Configure Prisma SaaS Syslog Monitoring

Use these steps to configure a syslog server profile on Prisma SaaS.
Prisma SaaS supports the following log types:
  • Incidents log
  • Policy Violation log
  • Remediation log
  • Activity Monitoring log
  • Admin Audit log
  1. Select Settings > External Service.
  2. Click Add a Syslog Receiver to create a Syslog server profile.
    You can add only one external service: either forward logs to a syslog receiver or Add Your API Client App to Prisma SaaS.
  3. Enter a Name for the profile.
  4. Add the information Prisma SaaS requires to connect to the syslog server:
    • Name: Unique name for the server profile.
    • Server IP: IP address or fully qualified domain name (FQDN) of the syslog server.
    • Port: The port number on which you send syslog messages. You must use the same port number for Prisma SaaS and the syslog server.
    • Facility: Select a syslog standard value (for example, LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. The PRI part of the syslog message represents the Facility and Severity of the message. Select the value that maps to how you use the PRI field to manage your syslog messages. Values can be LOG_USER or LOG_LOCAL0 through LOG_LOCAL7. There is no default.
    • Message format: Select the syslog message format to use: BSD (the default) or IETF. Traditionally, IETF format is used over TCP or SSL.
  5. Save your changes.
  6. On the Syslog server, make sure the TLS options in the syslog configuration file are set to:
    peer-verify (optional-untrusted)
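
To confirm on the receiver that incoming messages carry the Facility and Message format selected in the profile, the PRI field can be decoded as facility * 8 + severity and the header checked against the BSD and IETF layouts. The following is an added example, not Palo Alto Networks code; the function names and sample lines are constructed for illustration and do not reproduce real Prisma SaaS output.

```python
import re

# Standard syslog facility codes for the values the profile offers.
FACILITIES = {"LOG_USER": 1, **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# IETF (RFC 5424): VERSION "1" and a space follow the PRI directly.
IETF_RE = re.compile(r"^1 \S+ ")
# BSD (RFC 3164): header starts with a "Mmm dd hh:mm:ss" timestamp.
BSD_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")

def decode(line):
    """Split a syslog line into facility code, severity name and format."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field")
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is 23 * 8 + 7
        raise ValueError(f"PRI {pri} out of range")
    rest = m.group(2)
    fmt = "IETF" if IETF_RE.match(rest) else "BSD" if BSD_RE.match(rest) else "unknown"
    return {"facility": pri >> 3, "severity": SEVERITIES[pri & 7], "format": fmt}

def check(line, facility_name, message_format):
    """Return a list of mismatches against the configured profile values."""
    try:
        d = decode(line)
    except ValueError as e:
        return [str(e)]
    problems = []
    if d["facility"] != FACILITIES[facility_name]:
        problems.append(f"facility {d['facility']} != {facility_name}")
    if d["format"] != message_format:
        problems.append(f"format {d['format']} != {message_format}")
    return problems

# Constructed sample lines (hypothetical host and app names).
SAMPLES = [
    "<134>Oct  3 14:02:11 gw01 app: constructed BSD sample",       # local0.info
    "<134>1 2024-10-03T14:02:11Z gw01 app - - - constructed IETF sample",
    "<14>Oct  3 14:02:11 gw01 app: constructed user.info sample",  # user.info
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check(s, "LOG_LOCAL0", "BSD") or "ok", "|", s)
```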
