How To Setup Syslog Monitoring Over TLS
Created On 01/14/21 17:27 PM - Last Modified 03/21/22 23:16 PM
Objective
This article walks through how to set up a Syslog monitoring profile over TLS.
When Syslog over TLS is enabled, the firewall serves as the client. The process requires a trusted root CA to sign both the client and the server certificates.
The Syslog server uses the certificate to verify that the firewall is authorized to communicate with the Syslog server.
The Syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed.
Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it into the Syslog server.
Environment
- PAN-OS
- Firewall
- Panorama
- Syslog servers
Procedure
Generate a client certificate
- On the firewall, generate a certificate to be used for client authentication. Note that the CN for this certificate must match the IP address of the firewall's interface set for Syslog connectivity.
- Once the certificate is generated, click on the certificate name to open the properties.
- Check the "Certificate for Secure Syslog" option on the certificate. This marks the certificate to be used for the SSL handshake.
- Click OK.
Create the Syslog profile
- Go to Device > Server Profile > Syslog.
- Click Add.
- Specify a name for the profile.
- Under the Syslog server, enter the FQDN/IP address of the Syslog server.
- For the transport field, select SSL. The port number is automatically populated (the default port is 6514).
- Select the format and facility as required.
- Click OK.
Generate the Syslog certificate
If you are using a self-signed certificate, generate a server certificate signed by the same root CA as the client certificate:
- Go to Device > Certificate.
- Click Generate.
- Specify a name for the certificate.
- For the common name, specify the same FQDN/IP address used in the Syslog profile.
- Specify other attributes as required.
- Click Generate.
- Export this certificate with the private key and import it to the Syslog server.
- Commit your changes.
Additional Information
Monitor the system log for a successful connection or for any errors.
Note: On the Syslog server, set the custom certificate to be used for Syslog SSL authentication.
For more details, visit Configure Syslog monitoring.
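To confirm the server-side requirements before pointing the firewall at a production collector, the following added example (not part of the original article or any vendor tooling) is a one-shot test listener: it refuses clients without a certificate signed by the shared CA and then checks that the certificate CN equals the firewall interface IP. The file arguments, the helper names and the address 192.0.2.10 are assumptions; the files are assumed to be PEM with an unencrypted key.

```python
import socket
import ssl
import sys

SYSLOG_TLS_PORT = 6514  # default port the article gives for the SSL transport

def server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS server context that rejects clients lacking a CA-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # the firewall must present its client cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # root CA shared with the firewall
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # server cert imported on this host
    return ctx

def common_name(peer_cert):
    """Return the subject CN from a dict shaped like SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def firewall_allowed(peer_cert, firewall_ip):
    """True only when the client certificate CN is the expected interface IP."""
    return common_name(peer_cert) == firewall_ip

def serve_once(ctx, firewall_ip, bind="0.0.0.0", port=SYSLOG_TLS_PORT):
    """Accept one connection; return the first syslog data, or None if rejected."""
    with socket.create_server((bind, port)) as listener:
        conn, _ = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                if not firewall_allowed(tls.getpeercert(), firewall_ip):
                    return None  # trusted CA, but CN is not the firewall IP
                return tls.recv(4096).decode("utf-8", "replace")
        except ssl.SSLError:
            return None  # handshake failed: missing or untrusted client cert

# Constructed sample in getpeercert() form; 192.0.2.10 is a documentation address.
SAMPLE_PEER = {"subject": ((("commonName", "192.0.2.10"),),)}

if __name__ == "__main__":
    if len(sys.argv) == 5:  # args: ca.pem server.pem server.key firewall-ip
        ca, cert, key, fw_ip = sys.argv[1:]
        print(serve_once(server_context(ca, cert, key), fw_ip))
    else:
        print("CN check on sample:", firewall_allowed(SAMPLE_PEER, "192.0.2.10"))
```

A return value of None while the firewall system log reports a connection error points at a CA mismatch or a CN that does not match the interface IP.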