Forward GlobalProtect Logs to an External Service in PAN-OS

In PAN-OS, you can forward GlobalProtect logs to an external service such as a syslog receiver or ticketing system. In cases where some teams in your organization can achieve greater efficiency by monitoring only the GlobalProtect logs that are relevant to their operations, you can create forwarding filters based on GlobalProtect log attributes. For example, you can filter by:
  • GlobalProtect authentication events generated by GlobalProtect (type eq globalprotect)
    GlobalProtect authentication events generated by the authentication service (type eq auth) remain in Monitor > Logs > System.
  • All other GlobalProtect events (non-authentication)
Palo Alto Networks firewalls forward GlobalProtect logs using the following format. To simplify parsing, the format is comma-delimited: each log entry is a comma-separated value (CSV) string whose fields appear in the order listed below.
Format:
domain, receive_time, serial, seqno, actionflags, type, subtype, config_ver, time_generated, vsys, eventid, stage, auth_method, tunnel_type, srcuser, srcregion, machinename, public_ip, public_ipv6, private_ip, private_ipv6, hostid, serialnumber, client_ver, client_os, client_os_ver, repeatcnt, reason, error, opaque, status, location, login_duration, connect_method, error_code, portal
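A parser for the record format above together with a filter written in the page's "attribute eq value" style, added here as an example and not taken from PAN-OS documentation or product code. The sample records are constructed (serial numbers are placeholders and the eventid, stage and status values are illustrative), and the filter deliberately supports only eq and neq on a single attribute, not the full PAN-OS filter syntax.

```python
import csv
from io import StringIO

# Field order exactly as this page lists it for PAN-OS GlobalProtect logs.
GP_FIELDS = [
    "domain", "receive_time", "serial", "seqno", "actionflags", "type",
    "subtype", "config_ver", "time_generated", "vsys", "eventid", "stage",
    "auth_method", "tunnel_type", "srcuser", "srcregion", "machinename",
    "public_ip", "public_ipv6", "private_ip", "private_ipv6", "hostid",
    "serialnumber", "client_ver", "client_os", "client_os_ver", "repeatcnt",
    "reason", "error", "opaque", "status", "location", "login_duration",
    "connect_method", "error_code", "portal",
]

def parse_gp_record(line):
    """Split one CSV record into a dict keyed by field name.
    A record whose field count differs from the documented format is
    rejected rather than mis-aligned against the wrong column names."""
    values = next(csv.reader(StringIO(line)))
    if len(values) != len(GP_FIELDS):
        raise ValueError(f"expected {len(GP_FIELDS)} fields, got {len(values)}")
    return dict(zip(GP_FIELDS, (v.strip() for v in values)))

def make_filter(expr):
    """Turn a PAN-OS style filter such as '(type eq globalprotect)' into a
    predicate. Only 'eq' and 'neq' on a single attribute are handled here;
    that subset is an assumption of this example, not the full PAN-OS syntax."""
    attr, op, value = expr.strip().strip("()").split(maxsplit=2)
    if attr not in GP_FIELDS or op not in ("eq", "neq"):
        raise ValueError(f"unsupported filter: {expr!r}")
    return lambda rec: (rec[attr] == value) == (op == "eq")

def select(lines, expr):
    """Return the parsed records that match the filter expression."""
    pred = make_filter(expr)
    return [rec for rec in map(parse_gp_record, lines) if pred(rec)]

# Constructed sample records (not real firewall output); serial numbers are
# placeholders and the eventid/stage/status values are illustrative only.
SAMPLE_LOGS = [
    "1,2024/01/15 10:00:01,PLACEHOLDER_SERIAL,1001,0x0,globalprotect,globalprotect,,"
    "2024/01/15 10:00:01,vsys1,gateway-auth,login,LDAP,,alice,US,ALICE-LAPTOP,"
    "198.51.100.10,,10.0.0.5,,host-1,,6.0.0,Windows,Microsoft Windows 10,1,,,,"
    "success,gw-east,,,0,gw-east",
    "1,2024/01/15 10:05:42,PLACEHOLDER_SERIAL,1002,0x0,globalprotect,globalprotect,,"
    "2024/01/15 10:05:42,vsys1,gateway-auth,login,LDAP,,bob,US,BOB-LAPTOP,"
    "203.0.113.7,,,,host-2,,6.0.0,macOS,14.2,1,Invalid username or password,,,"
    "failure,gw-east,,,0,gw-east",
]
```

Running `select(SAMPLE_LOGS, "status eq failure")` isolates the failed login, which is the kind of subset a team would forward to its own receiver with a forwarding filter.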
  1. In PAN-OS, configure log forwarding for GlobalProtect logs.
  2. Configure a server profile for each external service that will receive log information.
  3. Configure the destinations for GlobalProtect logs.
    You can also add or remove tags from a source or destination IP address in a log entry.
  4. Commit and verify your changes.
