Palo Alto Networks Knowledgebase: How to Forward Threat Logs to Syslog Server

How to Forward Threat Logs to Syslog Server

2275
Created On 09/25/18 17:27 PM - Last Updated 09/25/18 23:10 PM
Threat Intelligence Threat Prevention
Resolution

Forwarding threat logs to a syslog server requires three steps

  1. Create a syslog server profile
  2. Configure the log-forwarding profile to select the threat logs to be forwarded to syslog server
  3. Use the log forwarding profile in the security rules
  4. Commit the changes

 

Note: Informational threat logs also include URL, Data Filtering and WildFire logs.

 

Syslog server profile

Go to Device > Server Profiles > Syslog

  • Name: Name of the syslog server
  • Server : Server IP address where the logs will be forwarded to
  • Port: Default port 514
  • Facility: To be elected from the drop down according to the requirements

syslog server.png

 

Log forwarding profile

Go to Objects > Log forwarding

Create the syslog server profile for forwarding threat logs to the configured server.

log forwarding profile.pngAdd a Log Forwarding Match List to the profile

filter builder.pngadd the syslog server and select a desired (if any) filterfilter builder 2.pngUse the filter builder to add more filtering parameters for logs to be forwarded

 

Once configured, the log forwarding should look like the following

profile list.png

 

Security Rule

Go to Policies > Security Rule

Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.

Go to Actions > Log forwarding and select the log forwarding profile from drop down list.

logforwarding security.png

 

Commit the configuration

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFfCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language