How to Forward Custom URL Logs to a Syslog Server

Created On 09/25/18 19:38 PM - Last Modified 06/08/23 02:58 AM

Resolution

Details

In order to forward URL logs, it is necessary to forward Threat logs of severity 'informational' to the Syslog server. Doing so will also forward the other informational threat logs (Data Filtering) in addition to the URL logs.

Please refer to the following document for more information on how to configure URL log forwarding to Syslog: How to Forward Threat Logs to Syslog Server

By default, when threat logs are forwarded to a Syslog server, each log carries several fields, including the source IP, the destination IP and many others, among them the URL.

To create a custom syslog format that includes the URLs in the logs, add the "$misc" field to the format, as shown below.

[Screenshot: custom syslog format with the $category, $misc and $src fields selected]

In the above example, the fields $category (category of the URL), $misc (URL) and $src (source IP) are selected, and the resulting syslog message looks like this:

[Screenshot: resulting syslog message]

URL Filtering and Data Filtering use the 'Informational' severity for threats.
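The following added example (not part of the original article) simulates both ends of this setup: the firewall side renders a custom syslog format by substituting the $-fields, and the receiver side parses the lines and keeps only URL Filtering entries, since Data Filtering logs share the 'informational' severity and arrive on the same channel. $category, $misc and $src come from the article; $receive_time, $dst, $subtype, $severity and $action are assumed PAN-OS field names, and the log records are constructed.

```python
import re
from string import Template

# Constructed sample threat log records (not from the article). $category, $misc
# and $src appear on the page; the remaining field names are assumptions.
SAMPLE_RECORDS = [
    {"receive_time": "2018/09/25 19:38:00", "src": "10.1.1.5", "dst": "203.0.113.10",
     "subtype": "url", "severity": "informational", "category": "social-networking",
     "action": "alert", "misc": "example.com/path?a=1,b=2"},
    {"receive_time": "2018/09/25 19:38:02", "src": "10.1.1.7", "dst": "198.51.100.4",
     "subtype": "data", "severity": "informational", "category": "any",
     "action": "alert", "misc": "report.xlsx"},
    {"receive_time": "2018/09/25 19:38:05", "src": "10.1.1.9", "dst": "198.51.100.9",
     "subtype": "vulnerability", "severity": "high", "category": "code-execution",
     "action": "reset-both", "misc": ""},
]

# $misc (the URL) goes last so that a comma inside a URL cannot shift later fields.
CUSTOM_FORMAT = "$receive_time,$src,$dst,$subtype,$severity,$category,$action,$misc"

# Field order the receiver expects, derived from the same format string.
FIELD_NAMES = re.findall(r"\$(\w+)", CUSTOM_FORMAT)


def forward(records, fmt=CUSTOM_FORMAT, severities=("informational",)):
    """Firewall side: apply the severity filter of the log forwarding profile
    and render every matching record with the custom format."""
    return [Template(fmt).substitute(r) for r in records if r["severity"] in severities]


def parse(line, field_names=FIELD_NAMES):
    """Receiver side: split a forwarded line back into named fields. The last
    field absorbs any extra commas, which is why $misc sits at the end."""
    values = line.split(",", len(field_names) - 1)
    if len(values) != len(field_names):
        raise ValueError(f"expected {len(field_names)} fields, got {len(values)}")
    return dict(zip(field_names, values))


def url_logs(lines):
    """Keep only URL Filtering entries (subtype 'url'); Data Filtering entries
    are forwarded too because they share the 'informational' severity."""
    parsed = (parse(line) for line in lines)
    return [(p["src"], p["category"], p["misc"]) for p in parsed if p["subtype"] == "url"]


if __name__ == "__main__":
    sent = forward(SAMPLE_RECORDS)
    print("\n".join(sent))
    print(url_logs(sent))
```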

Configure the forwarding settings here. This setting covers forwarding not only to Syslog, but also to Panorama, SNMP Trap, or Email.

The following example configures forwarding of email alerts:

[Screenshot: log forwarding settings configured for email alerts]

owner: sdurga