>
    Strata Copilot
    Configure Syslog Forwarding for Enterprise DLP
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Configure Syslog Forwarding for Enterprise DLP
    Download PDF
    Enterprise DLP

    Configure Syslog Forwarding for Enterprise DLP

    Table of Contents

    Configure Syslog Forwarding for Enterprise DLP

    Configure one or more Log Forwarding profiles to forward Enterprise Data Loss Prevention (E-DLP) incident and audit syslogs to manage and create workflows.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Prisma Browser
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    Create a Log Forwarding profile to automatically forward Enterprise Data Loss Prevention (E-DLP) incident and audit syslogs to your third-party security information and event management (SIEM), Security Orchestration, and Response (SOAR), or other automated ticketing systems. This enables your SOC Analysts and Incident admins to effectively triage, review, and resolve data security risks that occur in your organization. You can configure a single Log Forwarding profile for multiple enforcement points or you can create a different Log Forwarding profile for each. You can associate the same enforcement channel with multiple Log Forwarding profiles and use multiple Log Forwarding profiles to forward syslogs to the same SIEM, SOAR, or ticketing system.
    While Enterprise DLP supports multiple Log Forwarding profiles for the same SIEM, SOAR, or ticketing system, an incorrectly configured Log Forwarding profile might cause the SIEM, SOAR, or automated ticketing system to terminate the connection with Enterprise DLP when Enterprise DLP attempts to forward a syslog.
    For example, you configure your SOAR to only accept a public certificate. You then create two Log Forwarding profiles —you configure ProfileA with a private certificate and ProfileB with a public certificate. In this case, your SOAR won't accept the connection from Enterprise DLP using ProfileA because it uses a private cert and the connection either times out or is terminated.
    As a result, this connection time-out or termination also terminates the connection for ProfileB and might result in some syslogs not being forwarded.
    Enterprise DLP forwards DLP incident and audit syslogs over a UDP or TCP port, and requires a persistent connection to your SIEM, SOAR, or ticketing system to forward DLP incident and audit syslogs. Enterprise DLP can only forward DLP incident and audit syslogs while successfully connected to your SIEM, SOAR, or ticketing system. Enterprise DLP automatically continues forwarding your Enterprise DLP incident and audit syslogs to your SIEM, SOAR, or ticketing system you restore after connectivity. However, Enterprise DLP can't forward any syslogs generated while Enterprise DLP and your SIEM, SOAR, or ticketing are disconnected.
    Enterprise DLP sends an email to the admin that originally connected Enterprise DLP to your SIEM, SOAR, or ticketing system using the Log Forwarding profile and to the user who last modified the Log Forwarding profile settings. Enterprise DLP sends this email only one time at the time of disconnect. If you update the SIEM, SOAR, or ticketing system connecting settings and Enterprise DLP again losses connectivity, and then, Enterprise DLP sends another email to notify you of the ongoing connectivity issue.
    Enterprise DLP monitors the connectivity status of each syslog server profile you add and can buffer up to 30 days of syslogs per syslog server profile when it loses connectivity to your third-party SIEM, SOAR, or ticketing system connecting settings. When connectivity is restored, Enterprise DLP automatically begins resending the buffered syslogs. This ensures a complete audit trail and continuous security monitoring. Your data security administrators can also configure an email address to receive immediate alerts about any connection failures or restoration.
    Contact Palo Alto Networks Support if the connection between Enterprise DLP and your third-party SIEM, SOAR, or ticketing system is down for 7 days or more. Palo Alto Networks assistance to forward buffered syslogs is required when connectivity is disrupted for 7 days or more.
    It takes 15 minutes for your syslog forwarding configuration to take effect after you add, edit, or delete a Log Forwarding profile, or when you add a Syslog server profile to a Log Forwarding profile.
    Review the syslog field descriptions provided below for more information on what data is included in syslogs forwarded from Enterprise DLP.
    • Incident LEEF and CEF Syslog Field Descriptions
      Field Name
      Description
      cat
      Event category. Always displays data_security.
      facility
      Numeric code (0- 7) which identifies the source of a log message.
      tenant_id
      Your Enterprise DLP tenant ID.
      incident_id
      		Unique DLP incident identifier. All Enterprise DLP incidents are assigned a unique ID.
