Selective Log Forwarding Based on Log Attributes

To maximize the efficiency of your incident response and monitoring operations, you can now create custom log forwarding filters based on any log attributes (such as threat type or source user). Instead of forwarding all logs or all logs of specific severity levels, you can use the filters to forward just the information you want to monitor or act on. For example, a security operations analyst who investigates malware attacks might be interested only in Threat logs with the type attribute set to wildfire-virus.
  1. Configure a server profile for each external service that will receive logs from the firewall. The profiles define how the firewall connects to the services.
    For example, to configure an HTTP server profile, select Device > Server Profiles > HTTP and Add the profile.
  2. Select Objects > Log Forwarding and Add a Log Forwarding profile to define the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
    In each Log Forwarding profile, Add one or more match list profiles to specify log query filters, forwarding destinations, and automatic actions such as tagging.
    (Figure: Log Forwarding profile and its match list profiles)
    In each match list profile, select Filter > Filter Builder and Add filters based on log attributes.
    (Figure: Filter Builder)
  3. Assign the Log Forwarding profile to policy rules and network zones.
    The firewall generates and forwards logs based on traffic that matches the rules and zones. Security, Authentication, and DoS Protection rules support log forwarding. For example, to assign the profile to a Security rule, select Policies > Security, edit the rule, select Actions, and select the Log Forwarding profile you created.
  4. Select Device > Log Settings and configure the destinations for System, Configuration, User-ID, HIP Match, and Correlation logs. For each log type that the firewall will forward, Add one or more match list profiles as you did in the Log Forwarding profile.
  5. (PA-7000 Series firewalls only) Select Network > Interfaces > Ethernet and Add Interface to configure a log card interface for log forwarding.
  6. Commit your changes.
  7. Verify the log destinations you configured are receiving firewall logs:
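
As an added illustration of what the match lists built in steps 2 and 4 actually do (example code written for this page, not code from the page itself or from Palo Alto Networks), the following Python model applies Filter Builder-style expressions to a few constructed log records, forwards each match to the named destinations and applies the tagging action. Field names (type, subtype, severity, srcuser) follow PAN-OS log field naming; the destination names, the sample records, the "and binds tighter than or" rule and the supported subset of filter syntax are assumptions of the example.

```python
"""Toy model of PAN-OS Log Forwarding match lists (added illustration, not
Palo Alto Networks code). Supports a subset of the Filter Builder syntax:
"(attr eq v)", "(attr neq v)", "(severity geq|leq level)", joined by
"and"/"or". Treating "and" as binding tighter than "or" is an assumption of
this toy, not a documented PAN-OS rule."""
import re
from dataclasses import dataclass, field

TERM_RE = re.compile(r"\(\s*([a-z_-]+)\s+(eq|neq|geq|leq)\s+(\S+?)\s*\)")
TOKEN_RE = re.compile(TERM_RE.pattern + r"|\band\b|\bor\b")
# PAN-OS threat severity levels, lowest to highest.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def _tokenize(expr):
    tokens = [m.group(0) for m in TOKEN_RE.finditer(expr)]
    leftover = TOKEN_RE.sub("", expr).strip()
    if leftover:  # anything the grammar above did not consume is an error
        raise ValueError(f"unsupported filter syntax near {leftover!r}")
    return tokens


def _compare(record, attr, op, value):
    actual = record.get(attr)
    if actual is None:  # attribute absent from this log type: never matches
        return False
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    if attr != "severity":
        raise ValueError(f"{op} is only supported on severity in this toy")
    a, b = SEVERITY_RANK[actual], SEVERITY_RANK[value]
    return a >= b if op == "geq" else a <= b


def compile_filter(expr):
    """Return a predicate over a log record for a Filter Builder expression."""
    groups, current = [], []  # OR-groups of AND-terms
    for tok in _tokenize(expr):
        if tok == "or":
            groups.append(current)
            current = []
        elif tok != "and":  # a term; adjacent terms are implicitly AND-ed
            current.append(TERM_RE.fullmatch(tok).groups())
    groups.append(current)
    if any(not g for g in groups):
        raise ValueError(f"dangling operator in {expr!r}")
    return lambda rec: any(all(_compare(rec, *t) for t in g) for g in groups)


@dataclass
class MatchList:
    name: str
    log_type: str       # traffic, threat, wildfire, url, data, tunnel, auth
    filter: str         # Filter Builder expression
    destinations: list  # server profile names (HTTP, syslog, email, SNMP)
    tags: list = field(default_factory=list)  # tagging action for matches


def forward(match_lists, records):
    """Apply every match list of a Log Forwarding profile to every record.
    Returns (sent, tagged): destination -> log ids, and log id -> tags."""
    sent, tagged = {}, {}
    compiled = [(ml, compile_filter(ml.filter)) for ml in match_lists]
    for rec in records:
        for ml, pred in compiled:  # a record may match several lists
            if rec["type"] != ml.log_type or not pred(rec):
                continue
            for dest in ml.destinations:
                sent.setdefault(dest, []).append(rec["id"])
            if ml.tags:
                tagged.setdefault(rec["id"], set()).update(ml.tags)
    return sent, tagged


# Constructed sample records, not real firewall output. "type" is the log
# type; "subtype" is the threat type column of the Threat log.
SAMPLE_RECORDS = [
    {"id": 1, "type": "threat", "subtype": "wildfire-virus", "severity": "medium",
     "srcuser": "corp\\alice"},
    {"id": 2, "type": "threat", "subtype": "vulnerability", "severity": "critical",
     "srcuser": "corp\\bob"},
    {"id": 3, "type": "threat", "subtype": "url", "severity": "high",
     "srcuser": "corp\\carol"},
    {"id": 4, "type": "traffic", "subtype": "end", "severity": "informational",
     "srcuser": "corp\\alice"},
    {"id": 5, "type": "threat", "subtype": "wildfire-virus", "severity": "high",
     "srcuser": "corp\\dave"},
]

# Hypothetical profile; "http-siem" and "syslog-soar" are invented names.
SOC_PROFILE = [
    # The page's example: only WildFire-detected malware goes to the SIEM,
    # and the match is tagged so an automated action can pick up the host.
    MatchList("wildfire-malware", "threat", "(subtype eq wildfire-virus)",
              ["http-siem"], tags=["wf-malware-host"]),
    # High/critical threats that are not URL Filtering hits go to the SOAR.
    MatchList("high-sev", "threat", "(severity geq high) and (subtype neq url)",
              ["syslog-soar"]),
]


def demo():
    return forward(SOC_PROFILE, SAMPLE_RECORDS)


if __name__ == "__main__":
    sent, tagged = demo()
    for dest, ids in sent.items():
        print(f"{dest}: logs {ids}")
    print("tagged:", tagged)
```

Running the script sends logs 1 and 5 (the wildfire-virus hits) to http-siem and logs 2 and 5 to syslog-soar; log 3 is dropped by the (subtype neq url) clause and the Traffic log never reaches a Threat match list at all. That subset, rather than every Threat log, is what the destinations configured in step 7 should be receiving, and it is worth checking the filter against a known-good sample of each log type before committing, because a filter that references an attribute the log type does not carry simply matches nothing.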
