>
    Strata Copilot
    View and Manage Logs
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Monitoring
    4. View and Manage Logs
    Download PDF
    Next-Generation Firewall

    View and Manage Logs

    Table of Contents

    View and Manage Logs

    Where Can I Use This?What Do I Need?
    • NGFW (Managed by PAN-OS or Panorama)
    • Support license
    • (Panorama) Device management license
    A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type, ensuring a structured approach to data collection. For example, the firewall generates a Threat log. This specialized log captures entries whenever network traffic aligns with a configured spyware, vulnerability, or virus signature. It also records instances of Denial-of-Service (DoS) attacks that meet predefined thresholds, such as those configured for port scan or host sweep activities, signaling potential malicious intent. This segregation by log type allows administrators to focus on specific security or operational aspects.
    You can utilize various functions to manage these logs. This includes reviewing different Log Types and Severity Levels, and accessing them through View Logs. To refine their analysis, you can Filter Logs based on specific criteria. For record-keeping or offline analysis, the system supports Exporting Logs, with a dedicated Use Case: Export Traffic Logs for a Date Range provided. Furthermore, firewalls allow you to Configure Log Storage Quotas and Expiration Periods to manage disk space, and Schedule Log Exports to an SCP or FTP Server for long-term archiving and integration with external systems.

    View Logs

    You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files and automatically generates Configuration and System logs by default. To learn more about the security rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.
    To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network Management Protocol (SNMP) traps, Use External Services for Monitoring.
    1. Select a log type to view.
      1. Select MonitorLogs.
      2. Select a log type from the list.
        The firewall displays only the logs you have permission to see. For example, if your administrative account does not have permission to view WildFire Submissions logs, the firewall does not display that log type when you access the logs pages. Administrator Role Types define the permissions.
    2. (Optional) Customize the log column display.
      1. Click the arrow to the right of any column header, and select Columns.
      2. Select columns to display from the list. The log updates automatically to match your selections.
    3. View additional details about log entries.
      • Click the spyglass ( 
         ) for a specific log entry. The Detailed Log View has more information about the source and destination of the session, as well as a list of sessions related to the log entry.
      • (Threat log only) Click
        next to an entry to access local packet captures of the threat. To enable local packet captures, see Take Packet Captures.
      • (Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs only) View AutoFocus threat data for a log entry.
        1. Enable AutoFocus.
          Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions (PanoramaSetupManagementAutoFocus).
        2. Hover over an IP address, URL, user agent, threat name (subtype: virus and wildfire-virus only), filename, or SHA-256 hash.
        3. Click the drop-down ( 
           ) and select AutoFocus.
        4. Content Delivery Network Infrastructure.
    Next Steps...
    • Filter Logs.
    • Export Logs.
    • Configure Log Storage Quotas and Expiration Periods.

    Filter Logs

    Each log has a filter area that allows you to set a criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.
    For example, filtering by the rule UUID makes it easier to pinpoint the specific rule you want to locate, even among many similarly-named rules. If your ruleset is very large and contains many rules, using the rule’s UUID as a filter spotlights the particular rule you need to find without having to navigate through pages of results.
    1. (Unified logs only) Select the log types to include in the Unified log display.
      1. Click Effective Queries ( 
         ).
      2. Select one or more log types from the list (traffic, threat, url, data, and wildfire).
      3. Click OK. The Unified log updates to show only entries from the log types you have selected.
    2. Add a filter to the filter field.
      If the value of the artifact matches the operator (such as has or in), enclose the value in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a value to specify INDIA, enter the filter as ( dstloc eq “IN” ).
      • Click one or more artifacts (such as the application type associated with traffic and the IP address of an attacker) in a log entry. For example, click the Source 10.0.0.25 and Application web-browsing of a log entry to display only entries that contain both artifacts in the log (AND search).
      • To specify artifacts to add to the filter field, click Add Filter ( 
         ).
      • To add a previously saved filter, click Load Filter ( 
         ).
    3. Apply the filter to the log.
      Click Apply Filter ( 
       ). The log will refresh to display only log entries that match the current filter.
    4. (Optional) Save frequently used filters.
      1. Click Save Filter ( 
         ).
      2. Enter a Name for the filter.
      3. Click OK. You can view your saved filters by clicking Load Filter ( 
         ).
      Next Steps...
      • View Logs.
      • Export Logs.