      report_id
      Report ID for the DLP incident used to view additional Traffic log details regarding the DLP incident.
      channel
      Enforcement channel where DLP incident was generated. Can be NGFW, Prisma Access, or Endpoint DLP.
      created_at
      Time Enterprise DLP generated the incident.
      Format is YYYY-MM-DD-THH:MM:SSUTC
      file_name
      Name of the file containing sensitive data that generated the Enterprise DLP incident.
      usrName
      Name of the user who generated the Enterprise DLP incident.
      action
      Action configured in the data profile (Panorama), DLP Rule, or Endpoint DLP policy rule. Can be Alert or Block.
      source
      Name or ID of the NGFW or Prisma Access, or endpoint where the installed Prisma Access Agent forwarded traffic to Enterprise DLP that generated the incident.
      app_id
      Destination App-ID for traffic that generated an Enterprise DLP incident.
      app_name
      		Name of the destination app for traffic that generated an Enterprise DLP incident.
      peripheral_id
      Product ID of the Endpoint DLP peripheral device that generated the Enterprise DLP incident.
      peripheral_name
      Name of the Endpoint DLP peripheral device that generated the Enterprise DLP incident.
      peripheral_type
      		Type of Endpoint DLP peripheral device that Enterprise DLP incident. Can be USB, Network Share, or Printer.
      policy_name
      Name of the Endpoint DLP policy rule that generated the Enterprise DLP incident.
      policy_type
      Type of Enterprise DLP policy rule that the traffic containing sensitive data is matched.
      profile_name
      The name of the Enterprise DLPdata profile containing the match criteria that the traffic containing sensitive data matched again.
      url
      The transactional URL against which the user generated the Enterprise DLP incident.
      src
      IP address of the source that generated the Enterprise DLP incident.
      dst
      		IP address of the destination that generated the Enterprise DLP incident.
      sev
      Severity of the Enterprise DLP incident. Can be informational, low, medium, high, or critical.
      snippets_url
      API URL to view the snippet of sensitive data that generated the DLP incident.
      data_pattern_results
      Data pattern containing the sensitive data match criteria that the sensitive data matched against.
      notes
      Note added to the Case Management details of the DLP incident.
      status
      Current Case Management status of the DLP incident. Can be New, Open, Under Investigation, or Closed.
      tag
      Custom tag added to the DLP incident case in the Case Management details.
      priority
      Case priority set in the Case Management details. Can be P1, P2, P3, P4, or P5.
      modified_at
      Date and time the DLP incident Case Management details were last modified.
      asset_size
      Size of the asset that generated the DLP incident.
      source_region
      Geographic region where the traffic source for the DLP incident originated.
      panw_data_profiles
      Contains information about the data profiles that matched the sensitive content. Multiple data profiles are separated by a pipe (|).
      Value is a semi-structured string. Contains nested sub-fields with key-value pairs separated with commas (,) and sub-field values separated with colons (:)
      • name—Name of the data profile that was matched.
      • is_parent—Displays true if a nested or granular data profile. Displays false in all other cases.
      panw_data_patterns
      Contains information about the data pattern that matched the sensitive content. Multiple data patterns are separated by a pipe (|).
      Value is a highly structured string. Contains nested sub-fields with key-value pairs separated with commas (,) and sub-field values separated with colons (:)
      • high_confidence_frequency—Total number of High confidence matches.
      • medium_confidence_frequency—Total number of Medium confidence matches.
      • low_confidence_frequency—Total number of Low confidence matches.
      • total_confidence_frequency—Total number of High, Medium, and Low confidence matches.
    • Audit Log LEEF and CEF Syslog Field Descriptions
      Field Name
      Description
      cat
      Event category. Always displays data_security.
      user_id
      Email of the user that made the Enterprise DLP configuration change that generated the audit log.
      audit_id
      Unique ID of the Enterprise DLP audit log.
      object_id
      Unique ID of the Enterprise DLP configuration object that was created, updated, or deleted.
      event
      		Type of configuration change that occurred that generated the Enterprise DLP audit log. Can be Create, Update, or Delete.
      type
      Type of Enterprise DLP configuration object that was created, updated, or deleted that generated the Enterprise DLP audit log.
