This document is for customers who use Panorama for log collection and want to forward logs to a third-party Syslog Server or SIEM system from Panorama. The alternative is to forward logs via syslog from each firewall individually.
This scenario assumes logging has been configured on the firewalls to forward to Panorama, and that Panorama is receiving the traffic, threat, and system logs as configured. If the firewalls have not been configured to forward logs to Panorama, please refer to the following document: How to Create a Profile to Forward Logs to Panorama
1. To create a Syslog Server Profile, go to Panorama > Server Profiles > Syslog and click Add.
2. Assign the Syslog Server Profile:
For Panorama running as a virtual machine, assign the Syslog Server Profile to the various log types through Panorama > Log Settings > Traffic > Device Log Settings - Traffic > Syslog. Each log type can be configured individually. After defining Syslog Server Profiles, designate the corresponding log types.
For an M-100, assign the Syslog Server Profile to the various log types through Panorama > Collector Groups > Collector Group > Collector Log Forwarding > Traffic > Syslog.
Optionally, multiple collectors can be added under "Collector Group Members".
By default, the local Log Collector on the primary Panorama is pre-assigned to the default Collector Group.
3. Perform a "Panorama" commit followed by a "Log collector" commit.
NOTE: On the current version of PAN-OS, PA-7000 Series devices do not forward logs to Panorama; these devices would need to be configured to send syslog via their Log interface.