Forward Logs from the Logging Service to a Syslog Server

Learn how to use the Log Forwarding app to forward logs from the Logging Service to a Syslog server.
To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure the Log Forwarding app to forward all logs or a subset of logs to a Syslog receiver. The Log Forwarding app uses the IETF Syslog message format defined in RFC 5425 to forward logs. For each instance of the Logging Service, you can deploy one instance of the Log Forwarding app and forward logs to up to ten Syslog destinations.
The communication between the Log Forwarding app and the Syslog destination uses Syslog over TLS, and upon connection the Log Forwarding app validates that the Syslog receiver has a certificate signed by a trusted root CA. To complete the SSL handshake and establish the connection, the Syslog receiver must present all the certificates in the chain of trust.
The Log Forwarding app does not support self-signed certificates.
  1. Enable communication between the Log Forwarding app and your Syslog receiver. 
    Ensure that your Syslog receiver can connect to the Log Forwarding app and can present a valid CA certificate to complete the connection request.
    • Allow an inbound TLS feed to your Syslog receiver from the following IP address ranges:
      • US: 65.154.226.0/24
      • EU: 154.59.126.0/24
    • Obtain a certificate from a well-known, public CA and install it on your Syslog receiver.
      Because the Log Forwarding app validates the server certificate to establish a connection, you must verify that the Syslog receiver is configured to properly send the SSL certificate chain to the Log Forwarding app. If the app cannot verify that the certificate of the receiver and all CAs in the chain are trustworthy, the connection cannot be established. See List of Trusted Certificates for the Log Forwarding App.
  2. Sign In to the Cloud Services Portal at https://apps.paloaltonetworks.com/.
  3. Select the Log Forwarding app instance that you want to configure for Syslog forwarding.
    If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and then select an instance from the list of available instances.
  4. Select Syslog and then Add to add a new Syslog Forwarding profile.
  5. Enter a descriptive Name for the profile.
  6. Enter the Syslog Server IPv4 address or FQDN.
  7. Enter the Port on which the Syslog server is listening.
    The default port for Syslog messages over TLS is 6514.
  8. Select the Facility.
    Choose one of the Syslog standard values. The value maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424 (IETF format).
  9. To receive a Status Notification when the Log Forwarding app is unable to connect to the Syslog server, enter the email address at which you’d like to receive the notification.
    These notifications describe the error impacting communication between the Log Forwarding app and the Syslog server, so that you can take the appropriate steps to restore Syslog connectivity.
    Step 12 in this workflow gives you the option to enable the Log Forwarding app to default to email forwarding if it is unable to connect to any Syslog servers.
  10. Select the logs you want to forward.
    You can specify the log vendor, log types and either define a custom filter or use the predefined filters to forward the log types that are most important to you.
    1. Select Add, and then select the Log Vendor.
      The log vendors are the sources that generated the logs, such as Firewall or Traps.
    2. Select the Log Type.
      You can only select one log subtype at a time.
    3. (Optional) Use the Filter to forward only the logs that are most critical to you.
      For each log type, you can set the Filter to your custom needs or use the predefined options.
      With the Predefined filter, you can opt to Send GlobalProtect Cloud Service firewall logs only. Use this option if you are using the GlobalProtect cloud service to secure your remote networks or mobile users, and want to forward logs generated by the firewalls that belong to this service only.
      For details on the filtering options, refer to the Syslog field descriptions for PAN-OS 8.1 and for the Traps management service.
    4. Save your changes.
    5. Add other log types that you’d like to forward.
  11. Save your changes.
  12. Decide if you want to Continue forwarding logs via email if syslog forwarding is unavailable.
    The Log Forwarding app prioritizes Syslog forwarding. Therefore, even when you have configured one or more email forwarding profiles, if the app is unable to establish a connection to a Syslog server that you have defined, it stops forwarding logs entirely and queues them. When you select this option, the app instead continues with email forwarding whenever it cannot connect to any of the Syslog servers defined in your profiles, so that you still receive notifications at an external destination. When Syslog connectivity is restored, the app resumes forwarding the new logs stored in the Logging Service.
    To ensure that you do not lose logs, make sure to set up email log forwarding before you enable this option. See Forward Logs from the Logging Service to an Email Server.
  13. Verify that the Log Forwarding app instance reports Status as Running.
    If you need to stop forwarding logs, select Settings on the Cloud Services Portal, hover over the app instance, and click Stop. This temporarily suspends log forwarding; your configuration is retained and you can Resume log forwarding later. When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.
  14. Verify that you can view logs on the Syslog receiver.
    For detailed information about the log format, refer to the Syslog field descriptions. Regardless of whether the firewalls are running PAN-OS 8.0 or 8.1, the log format on the Syslog receiver matches the PAN-OS 8.1 format.
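As an added example that is not part of this documentation or of the Log Forwarding app, the following Python script gives the receiver side of steps 1 and 14: a handshake check that behaves like the app (default public-CA trust store, full chain required) and a parser for RFC 5425 octet-counted frames carrying RFC 5424 messages that decodes the facility chosen in step 8. The host, port 6514 and the sample messages are assumptions, and the sample frames are constructed rather than captured from a firewall.

```python
"""Receiver-side checks for the Syslog-over-TLS feed set up above (added example,
not Log Forwarding app or PAN-OS code). Assumes a receiver on TCP 6514 and RFC 5425
octet-counting ("MSG-LEN SP MSG") around RFC 5424 messages; samples are constructed."""
import re, socket, ssl
from typing import Dict, List, Optional
# RFC 5424: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# (simplified SD: an escaped ']' inside a PARAM-VALUE is not handled)
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)

def receiver_presents_valid_chain(host: str, port: int = 6514) -> Optional[str]:
    """Handshake as the app does: default (public CA) trust store plus hostname check.
    Returns the leaf CN, or None if it fails (self-signed, missing intermediate, ...)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return subject.get("commonName")
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None

def frame(message: str) -> bytes:
    """RFC 5425 octet-counting: decimal byte length, one space, then the message."""
    body = message.encode("utf-8")
    return b"%d %s" % (len(body), body)

def parse_rfc5425_stream(data: bytes) -> List[Dict[str, object]]:
    """Split frames; decode PRI into facility (step 8's value) and severity."""
    out, pos = [], 0
    while pos < len(data):
        sp = data.index(b" ", pos)
        length = int(data[pos:sp])
        body = data[sp + 1:sp + 1 + length]
        if len(body) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        pos = sp + 1 + length
        m = _HEADER.match(body.decode("utf-8"))
        if not m:
            raise ValueError("not an RFC 5424 message: %r" % body[:40])
        pri = int(m["pri"])  # PRI = facility * 8 + severity
        out.append({"facility": pri >> 3, "severity": pri & 7, "timestamp": m["ts"],
                    "hostname": m["host"], "app": m["app"], "msgid": m["msgid"],
                    "msg": m["msg"]})
    return out

# Constructed sample, two frames in one TCP read: PRI 14 = user(1)/info(6), PRI 84 = authpriv(10)/warning(4)
SAMPLE = (frame("<14>1 2024-05-01T12:00:00Z fw1 panos - TRAFFIC - allowed flow")
          + frame("<84>1 2024-05-01T12:00:01Z fw1 panos - THREAT - blocked [sig]"))
```

Run `receiver_presents_valid_chain("syslog.example.net")` from a host inside the allowed IP ranges to reproduce the app's view of your certificate chain before enabling the profile.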
