Configure Syslog Forwarding for Enterprise DLP
Focus
Focus
Enterprise DLP

Configure Syslog Forwarding for Enterprise DLP

Table of Contents

Configure Syslog Forwarding for Enterprise DLP

Configure Log Forwarding profiles to forward Enterprise Data Loss Prevention (E-DLP) incident and audit syslogs to your SIEM, SOAR, or ticketing system.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Prisma Browser
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Create a Log Forwarding profile to automatically forward Enterprise Data Loss Prevention (E-DLP) incident and audit syslogs to your third-party security information and event management (SIEM), security orchestration, automation, and response (SOAR), or other automated ticketing systems. This enables your SOC analysts and incident admins to effectively triage, review, and resolve data security risks in your organization. You can configure a single Log Forwarding profile for multiple enforcement points or create a different Log Forwarding profile for each. You can associate the same enforcement channel with multiple Log Forwarding profiles and use multiple Log Forwarding profiles to forward syslogs to the same SIEM, SOAR, or ticketing system.
While Enterprise DLP supports multiple Log Forwarding profiles for the same SIEM, SOAR, or ticketing system, an incorrectly configured Log Forwarding profile might cause the SIEM, SOAR, or automated ticketing system to terminate the connection with Enterprise DLP when Enterprise DLP attempts to forward a syslog.
For example, you configure your SOAR to only accept a public certificate. You then create two Log Forwarding profiles—you configure ProfileA with a private certificate and ProfileB with a public certificate. In this case, your SOAR won't accept the connection from Enterprise DLP using ProfileA because it uses a private cert and the connection either times out or terminates.
As a result, this connection time-out or termination also terminates the connection for ProfileB and might prevent some syslogs from forwarding.
Enterprise DLP forwards DLP incident and audit syslogs over a UDP or TCP port and requires a persistent connection to your SIEM, SOAR, or ticketing system. Enterprise DLP can only forward DLP incident and audit syslogs while successfully connected to your SIEM, SOAR, or ticketing system. Enterprise DLP automatically resumes forwarding your Enterprise DLP incident and audit syslogs to your SIEM, SOAR, or ticketing system after you restore connectivity. However, Enterprise DLP can't forward any syslogs generated while Enterprise DLP and your SIEM, SOAR, or ticketing system are disconnected.
Enterprise DLP sends an email to the admin who originally connected Enterprise DLP to your SIEM, SOAR, or ticketing system using the Log Forwarding profile and to the user who last modified the Log Forwarding profile settings. Enterprise DLP sends this email only once at the time of disconnect. If you update the SIEM, SOAR, or ticketing system connection settings and Enterprise DLP loses connectivity again, Enterprise DLP sends another email to notify you of the ongoing connectivity issue.
Enterprise DLP monitors the connectivity status of each syslog server profile you add and can buffer up to 30 days of syslogs per syslog server profile when it loses connectivity to your third-party SIEM, SOAR, or ticketing system. When connectivity is restored, Enterprise DLP automatically resends the buffered syslogs. This ensures a complete audit trail and continuous security monitoring. Your data security administrators can also configure an email address to receive immediate alerts about any connection failures or restorations.
Contact Palo Alto Networks Support if the connection between Enterprise DLP and your third-party SIEM, SOAR, or ticketing system is down for 7 days or more. Palo Alto Networks must assist you in forwarding buffered syslogs when connectivity is disrupted for 7 days or more.
Your syslog forwarding configuration takes 15 minutes to take effect after you add, edit, or delete a Log Forwarding profile, or when you add a Syslog server profile to a Log Forwarding profile.
Review the syslog field descriptions below for more information on the data Enterprise DLP includes in forwarded syslogs.
  • Incident LEEF and CEF Syslog Field Descriptions
    Field Name
    Description
    cat
    Event category. Always displays data_security.
    facility
    Numeric code (0- 7) that identifies the source of a log message.
    tenant_id
    Your Enterprise DLP tenant ID.
    incident_id
    Unique DLP incident identifier. Enterprise DLP assigns a unique ID to all incidents.
    report_id
    Report ID for the DLP incident. Use this ID to view additional Traffic log details for the DLP incident.
    channel
    Enforcement channel that generated the DLP incident. Can be NGFW, Prisma Access, or Endpoint DLP.
    created_at
    Time Enterprise DLP generated the incident.
