Forward Logs from the Logging Service to a Syslog Server
Learn how to use the Log Forwarding app to forward logs from the Logging Service to a Syslog server.
To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure the Log Forwarding app to forward all logs or a subset of logs to a Syslog receiver. The Log Forwarding app uses the IETF Syslog message format defined in RFC 5425 to forward logs. For each instance of the Logging Service, you can deploy one instance of the Log Forwarding app and forward logs to ten Syslog destinations.
The communication between the Log Forwarding app and the Syslog destination uses Syslog over TLS, and upon connection the Log Forwarding app validates that the Syslog receiver has a certificate signed by a trusted root CA. To complete the SSL handshake and establish the connection, the Syslog receiver must present all the certificates in the chain of trust.
The Log Forwarding app does not support self-signed certificates.
- Enable communication between the Log Forwarding app and your Syslog receiver. Ensure that your Syslog receiver can connect to the Log Forwarding app and can present a valid CA certificate to complete the connection request.
- Allow an inbound TLS feed to your Syslog receiver from the following IP address ranges:
- US: 18.104.22.168/24
- EU: 22.214.171.124/24
- Obtain a certificate from a well-known, public CA and install it on your Syslog receiver. Because the Log Forwarding app validates the server certificate to establish a connection, you must verify that the Syslog receiver is configured to properly send the SSL certificate chain to the Log Forwarding app. If the app cannot verify that the certificate of the receiver and all CAs in the chain are trustworthy, the connection cannot be established. See List of Trusted Certificates for the Log Forwarding App.
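Before you create the profile, it helps to confirm from the outside that the receiver's TLS port presents a complete, publicly trusted chain and not a self-signed or leaf-only certificate. The following is an added example built on `openssl s_client`, not Palo Alto Networks tooling; the receiver host name and the port 6514 default are assumptions, and `diagnose_chain` reads `s_client -showcerts` output (live, or a saved capture) and maps OpenSSL's verify return code onto the requirements listed above.

```shell
#!/bin/sh
# Hypothetical helper: classify an `openssl s_client -showcerts` transcript read from stdin.
# Prints one verdict line describing whether the receiver meets the chain-of-trust requirement.
diagnose_chain() {
    out=$(cat)
    # Number of certificates the receiver sent (leaf plus any intermediates)
    certs=$(printf '%s\n' "$out" | grep -c -- '-----BEGIN CERTIFICATE-----')
    # OpenSSL's X509 verify result, e.g. "    Verify return code: 21 (unable to verify the first certificate)"
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    case "$code" in
        0)     echo "OK: chain verified against the local trust store, $certs certificate(s) presented" ;;
        18|19) echo "SELF_SIGNED: receiver uses a self-signed certificate, which the app does not support" ;;
        20|21) echo "INCOMPLETE_CHAIN: $certs certificate(s) presented but the issuer is missing; install the full CA chain on the receiver" ;;
        10)    echo "EXPIRED: receiver certificate has expired; renew it before enabling forwarding" ;;
        62)    echo "HOSTNAME_MISMATCH: certificate does not match the FQDN you will enter in the profile" ;;
        "")    echo "NO_TLS: no verify result (port closed, plain TCP syslog, or the inbound feed is blocked)" ;;
        *)     echo "VERIFY_FAILED: openssl verify return code $code" ;;
    esac
}

# Live check against a receiver. Run it from a host that trusts the same public CAs the app does.
# Usage: check_receiver syslog.example.net [6514]   (host and port are assumptions)
check_receiver() {
    host=$1
    port=${2:-6514}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null | diagnose_chain
}
```

A verdict other than `OK` means the Log Forwarding app will also refuse the connection, so fix the receiver's certificate chain before saving the Syslog profile.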
- Sign In to the Cloud Services Portal at https://apps.paloaltonetworks.com/.
- Select the Log Forwarding app instance that you want to configure for Syslog forwarding. If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and then select an instance from the list of available instances.
- Select Syslog and then Add to add a new Syslog Forwarding profile.
- Enter a descriptive Name for the profile.
- Enter the Syslog Server IPv4 address or FQDN.
- Enter the Port on which the Syslog server is listening. The default port for Syslog messages over TLS is 6514.
- Select the Facility. Choose one of the Syslog standard values. The value maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424 (IETF format).
- To receive a Status Notification when the Log Forwarding app is unable to connect to the Syslog server, enter the email address at which you’d like to receive the notification. These notifications describe the error impacting communication between the Log Forwarding app and the Syslog server, so that you can take the appropriate steps to restore Syslog connectivity. Step 12 in this workflow gives you the option to enable the Log Forwarding app to default to email forwarding if it is unable to connect to any Syslog servers.
- Select the logs you want to forward. You can specify the log vendor and log types, and either define a custom filter or use the predefined filters to forward the log types that are most important to you.
- Add to select the Log Vendor. The log vendors are the sources that generated the logs, such as Firewall or Traps.
- Select the Log Type. You can only select one log subtype at a time.
- (Optional) Use the Filter to forward only the logs that are most critical to you. For each log type, you can set the Filter to your custom needs or use the predefined options. With the Predefined filter, you can opt to Send GlobalProtect Cloud Service firewall logs only. Use this option if you are using the GlobalProtect cloud service to secure your remote networks or mobile users, and want to forward only the logs generated by the firewalls that belong to this service.
- Save your changes.
- Add other log types that you’d like to forward.
- Save your changes.
- (Optional) Select this option if you want to Continue forwarding logs via email if syslog forwarding is unavailable. The Log Forwarding app prioritizes Syslog forwarding. Therefore, even when you have configured email forwarding profile(s), when it is unable to establish a connection to a Syslog server that you have defined, it completely stops forwarding logs and queues the logs. When you select this option, the Log Forwarding app continues with email forwarding when it is unable to connect to any Syslog servers defined in your profiles, instead of queueing the logs, so that you still receive notifications at an external destination. When Syslog connectivity is restored, the app resumes forwarding new logs stored in the Logging Service.
- Verify that the Log Forwarding app instance reports Status as Running. If you need to stop forwarding logs, select Settings on the Cloud Services Portal, hover over the app instance and click Stop. This allows you to temporarily suspend log forwarding, but your configuration is retained and you can Resume log forwarding again. When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.
- Verify that you can view logs on the Syslog receiver.