Threat logs are visible on the GUI but not forwarded to the Syslog Server
Created On 05/24/21 07:59 AM - Last Modified 02/28/23 21:11 PM
Symptom
- Security Policy configured with Security Profile
- Threat events are showing under Threat Logs
- Same events/logs are not forwarded to the configured Syslog server
Environment
- Palo Alto Firewalls.
- PAN-OS 9.0 and higher.
- Security profiles configured.
Cause
- Not all threat logs are generated by traffic matching security policies (and their corresponding security profiles).
- Example: The "scan" logs are generated by the configured zone protection profile.
Resolution
To ensure that all the threat logs are forwarded, the following settings must be configured:
- A log forwarding profile that forwards the threat logs generated by traffic matching the security policies. This is configured under GUI: Objects > Log Forwarding
- A reference to the same log forwarding profile under each network zone that is configured with a zone protection profile. This is configured under GUI: Network > Zones > (ZoneName) > Log Setting
- Commit the changes. All threat logs will now be forwarded.
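To find zones that still have this gap, the following added example (not part of the original article) audits an exported configuration for zones that have a zone protection profile but no log setting, or a different one than the expected log forwarding profile. The element names `zone-protection-profile` and `log-setting` under each zone's `network` node are assumed from the PAN-OS XML configuration layout, and the sample configuration, zone names and profile names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling an exported PAN-OS configuration (not from the article).
# Element names under <zone> are an assumption about the XML config layout.
SAMPLE_CONFIG = """\
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="untrust">
        <network>
          <layer3><member>ethernet1/1</member></layer3>
          <zone-protection-profile>zpp-edge</zone-protection-profile>
        </network>
      </entry>
      <entry name="dmz">
        <network>
          <zone-protection-profile>zpp-edge</zone-protection-profile>
          <log-setting>lfp-other</log-setting>
        </network>
      </entry>
      <entry name="trust">
        <network>
          <zone-protection-profile>zpp-internal</zone-protection-profile>
          <log-setting>lfp-syslog</log-setting>
        </network>
      </entry>
      <entry name="mgmt-net"><network><layer3/></network></entry>
    </zone>
  </entry></vsys></entry></devices>
</config>
"""

def audit_zone_log_settings(config_xml, expected_profile):
    """Return (zone, protection_profile, log_setting) for each zone whose
    zone-protection threat logs would not use the expected forwarding profile."""
    root = ET.fromstring(config_xml)
    findings = []
    for zone in root.iter("zone"):
        for entry in zone.findall("entry"):
            zpp = entry.findtext("network/zone-protection-profile")
            if not zpp:
                continue  # no zone protection profile, so no zone-generated threat logs
            log_setting = entry.findtext("network/log-setting")
            if log_setting != expected_profile:
                findings.append((entry.get("name"), zpp, log_setting))
    return findings

if __name__ == "__main__":
    for name, zpp, ls in audit_zone_log_settings(SAMPLE_CONFIG, "lfp-syslog"):
        print(f"zone {name}: zone protection '{zpp}', log setting {ls or 'NOT SET'}")
```

Each zone it reports needs its Log Setting pointed at the log forwarding profile before the commit.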