PAN-OS 10.1 introduces the ability to track web administrator activity in the web interface and command line interface (CLI) of firewalls, Panorama™ management server, and Log Collectors for audit purposes. By tracking administrator activity in the web interface and CLI, you can achieve real time reporting of activity across your deployment. If you have reason to believe an administrator account is compromised, you have a full history of where this administrator account navigated throughout the web interface or what operational commands they executed so you can analyze in detail and respond to all actions the compromised administrator took.

An event occurs and generates an audit log, which is forwarded to the specified syslog server each time you navigate through the web interface or when you execute an operational command in the CLI. Each navigation or command executed generates an audit log. Take for example if you want to create a new address object. You generate one audit log when you click Objects, and a second audit log when you then click Addresses. Audit logs can only be forwarded to a syslog server, cannot be forwarded to Cortex Data Lake (CDL), and are not stored locally on the firewall, Panorama, or Log Collector.