    Format is YYYY-MM-DD-THH:MM:SSUTC
    file_name
    Name of the file containing sensitive data that generated the Enterprise DLP incident.
    usrName
    Name of the user who generated the Enterprise DLP incident.
    action
    Action configured in the data profile (Panorama), DLP Rule, or Endpoint DLP policy rule. Can be Alert or Block.
    source
    Name or ID of the NGFW or Prisma Access, or endpoint where the installed Prisma Access Agent forwarded traffic to Enterprise DLP that generated the incident.
    app_id
    Destination App-ID for traffic that generated an Enterprise DLP incident.
    app_name
    Name of the destination app for traffic that generated an Enterprise DLP incident.
    peripheral_id
    Product ID of the Endpoint DLP peripheral device that generated the Enterprise DLP incident.
    peripheral_name
    Name of the Endpoint DLP peripheral device that generated the Enterprise DLP incident.
    peripheral_type
    Type of Endpoint DLP peripheral device that generated the Enterprise DLP incident. Can be USB, Network Share, or Printer.
    policy_name
    Name of the Endpoint DLP policy rule that generated the Enterprise DLP incident.
    policy_type
    Type of Enterprise DLP policy rule that matched the traffic containing sensitive data.
    profile_name
    Name of the Enterprise DLP data profile containing the match criteria that the traffic containing sensitive data matched against.
    url
    Transactional URL where the user generated the Enterprise DLP incident.
    src
    IP address of the source that generated the Enterprise DLP incident.
    dst
    IP address of the destination that generated the Enterprise DLP incident.
    sev
    Severity of the Enterprise DLP incident. Can be informational, low, medium, high, or critical.
    snippets_url
    API URL to view the snippet of sensitive data that generated the DLP incident.
    data_pattern_results
    Data pattern containing the sensitive data match criteria that matched the detected sensitive data.
    notes
    Note added to the Case Management details of the DLP incident.
    status
    Current Case Management status of the DLP incident. Can be New, Open, Under Investigation, or Closed.
    tag
    Custom tag added to the DLP incident case in the Case Management details.
    priority
    Case priority set in the Case Management details. Can be P1, P2, P3, P4, or P5.
    modified_at
    Date and time you last modified the DLP incident Case Management details.
    asset_size
    Size of the asset that generated the DLP incident.
    source_region
    Geographic region where the traffic source for the DLP incident originated.
    panw_data_profiles
    Contains information about the data profiles that matched the sensitive content. A pipe (|) separates multiple data profiles.
    Value is a semi-structured string. Contains nested sub-fields with key-value pairs separated with commas (,) and sub-field values separated with colons (:)
    • name—Name of the data profile that matched.
    • is_parent—Displays true if a nested or granular data profile. Displays false in all other cases.
    panw_data_patterns
    Contains information about the data pattern that matched the sensitive content. A pipe (|) separates multiple data patterns.
    Value is a highly structured string. Contains nested sub-fields with key-value pairs separated with commas (,) and sub-field values separated with colons (:)
    • high_confidence_frequency—Total number of High confidence matches.
    • medium_confidence_frequency—Total number of Medium confidence matches.
    • low_confidence_frequency—Total number of Low confidence matches.
    • total_confidence_frequency—Total number of High, Medium, and Low confidence matches.
  • Audit Log LEEF and CEF Syslog Field Descriptions
    Field Name
    Description
    cat
    Event category. Always displays data_security.
    user_id
    Email of the user who made the Enterprise DLP configuration change that generated the audit log.
    audit_id
    Unique ID of the Enterprise DLP audit log.
    object_id
    Unique ID of the Enterprise DLP configuration object you created, updated, or deleted.
    event
    Type of configuration change that occurred that generated the Enterprise DLP audit log. Can be Create, Update, or Delete.
    type
    Type of Enterprise DLP configuration object you created, updated, or deleted that generated the Enterprise DLP audit log.
    tenant_id
    Your Enterprise DLP tenant ID.
    createdAt
    Time Enterprise DLP generated the audit log.
    Format is YYYY-MM-DD-THH:MM:SSUTC
    changed_from
    For a Create event, this field displays null.
