the server.
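
An added example, not part of the original question or answer: one way to act on the documentation warning by checking the declared length before calling get_data(), then parsing the payload format shown in the question. The 64 KiB cap, the names parse_log and receive_log, the SAMPLE value and the refusal of DTDs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from flask import Flask, request, abort

MAX_BODY = 64 * 1024  # assumed cap; size it to your configured payload format
# Constructed sample of the payload format above, with $type already substituted
SAMPLE = ("<request><entry><short_description> TRAFFIC"
          "</short_description></entry></request>")

app = Flask(__name__)
# Second line of defence: Werkzeug refuses to read bodies larger than this
app.config["MAX_CONTENT_LENGTH"] = MAX_BODY


def parse_log(body: str) -> dict:
    """Turn one <request><entry>...</entry></request> document into a dict."""
    # These payloads never need a DTD, so refuse entity declarations outright
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(body)
    entry = root.find("entry")
    if root.tag != "request" or entry is None:
        raise ValueError("unexpected document structure")
    return {child.tag: (child.text or "").strip() for child in entry}


@app.route("/", methods=["POST"])
def receive_log():
    # Check the declared length before buffering anything in memory
    length = request.content_length
    if length is None:
        abort(411)  # no Content-Length header: refuse rather than guess
    if length > MAX_BODY:
        abort(413)
    body = request.get_data(cache=False, as_text=True)
    try:
        fields = parse_log(body)
    except (ValueError, ET.ParseError):
        abort(400)
    app.logger.info("traffic log fields: %s", fields)
    return {"message": "Finished", "fields": fields}


if __name__ == "__main__":
    app.run(debug=False, host="0.0.0.0", port=8080)
```
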