View Logs
You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files and automatically generates Configuration and System logs by default. To learn more about the security rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.
To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network Management Protocol (SNMP) traps, see Use External Services for Monitoring.
Select a log type to view. Select Monitor > Logs. Select a log type from the list. The firewall displays only the logs you have permission to see. For example, if your administrative account does not have permission to view WildFire Submissions logs, the firewall does not display that log type when you access the logs pages. Administrative Roles define the permissions.
(Optional) Customize the log column display. Click the arrow to the right of any column header, and select Columns. Select columns to display from the list. The log updates automatically to match your selections.
View additional details about log entries. Click the spyglass icon for a specific log entry. The Detailed Log View has more information about the source and destination of the session, as well as a list of sessions related to the log entry. (Threat log only) Click the icon next to an entry to access local packet captures of the threat. To enable local packet captures, see Take Packet Captures.
Next Steps... Filter Logs. Export Logs. View AutoFocus Threat Data for Logs. Configure Log Storage Quotas and Expiration Periods.
Filter Logs
Each log has a filter area that allows you to set criteria for which log entries to display. Filtering logs is useful for focusing on events on your firewall that have particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.
(Unified logs only) Select the log types to include in the Unified log display. Click Effective Queries. Select one or more log types from the list (traffic, threat, url, data, and wildfire). Click OK. The Unified log updates to show only entries from the log types you have selected.
Add a filter to the filter field. If the value of the artifact matches an operator (such as has or in), enclose the value in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a value to specify INDIA, enter the filter as ( dstloc eq "IN" ). Click one or more artifacts (such as the application type associated with traffic and the IP address of an attacker) in a log entry. For example, click the Source 10.0.0.25 and Application web-browsing of a log entry to display only entries that contain both artifacts in the log (AND search). To specify artifacts to add to the filter field, click Add Filter. To add a previously saved filter, click Load Filter.
Apply the filter to the log. Click Apply Filter. The log refreshes to display only log entries that match the current filter.
(Optional) Save frequently used filters. Click Save Filter. Enter a Name for the filter. Click OK. You can view your saved filters by clicking Load Filter.
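The quoting rule from the filter step above matters most when filter strings are generated by a script rather than typed. The following is an added example, not code from the original documentation: it builds filter terms, quotes a value that collides with an operator keyword, and rejects values that could break out of the term. The operator list beyond has and in, and the field names addr.src and app, are assumptions; only dstloc appears on this page.

```python
import re

# Assumption: comparison operators accepted in a filter term. The page names
# only "has" and "in" (and uses "eq"); the others are assumed here.
COMPARISON_OPS = {"eq", "neq", "in", "notin", "has", "leq", "geq"}
# Words that must be quoted when they appear as a value (page: "has", "in").
RESERVED = COMPARISON_OPS | {"and", "or", "not"}

_FIELD = re.compile(r"^[a-z][a-z0-9_.-]*$")
# Conservative value alphabet: anything else (spaces, parentheses, quotes)
# is refused instead of escaped, so untrusted input cannot add extra terms.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:/-]+$")


def term(field, op, value):
    """Return one parenthesised filter term such as ( dstloc eq "IN" )."""
    if not _FIELD.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    if op not in COMPARISON_OPS:
        raise ValueError(f"unexpected operator: {op!r}")
    value = str(value)
    if not _SAFE_VALUE.match(value):
        raise ValueError(f"value not allowed in a filter: {value!r}")
    if value.lower() in RESERVED:
        # The case described on the page: IN (India) reads as the "in" operator.
        value = f'"{value}"'
    return f"( {field} {op} {value} )"


def all_of(*terms):
    """Join terms into an AND search, like clicking several artifacts."""
    if not terms:
        raise ValueError("at least one term is required")
    return " and ".join(terms)


if __name__ == "__main__":
    print(term("dstloc", "eq", "IN"))
    # Constructed sample values taken from the page's AND-search example.
    print(all_of(term("addr.src", "in", "10.0.0.25"),
                 term("app", "eq", "web-browsing")))
```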
Next Steps... View Logs. Export Logs. View AutoFocus Threat Data for Logs.
Export Logs
You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default, the report contains up to 2,000 rows of log entries.
Set the number of rows to display in the report. Select Device > Setup > Management, then edit the Logging and Reporting Settings. Click the Log Export and Reporting tab. Edit the number of Max Rows in CSV Export (up to 100,000 rows). Click OK.
Download the log. Click Export to CSV. A progress bar showing the status of the download appears. When the download is complete, click Download file to save a copy of the log to your local folder. For descriptions of the column headers in a downloaded log, refer to Syslog Field Descriptions.
Next Step... Schedule Log Exports to an SCP or FTP Server.
View AutoFocus Threat Data for Logs
With a valid AutoFocus subscription, you can view AutoFocus threat intelligence data for the following artifacts in Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs:
IP address
URL
User agent
Threat name (only for threats of the subtype virus and wildfire-virus)
Filename
SHA-256 hash
You can also open an AutoFocus search for log artifacts.
Connect the firewall to AutoFocus to Enable AutoFocus Threat Intelligence. Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions (Panorama > Setup > Management > AutoFocus).
Select a log type to view. Select Monitor > Logs. Select one of the following log types: Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, or Unified.
Open the AutoFocus Intelligence Summary for an artifact. Click the drop-down for an IP address, URL, user agent, threat name (subtype: virus or wildfire-virus), filename, or SHA-256 hash in any log entry. Click AutoFocus.
View the Analysis Information available in AutoFocus for the artifact.
View the number of sessions logged in your firewall(s) in which the firewall detected samples associated with the artifact. Compare the WildFire verdicts (benign, malware, grayware) for global and organization samples associated with the artifact. Global refers to samples from all WildFire submissions, while organization refers to only samples submitted to WildFire by your organization. Review the matching tags for the artifact. AutoFocus Tags indicate whether an artifact is linked to malware or targeted attacks. Hover over a tag to view more details about the tag. Click on the ellipsis to launch AutoFocus search for the artifact. The Tags column in the AutoFocus search results displays more matching tags for the artifact.
For an IP address, domain, or URL artifact, view passive DNS history that includes the artifact. Click the Passive DNS tab. The passive DNS history is based on global DNS intelligence in AutoFocus; it is not limited to the DNS activity in your network. Passive DNS history consists of the domain request, the DNS request type, the IP address or domain returned in response to the domain request, the number of times the request was made, and the date and time the request was first seen and last seen.
View the latest samples in your network where WildFire found the artifact. Click the Matching Hashes tab, which displays the 5 most recently detected matching samples. Sample information includes the SHA-256 hash, the file type, the date that the sample was first analyzed by WildFire, the WildFire verdict for the sample, and the date that the WildFire verdict was updated (if applicable).
Launch an AutoFocus Search for firewall artifacts. Click the link for the log artifact. AutoFocus opens in a new browser tab, with the log artifact added as a search condition.
Click a linked artifact in the tables or charts or click any of the matching tags to launch an AutoFocus search for it.
Learn more about how to use AutoFocus Search to investigate threats on your network.