    For an Update or Delete event, this field displays the original object configuration before you updated or deleted it.
    changed_to
    New Enterprise DLP configuration object state.
    For a Delete event, this field displays null.
    For a Create or Update event, this field displays the object configuration after creation or update.
  1. Allow the required IP addresses on your network to allow Enterprise DLP to forward incident and audit log syslogs.
  2. (FedRAMP only) Contact Palo Alto Networks Customer Support to open a ticket to add your server IP address and port to the Enterprise DLP allow list.
  3. Log in to Strata Cloud Manager.
  4. Select ConfigurationData Loss PreventionSettingsLogging Settings.
  5. Add Log Forwarding Profile.
  6. Enter a descriptive Log Forwarding profile Name.
  7. For the Channel, select one or more enforcement channels to which the log forwarding applies.
    Enterprise DLP forwards all DLP incident or audit syslogs based on the selected channels.
    For example, if you select NGFW and Prisma Access, Enterprise DLP forwards syslogs for all DLP incident syslogs generated from traffic originating from any NGFW and Prisma Access tenant associated with your Customer Support Portal account that has an active Enterprise DLP license. However, Enterprise DLP doesn't forward any Endpoint DLP incidents.
    Select at least one of the following options.
    • Supported Channels
      • Audit Log
      • Email DLP
      • Endpoint DLP
      • NGFW
      • Prisma Access
      • Prisma Browser
      • SaaS API (Data Security)
  8. Add a Filter to forward syslogs based on the region where the user generated the Enterprise DLP incident or audit log.
    Enterprise DLP supports multiple filters. Enterprise DLP only forwards syslogs for Channels configured in the Syslog server profile based on the region where the user generated the DLP incident or audit log.
  9. For the Syslog Server Profile, Create New Profile to define the syslog server connection settings.
    You can't delete or edit a Syslog server profile after creation. Be sure you're confident the configuration is correct before you Save the Syslog server profile and attach it to your Log Forwarding profile.
    Repeat this step to add as many Syslog server profiles as needed.
    1. Enter the Syslog Profile Name.
    2. Enter the Syslog Server IP address or Fully Qualified Domain Name (FQDN) server name.
    3. Select and enter the Syslog Port used for forwarding syslogs.
    4. Select the Syslog Facility for syslogs forwarded from Enterprise DLP.
      A SIEM, SOAR, or ticketing system uses the syslog facility numeric code to identify the source of a log message and to categorize log messages. Enterprise DLP supports Log(0) through Log(7). Enterprise DLP supports one syslog facility per Syslog server profile.
    5. Select the Connection Type to define the protocol used for communicating with your syslog server.
      Enterprise DLP supports UDP and TCP ports.
    6. (Optional) Upload the Server CA certificate used to establish trust between Enterprise DLP and your SIEM, SOAR, or ticketing system during Transport Layer Security (TLS) communication.
      Enterprise DLP currently supports Public server Certificate Authority certificates for UDP connections and Public and Private service CA certificates for TCP connections.
      If you select Private for TCP connections, Browse and upload the syslog server Certificate Authority if Enterprise DLP requires it to forward syslogs to your SIEM, SOAR, or ticketing system.
      Enterprise DLP can't encrypt UDP connections with TLS/SSL.
    7. Select the Log Format to forward to your syslog server. You can select LEEF and CEF.
    8. Enter the Recipient email address for alerts.
      This email receives alerts when Enterprise DLP loses connectivity to your SIEM, SOAR, or ticketing system or if Enterprise DLP fails to forward a syslog.
      Enterprise DLP sends an alert to this email when it successfully reconnects to your SIEM, SOAR, or ticketing system.
    9. Click Test Connection to verify you configured your Syslog server profile correctly by confirming Enterprise DLP can successfully communicate with your SIEM, SOAR, or ticketing system.
      Continue if Enterprise DLP returns Connection Successful.
      If Enterprise DLP returns Connection Failed, Enterprise DLP can't connect to your SIEM, SOAR, or ticketing system because you configured the Syslog Server or Syslog Port incorrectly, or you uploaded an invalid private Service CA certificate.
    10. Save the Syslog server profile.
  10. Enable the Log Forwarding profile.
  11. Save.
  12. Configure Enterprise DLP.