    Export Logs

    You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default, the report contains up to 2,000 rows of log entries.
    1. Set the number of rows to display in the report.
      1. Select DeviceSetupManagement, then edit the Logging and Reporting Settings.
      2. Click the Log Export and Reporting tab.
      3. Edit the number of Max Rows in CSV Export (up to 1048576 rows).
      4. Click OK.
    2. Download the log.
      1. Click Export to CSV ( 
         ). A progress bar showing the status of the download appears.
      2. When the download is complete, click Download file to save a copy of the log to your local folder. For descriptions of the column headers in a downloaded log, refer to Syslog Field Descriptions.
      Next Step...
      Schedule Log Exports to an SCP or FTP Server.

    Use Case: Export Traffic Logs for a Date Range

    This example provides information and tips for filtering and exporting traffic logs for a specific date range. Examples of date range filters for Traffic logs are:
    • All Traffic for a specific date (yyyy/mm/dd) and time (hh:mm:ss)
    • All Traffic received on or before the date (yyyy/mm/dd) and time (hh:mm:ss)
    • All Traffic received on or after the date (yyyy/mm/dd) and time (hh:mm:ss)
    • All Traffic received between the date-time range of yyyy/mm/dd hh:mm:ss and yyyy/mm/dd hh:mm:ss (this use case)
    To filter for traffic received between a date and time range,
    1. Select MonitorLogs.
    2. Select the Traffic log type.
    3. Add the filter to the filter field.
      For example, to export Traffic logs from 08/03/2023 to 08/04/2023, add (receive_time geq '2023/08/03 00:00:00') and (receive_time leq '2023/08/04 23:59:59') to the filter field and Apply Filter.
    4. Export to CSV.
      Use smaller date ranges or reduce the Max Rows in CSV Export if your exported log file does not include the complete results expected.
    5. Download the exported file.

    Configure Log Storage Quotas and Expiration Periods

    The firewall automatically deletes logs that exceed the expiration period. When the firewall reaches the storage quota for a log type, it automatically deletes older logs of that type to create space even if you don’t set an expiration period.
    If you want to manually delete logs, select DeviceLog Settings and, in the Manage Logs section, click the links to clear logs by type.
    1. Select DeviceSetupManagement and edit the Logging and Reporting Settings.
    2. Select Log Storage and enter a Quota (%) for each log type. When you change a percentage value, the dialog refreshes to display the corresponding absolute value (Quota GB/MB column).
    3. Enter the Max Days (expiration period) for each log type (range is 1-2,000). The fields are blank by default, which means the logs never expire.
      The firewall synchronizes expiration periods across high availability (HA) pairs. Because only the active HA peer generates logs, the passive peer has no logs to delete unless failover occurs and it starts generating logs.
    4. Click OK and Commit.

    Schedule Log Exports to an SCP or FTP Server

    You can schedule exports of Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire Submission logs to a Secure Copy (SCP) server or File Transfer Protocol (FTP) server. Perform this task for each log type you want to export.
    You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).
    1. Select DeviceScheduled Log Export and click Add.
    2. Enter a Name for the scheduled log export and Enable it.
    3. Select the Log Type to export.
    4. Select the daily Scheduled Export Start Time. The options are in 15-minute increments for a 24-hour clock (00:00 - 23:59).
    5. Select the Protocol to export the logs: SCP (secure) or FTP.
    6. Enter the Hostname or IP address of the server.
    7. Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.
    8. Enter the Path or directory in which to save the exported logs.
    9. Enter the Username and, if necessary, the Password (and Confirm Password) to access the server.
    10. (FTP only) Select Enable FTP Passive Mode if you want to use FTP passive mode, in which the firewall initiates a data connection with the FTP server. By default, the firewall uses FTP active mode, in which the FTP server initiates a data connection with the firewall. Choose the mode based on what your FTP server supports and on your network requirements.
    11. (SCP only) Click Test SCP server connection.
      (PAN-OS 10.2.4 and later releases) A pop-up window is displayed requiring you to enter a clear text Passwordand then to Confirm Password in order to test the SCP server connection and enable the secure transfer of data. The firewall does not establish and test the SCP server connection until you enter and confirm the SCP server password. If the firewall is in an HA configuration, perform this step on each HA peer so that each one can successfully connect to the SCP server. If the firewall can successfully connect to the SCP server, it creates and uploads the test file named ssh-export-test.txt.
      If you use a Panorama template to configure the log export schedule, you must perform this step after committing the template configuration to the firewalls. After the template commit, log in to each firewall, open the log export schedule, and click Test SCP server connection.
    12. Click OK and Commit.

    © 2025 Palo Alto Networks, Inc. All rights reserved.