      tenant_id
      Your Enterprise DLP tenant ID.
      createdAt
      Time Enterprise DLP generated the audit log.
      Format is YYYY-MM-DD-THH:MM:SSUTC
      changed_from
      		 For a Create event, this field displays null.
      For an Update or Delete event, this field displays the original object configuration before the update or deletion.
      changed_to
      New Enterprise DLP configuration object state.
      For a Delete event, this field displays null.
      For a Create or Update event, this field displays the object configuration after creation or update.
    1. Allow the IP addresses required to forward Enterprise DLP incident and audit log syslogs.
    2. Log in to Strata Cloud Manager.
    3. Select ConfigurationData Loss PreventionSettingsLogging Settings.
    4. Add Log Forwarding Profile.
    5. Enter a descriptive Log Forwarding profile Name.
    6. For the Channel, select one or more enforcement channels to which the log forwarding applies.
      Enterprise DLP forwards all DLP incidents or audit syslogs based on the selected channels.
      For example, you select NGFW and Prisma Access. In this case, Enterprise DLP forwards syslogs for all DLP incidents syslogs generated from traffic originating from any NGFW and Prisma Access tenant associated with your Customer Support Portal account that have an active Enterprise DLP license. However, Enterprise DLP does not forward any Endpoint DLP incidents.
      Select at least one of the following options.
      • Supported Channels
        • Audit Log
        • Email DLP
        • Endpoint DLP
        • NGFW
        • Prisma Access
        • Prisma Browser
        • SaaS API (Data Security)
    7. Add a Filter to forward syslogs based on the region where the user generated the Enterprise DLP incident or audit log.
      Enterprise DLP supports multiple filters. Enterprise DLP only forwards syslogs for Channels configured in the Syslog server profile based on the region where the user generated the DLP incident or audit log.
    8. For the Syslog Server Profile, Create New Profile to define the syslog server connection settings.
      Enterprise DLP does not support deleting or editing a Syslog server profile after creation. Be sure you're confident the configuration is correct before you Save the Syslog server profile and attach it to your Log Forwarding profile.
      Repeat this step to add as many Syslog server profiles as needed.
      1. Enter the Syslog Profile Name.
      2. Enter the Syslog Server IP address or Fully Qualified Domain Name (FQDN) server name.
      3. Select and enter the Syslog Port used for forwarding syslogs.
      4. Select the Syslog Facility for syslogs forwarded from Enterprise DLP.
        The syslog facility is a numeric code that a SIEM, SOAR, or ticketing system uses to identify the source of a log message and to categorize log messages. Enterprise DLP supports Log(0) through Log(7). Enterprise DLP supports one syslog facility per Syslog server profile.
      5. Select the Connection Type to define the protocol used for communicating with your syslog server.
        Enterprise DLP supports UDP and TCP ports.
      6. (Optional) Upload the Server CA certificate used to establish trust between Enterprise DLP and your SIEM, SOAR, or ticketing system during Transport Layer Security (TLS) communication.
        Enterprise DLP currently supports Public server Certificate Authority certificates for UDP connections and Public and Private service CA certificates for TCP connections.
        If you select Private for TCP connections, Browse and upload the syslog server Certificate Authority if required for Enterprise DLP to forward syslogs to your SIEM, SOAR, or ticketing system.
        Enterprise DLP does not support TLS/SSL encryption for UDP.
      7. Select the Log Format to forward to your syslog server. You can select LEEF and CEF.
      8. Enter the Recipient email address for alerts.
        This email receives alerts when Enterprise DLP loses connectivity to your SIEM, SOAR, or ticketing system or if Enterprise DLP fails to forward a syslog.
        Enterprise DLP sends an alert to this email when it successfully reconnects to your SIEM, SOAR, or ticketing system.
      9. Click Test Connection to verify you configured your Syslog server profile correctly by confirming Enterprise DLP can successfully communicate with your SIEM, SOAR, or ticketing system.
        Continue if Enterprise DLP returns Connection Successful.
        If Enterprise DLP returns Connection Failed. Enterprise DLP can't connect to your SIEM, SOAR, or ticketing system because you configured the Syslog Server or Syslog Port incorrectly, or you uploaded an invalid private Service CA certificate.
      10. Save the Syslog server profile.
    9. Enable the Log Forwarding profile.
    10. Save.
    11. Configure Enterprise DLP.

    © 2026 Palo Alto Networks, Inc. All rights reserved.