Syslog Server Support in Prisma SD-WAN

Learn more about the syslog server support in Prisma SD-WAN.
Prisma SD-WAN ION devices provide Syslog support to log and export flow and event information to Syslog servers.
Syslog is a protocol through which network devices send event messages over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) to a Syslog server. Because a wide range of devices support the protocol, you can use it to log many kinds of events. For example, device user session logins and access-denied events can be sent to a Syslog server.
A Syslog server can reside inside or outside of a branch or a data center or in the cloud. The maximum number of Syslog servers supported per ION device is 16. The ION devices use the Syslog protocol to:
  • Forward device events such as alerts and alarms to one or more remote Syslog servers.
  • Forward device authentication logs to one or more remote Syslog servers.
  • Forward flow logs to one or more remote Syslog servers.

Event Logs

Event logs are generated in response to alerts and alarms in the device. Below is a sample event log message sent to a Syslog server.
Feb 14 10:38:11 alert: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:36:49.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART" SEVERITY="minor" PROCESS_NAME="event_forward" ELEMENT_ID="15174644824510129"
Feb 14 10:38:11 alert: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:37:22.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART" SEVERITY="minor" PROCESS_NAME="scm" ELEMENT_ID="15174644824510129"

Authentication Logs

Authentication logs are generated when a user is authenticated to log in to the device. Below is a sample Auth log message sent to a Syslog server.
Feb 14 10:44:58 log: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:44:58.881Z" MSG="sshd-login keyboard-interactive/pam" SEVERITY="minor" PROCESS_NAME="sshd" FACILITY="auth" USER="elem-admin" ELEMENT_ID="15174644824510129"
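
On the receiving Syslog server, the event and authentication messages shown above can be split into fields and triaged. The following is an added example, not code from the Prisma SD-WAN documentation or product: the function names are hypothetical, and it assumes the header layout and KEY="value" fields seen in the samples, with no escaped quotes inside values.

```python
import re

# Header layout assumed from the samples on this page: "Feb 14 10:38:11 alert: "
HEADER = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<kind>\w+):\s*')
# KEY="value" pairs. No whitespace is required between pairs, so fields that
# arrive run together (..."SEVERITY="minor") are still separated correctly.
PAIR = re.compile(r'([A-Z_]+)="([^"]*)"')


def parse_ion_syslog(line):
    """Parse one ION syslog line into a dict; return None if the header is absent."""
    m = HEADER.match(line)
    if not m:
        return None
    record = {"received": m.group("ts"), "kind": m.group("kind")}
    record.update(PAIR.findall(line[m.end():]))
    return record


def summarize(lines):
    """Return (device logins, alerts still marked "Not cleared") from raw lines."""
    logins, open_alerts = [], []
    for line in lines:
        rec = parse_ion_syslog(line)
        if rec is None:
            continue  # not an ION message in the assumed layout
        host = rec.get("CLOUDGENIX_HOST")
        if rec.get("FACILITY") == "auth":
            logins.append((host, rec.get("USER"), rec.get("MSG")))
        elif rec["kind"] == "alert" and rec.get("STATUS") == "Not cleared":
            open_alerts.append((host, rec.get("CODE"), rec.get("PROCESS_NAME")))
    return logins, open_alerts


# Sample lines from this page; the first has CODE and SEVERITY run together
# to show that a missing space between fields does not break parsing.
SAMPLES = [
    'Feb 14 10:38:11 alert: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:36:49.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART"SEVERITY="minor" PROCESS_NAME="event_forward" ELEMENT_ID="15174644824510129"',
    'Feb 14 10:38:11 alert: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:37:22.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART" SEVERITY="minor" PROCESS_NAME="scm" ELEMENT_ID="15174644824510129"',
    'Feb 14 10:44:58 log: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:44:58.881Z" MSG="sshd-login keyboard-interactive/pam" SEVERITY="minor" PROCESS_NAME="sshd" FACILITY="auth" USER="elem-admin" ELEMENT_ID="15174644824510129"',
]

if __name__ == "__main__":
    logins, alerts = summarize(SAMPLES)
    print("logins:", logins)
    print("open alerts:", alerts)
```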

