Configure Syslog Monitoring

Where Can I Use This?
  • NGFW
What Do I Need?
  • For Strata Cloud Manager managed NGFWs: Strata Cloud Manager Pro
To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over TLSv1.2.
For CEF-formatted syslog event collection, you must edit the default syslog configuration; the default syslog monitoring configuration does not support CEF syslog event collection.

Configure Syslog Monitoring (PAN-OS)

Configure syslog monitoring in PAN-OS.
  1. Configure a Syslog server profile.
    You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
    1. Select Device > Server Profiles > Syslog.
    2. Click Add and enter a Name for the profile.
    3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
    4. For each syslog server, click Add and enter the information that the firewall requires to connect to it:
      • Name—Unique name for the server profile.
      • Syslog Server—IP address or fully qualified domain name (FQDN) of the syslog server.
        If you configure an FQDN and use UDP transport, and the firewall cannot resolve the FQDN, the firewall uses the existing (previously resolved) IP address for the FQDN as the Syslog Server address.
      • Transport—Select TCP, UDP, or SSL (TLS) as the protocol for communicating with the syslog server. For SSL, the firewall supports only TLSv1.2.
      • Port—The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
      • Format—Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL/TLS.
      • Facility—Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
    5. (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
    6. Click OK to save the server profile.
  2. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
    1. Configure the firewall to forward logs. For more information, see Create a Log Forwarding profile.
      1. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
      2. For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK.
    2. Assign the log forwarding profile to a security policy to trigger log generation and forwarding. For more information, see Assign the Log Forwarding profile to policy rules and network zones.
      1. Select Policies > Security and select a policy rule.
      2. Select the Actions tab and select the Log Forwarding profile you created.
      3. For Traffic logs, select one or both of the Log at Session Start and Log At Session End check boxes, and click OK.
      For detailed information about configuring a log forwarding profile and assigning the profile to a policy rule, see configure-log-forwarding.html#tabs-id1443a62b-8a0b-41db-a08d-5df934bf0ffc_id1443a62b-8a0b-41db-a08d-5df934bf0ffc.
  3. Create a certificate to secure syslog communication over TLSv1.2.
    Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.
    Ensure the following conditions are met:
    • The private key must be available on the sending firewall; the keys can’t reside on a Hardware Security Module (HSM).
    • The subject and the issuer for the certificate must not be identical.
    • The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it in to the syslog server.
    • The connection to a Syslog server over TLS is validated using the Online Certificate Status Protocol (OCSP) or using Certificate Revocation Lists (CRL) so long as each certificate in the trust chain specifies one or both of these extensions. However, you cannot bypass OCSP or CRL failures so you must ensure that the certificate chain is valid and that you can verify each certificate using OCSP or CRL.
    1. Select Device > Certificate Management > Certificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later). Select Generate.
    2. Enter a Name for the certificate.
    3. In the Common Name field, enter the IP address of the firewall sending logs to the syslog server.
    4. In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
      The certificate can’t be a Certificate Authority or an External Authority (certificate signing request [CSR]).
    5. Click Generate. The firewall generates the certificate and key pair.
    6. Click the certificate Name to edit it, select the Certificate for Secure Syslog check box, and click OK.
  4. (Optional) Configure the firewall to terminate the connection to the syslog server upon FQDN refresh.
    When you configure a syslog server profile using an FQDN, by default the firewall keeps its existing connection to the syslog server even when the FQDN resolution changes.
    For example, suppose you have replaced an existing syslog server with a new one that uses a different FQDN. If you want the firewall to connect to the new syslog server under the new FQDN, you can configure the firewall to automatically terminate its connection to the old syslog server and establish a connection to the new syslog server using the new FQDN.
    1. Configure the firewall to terminate the connection to the syslog server upon FQDN refresh.
      admin> set syslogng fqdn-refresh yes

Configure Syslog Monitoring (SCM)

Configure syslog monitoring for Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Objects > Log Forwarding > Syslog Server Profile and select the Configuration Scope where you want to create the Syslog server profile.
    You can select a folder or firewall from your Folders or select Snippets to configure the Syslog server profile in a snippet.
  3. Add Syslog.
  4. Configure the Syslog server profile.
    1. Enter a descriptive Name.
    2. Add a syslog server.
      You can add multiple syslog servers to a single Syslog server profile.
      • Name—Unique name for the syslog server.
      • Syslog Server—IP address or fully qualified domain name (FQDN) of the syslog server.
        If you configure an FQDN and use UDP transport, and the firewall can’t resolve the FQDN, the firewall uses the existing (previously resolved) IP address for the FQDN as the Syslog Server address.
      • Transport—Select TCP or UDP as the protocol for communicating with the syslog server.
      • Port—The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
      • Format—Select the syslog message format to use: BSD (default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP.
      • Facility—Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
    3. (Optional) Create a custom log/event format.
      To customize the format of the syslog messages the firewall sends, select the Custom Log Format tab.
    4. Save.
  5. Configure syslog forwarding.
    1. Select Manage > Configuration > NGFW and Prisma Access > Objects > Log Forwarding > Log Forwarding Profile and select the Configuration Scope where you want to create the Log Forwarding profile.
      You can select a folder or firewall from your Folders or select Snippets to configure the Log Forwarding profile in a snippet.
    2. Add Log Forwarding Profile.
    3. Enter a descriptive Name.
    4. Add the profile match list for the Log Forwarding profile.
      A match list profile specifies the log query filter, forwarding destinations, and automatic actions to take. Multiple profile match lists can be added to the same Log Forwarding profile to allow you to add different profile match lists for different log types in the same Log Forwarding profile.
      1. Enter a descriptive Name.
      2. Select the Log Type.
        Only one log type can be added per profile match list.
      3. (Optional) Configure the log query Filter. Default is All Logs.
      4. Add the Syslog Profile you created in the previous step.
      5. Save.
      6. Repeat this step for all the log types that you want to forward to your syslog server.
    5. Save.
  6. Modify the log forwarding settings for the policy rule.
    • Security Policy—In the Actions tab, under Log Settings, select the Log Forwarding profile you created for external log forwarding.
    • Decryption—In the Log Settings, select the Log Forwarding profile you created for external log forwarding.
    • DoS Protection—Expand the Advanced Settings and select the Log Forwarding profile you created.
    • Authentication—In the Log Settings, select the Log Forwarding profile you created.
  7. Push Config to push your configuration changes.
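The Format and Facility settings in the server profile (step 1 of the PAN-OS procedure and step 4 of the SCM procedure) decide what the collector has to parse: the PRI prefix is facility × 8 + severity, and BSD (RFC 3164) and IETF (RFC 5424) headers differ in shape. The following is an added example, not Palo Alto Networks code, showing how a collector can compute the expected PRI and classify incoming lines; the two sample messages and the host name fw-edge-01 are constructed for illustration.

```python
import re

# Standard syslog facility codes (RFC 5424 section 6.2.1); LOG_USER is the
# profile default. Severity names are indexed by their numeric code 0-7.
FACILITY = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
            "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
            "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
            **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD (RFC 3164) header: <PRI>Mmm dd hh:mm:ss host message
BSD_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# IETF (RFC 5424) header: <PRI>1 timestamp host app procid msgid sd message
IETF_RE = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$")


def pri(facility_name, severity):
    """PRI the firewall writes for a given Facility setting and severity."""
    return FACILITY[facility_name] * 8 + severity


def parse(line):
    """Classify a received line as BSD or IETF and decode its PRI field.
    Returns None for lines that match neither format (misconfigured sender)."""
    m = IETF_RE.match(line)
    if m:
        fac, sev = divmod(int(m.group(1)), 8)
        return {"format": "IETF", "facility": fac, "severity": SEVERITY[sev],
                "timestamp": m.group(2), "host": m.group(3),
                "app": m.group(4), "msg": m.group(8)}
    m = BSD_RE.match(line)
    if m:
        fac, sev = divmod(int(m.group(1)), 8)
        return {"format": "BSD", "facility": fac, "severity": SEVERITY[sev],
                "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}
    return None


# Constructed sample lines (not real firewall output): a BSD-format TRAFFIC
# log at LOG_USER/info (PRI 14) and an IETF-format THREAT log from a profile
# set to LOG_LOCAL3, sent at warning severity (PRI 19*8+4 = 156).
SAMPLES = [
    "<14>Mar  4 10:22:01 fw-edge-01 1,2024/03/04 10:22:01,001234,TRAFFIC,end,...",
    "<156>1 2024-03-04T10:22:03Z fw-edge-01 - - - - 1,2024/03/04 10:22:03,001234,THREAT,vulnerability,...",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```

A line that returns None usually means the sender's Format or Transport setting does not match what the collector expects, which is worth alerting on rather than silently dropping.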