Configure Syslog Monitoring
To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over TLSv1.2.
- Configure a Syslog server profile.You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
- Select.DeviceServer ProfilesSyslog
- ClickAddand enter aNamefor the profile.
- If the firewall has more than one virtual system (vsys), select theLocation(vsys orShared) where this profile is available.
- For each syslog server, clickAddand enter the information that the firewall requires to connect to it:
- Name—Unique name for the server profile.
- Syslog Server—IP address or fully qualified domain name (FQDN) of the syslog server.If you configure an FQDN and useUDPtransport, if the firewall cannot resolve the FQDN, the firewall uses the existing IP address resolution for the FQDN as theSyslog Serveraddress.
- Transport—SelectTCP,UDP, orSSL(TLS) as the protocol for communicating with the syslog server. ForSSL, the firewall supports only TLSv1.2.
- Port—The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
- Format—Select the syslog message format to use:BSD(the default) orIETF. Traditionally,BSDformat is over UDP andIETFformat is over TCP or SSL/TLS.
- Facility—Select a syslog standard value (default isLOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
- (Optional) To customize the format of the syslog messages that the firewall sends, select theCustom Log Formattab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
- ClickOKto save the server profile.
- Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
- Configure the firewall to forward logs. For more information, see Step Create a Log Forwarding profile.
- Select, clickObjectsLog ForwardingAdd, and enter aNameto identify the profile.
- For each log type and each severity level or WildFire verdict, select theSyslogserver profile and clickOK.
- Assign the log forwarding profile to a security policy to trigger log generation and forwarding. For more information, See Step Assign the Log Forwarding profile to policy rules and network zones.
For detailed information about configuring a log forwarding profile and assigning the profile to a policy rule, see Configure Log Forwarding.
- Selectand select a policy rule.PoliciesSecurity
- Select theActionstab and select theLog Forwardingprofile you created.
- In theProfile Typedrop-down, selectProfilesorGroups, and then select the security profiles orGroup Profilesrequired to trigger log generation and forwarding.
- For Traffic logs, select one or both of theLog at Session StartandLog At Session Endcheck boxes, and clickOK.
- Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
- Select.DeviceLog Settings
- For System and Correlation logs, click each Severity level, select theSyslogserver profile, and clickOK.
- For Config, HIP Match, and Correlation logs, edit the section, select theSyslogserver profile, and clickOK.
- (Optional) Configure the header format of syslog messages.The log data includes the unique identifier of the firewall that generated the log. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers.This is a global setting and applies to all Syslog server profiles configured on the firewall.
- Selectand edit the Logging and Reporting Settings.DeviceSetupManagement
- Select theLog Export and Reportingtab and select the Syslog HOSTNAME Format:
- FQDN(default)—Concatenates the hostname and domain name defined on the sending firewall.
- hostname—Uses the hostname defined on the sending firewall.
- ipv4-address—Uses the IPv4 address of the firewall interface used to send logs. By default, this is the MGT interface.
- ipv6-address—Uses the IPv6 address of the firewall interface used to send logs. By default, this is the MGT interface.
- none—Leaves the hostname field unconfigured on the firewall. There is no identifier for the firewall that sent the logs.
- ClickOKto save your changes.
- Create a certificate to secure syslog communication over TLSv1.2.Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.Ensure the following conditions are met:
- The private key must be available on the sending firewall; the keys can’t reside on a Hardware Security Module (HSM).
- The subject and the issuer for the certificate must not be identical.
- The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it in to the syslog server.
- The connection to a Syslog server over TLS is validated using the Online Certificate Status Protocol (OCSP) or using Certificate Revocation Lists (CRL) so long as each certificate in the trust chain specifies one or both of these extensions. However, you cannot bypass OCSP or CRL failures so you must ensure that the certificate chain is valid and that you can verify each certificate using OCSP or CRL.
- Selectand clickDeviceCertificate ManagementCertificatesDevice CertificatesGenerate.
- Enter aNamefor the certificate.
- In theCommon Namefield, enter the IP address of the firewall sending logs to the syslog server.
- InSigned by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.The certificate can’t be aCertificate Authoritynor anExternal Authority(certificate signing request [CSR]).
- ClickGenerate. The firewall generates the certificate and key pair.
- Click the certificate Name to edit it, select theCertificate for Secure Syslogcheck box, and clickOK.
- Commit your changes and review the logs on the syslog server.
- To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions.
- (Optional) Configure the firewall to terminate the connection to the syslog server upon FQDN refresh.When you configure a syslog server profile using a FQDN, the firewall maintains its connection to the syslog server by default in the event of an FQDN name change.For example, you have replaced an existing syslog server with a new syslog server that uses a different FQDN name. If you want the firewall to connect to the new syslog server using a new FQDN name, you can configure the firewall to automatically terminate its connection to the old syslog server and establish a connection to the new syslog server using the new FQDN name.
- Configure the firewall to terminate the connection to the syslog server upon FQDN refresh.admin>set syslogng fqdn-refresh yes
Recommended For You
Recommended videos not found.