End-of-Life (EoL)

Configure Syslog Monitoring

To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over SSL.
  1. Configure a Syslog server profile.
    You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
    1. Select
      Device
      Server Profiles
      Syslog
      .
    2. Click
      Add
      and enter a
      Name
      for the profile.
    3. If the firewall has more than one virtual system (vsys), select the
      Location
      (vsys or
      Shared
      ) where this profile is available.
    4. For each syslog server, click
      Add
      and enter the information that the firewall requires to connect to it:
      • Name
        —Unique name for the server profile.
      • Syslog Server
        —IP address or fully qualified domain name (FQDN) of the syslog server.
      • Transport
        —Select TCP, UDP, or SSL as the method of communication with the syslog server.
      • Port
        —The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
      • Format
        —Select the syslog message format to use:
        BSD
        (the default) or
        IETF
        . Traditionally,
        BSD
        format is over UDP and
        IETF
        format is over TCP or SSL.
      • Facility
        —Select a syslog standard value (default is
        LOG_USER
        ) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
    5. (
      Optional
      ) To customize the format of the syslog messages that the firewall sends, select the
      Custom Log Format
      tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
    6. Click
      OK
      to save the server profile.
  2. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
      1. Select
        Objects
        Log Forwarding
        , click
        Add
        , and enter a
        Name
        to identify the profile.
      2. For each log type and each severity level or WildFire verdict, select the
        Syslog
        server profile and click
        OK
        .
  3. Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
    1. Select
      Device
      Log Settings
      .
    2. For System and Correlation logs, click each Severity level, select the
      Syslog
      server profile, and click
      OK
      .
    3. For Config, HIP Match, and Correlation logs, edit the section, select the
      Syslog
      server profile, and click
      OK
      .
  4. (
    Optional
    ) Configure the header format of syslog messages.
    The log data includes the unique identifier of the firewall that generated the log. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers.
    This is a global setting and applies to all syslog server profiles configured on the firewall.
    1. Select Device > Setup > Management and edit the Logging and Reporting Settings.
    2. Select the
      Log Export and Reporting
      tab and select the Syslog HOSTNAME Format:
      • FQDN
        (default)—Concatenates the hostname and domain name defined on the sending firewall.
      • hostname
        —Uses the hostname defined on the sending firewall.
      • ipv4-address
        —Uses the IPv4 address of the firewall interface used to send logs. By default, this is the MGT interface.
      • ipv6-address
        —Uses the IPv6 address of the firewall interface used to send logs. By default, this is the MGT interface.
      • none
        —Leaves the hostname field unconfigured on the firewall. There is no identifier for the firewall that sent the logs.
    3. Click
      OK
      to save your changes.
  5. Create a certificate to secure syslog communication over SSL.
    Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.
    Ensure the following conditions are met:
    • The private key must be available on the sending firewall; the keys can’t reside on a Hardware Security Module (HSM).
    • The subject and the issuer for the certificate must not be identical.
    • The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it in to the syslog server.
    1. Select
      Device
      > Certificate Management > Certificates > Device Certificates
      and click
      Generate
      .
    2. Enter a
      Name
      for the certificate.
    3. In the
      Common Name
      field, enter the IP address of the firewall sending logs to the syslog server.
    4. In
      Signed by
      , select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
      The certificate can’t be a
      Certificate Authority
      nor an
      External Authority
      (certificate signing request [CSR]).
    5. Click
      Generate
      . The firewall generates the certificate and key pair.
    6. Click the certificate Name to edit it, select the
      Certificate for Secure Syslog
      check box, and click
      OK
      .
  6. Commit your changes and review the logs on the syslog server.
    1. Click
      Commit
      .
    2. To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions.

Recommended For You