>
    Strata Copilot
    Syslog Server Support in Prisma SD-WAN
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN Administrator’s Guide
    4. Prisma SD-WAN Sites and Devices
    5. Use External Services for Monitoring
    6. Syslog Server Support in Prisma SD-WAN
    Download PDF
    Prisma SD-WAN

    Syslog Server Support in Prisma SD-WAN

    Table of Contents

    Syslog Server Support in Prisma SD-WAN

    Prisma SD-WAN Syslog is a protocol through which network devices send event messages over User Datagram Protocol (UDP) /Transmission Control Protocol (TCP) to a Syslog server.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    Prisma SD-WAN ION devices provide Syslog support to log and export flow and event information to Syslog servers.
    Syslog is a protocol through which network devices send event messages over User Datagram Protocol (UDP) /Transmission Control Protocol (TCP) to a Syslog server. As a wide range of devices support the protocol, you may use it to log different events. For example, device user session logins or access-denied events are some of the events you may send to a Syslog server.
    A Syslog server can reside inside or outside of a branch or a data center or in the cloud. The maximum number of Syslog servers supported per ION device is 16. The ION devices use the Syslog protocol to:
    • Forward device events such as alerts and alarms to a remote Syslog server(s).
    • Forward device Authentication logs to a remote Syslog server(s).
    • Forward flow logs to a remote Syslog server(s).

    Event Logs

    Event logs are generated in response to alerts and alarms in the device. Below is a sample event log message sent to a Syslog server.
    Feb 14 10:38:11 172.20.75.186 alert: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:36:49.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART"SEVERITY="informational" PROCESS_NAME="event_forward" ELEMENT_ID="15174644824510129"Feb 14 10:38:11 172.20.75.186 alert: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:37:22.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART"SEVERITY="informational" PROCESS_NAME="scm" ELEMENT_ID="15174644824510129"

    Authentication Logs

    Authentication logs are generated when a user is authenticated to login to the device. Below is a sample Auth log message sent to a Syslog server.
    Feb 14 10:44:58 172.20.75.186 log: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:44:58.881Z" MSG="sshd-login keyboard-interactive/pam" SEVERITY="informational"PROCESS_NAME="sshd" FACILITY="auth" USER="elem-admin" ELEMENT_ID="15174644824510129"
    While configuring Syslog export on the device, you can filter using severity levels for logs/events to export to the Syslog server. You may configure severity levels as Informational, Warning, or Critical. The default severity level is Informational.
    When you set a severity level for a device, logs and events for the selected severity level and higher are exported to the Syslog server. For example, if the chosen severity level is Critical, then all warnings and critical events and logs will be forwarded to the Syslog server.

    Related CLIs

    © 2026 Palo Alto Networks, Inc. All rights reserved.