<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Sending user logins via Syslog in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20119#M14641</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I appreciate the attempt, but that's a pretty vague answer. I already have syslog configured correctly and am capturing logs. My question was pertaining to whether there was something I was missing. I don't see anything for "user logins" on my syslog appliance.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 19 Sep 2012 16:57:26 GMT</pubDate>
    <dc:creator>eharvey</dc:creator>
    <dc:date>2012-09-19T16:57:26Z</dc:date>
    <item>
      <title>Sending user logins via Syslog</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20117#M14639</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have not found a way to send user logins to an external syslog server. I have traffic allows/denies coming through successfully, and "misc. system events." Is there a custom configuration that needs to be done to get user login date/time? We need this for compliance.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Eric H.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Sep 2012 14:18:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20117#M14639</guid>
      <dc:creator>eharvey</dc:creator>
      <dc:date>2012-09-19T14:18:21Z</dc:date>
    </item>
    <item>
      <title>Re: Sending user logins via Syslog</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20118#M14640</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Objects -&amp;gt; Logging Profiles -&amp;gt; SNMP Traps/Syslog &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Apply new profile to the rules you wish and also in Device-&amp;gt;Log Settings-&amp;gt;System&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Works great here.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Sep 2012 14:26:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20118#M14640</guid>
      <dc:creator>essnet</dc:creator>
      <dc:date>2012-09-19T14:26:46Z</dc:date>
    </item>
    <item>
      <title>Re: Sending user logins via Syslog</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20119#M14641</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I appreciate the attempt, but that's a pretty vague answer. I already have syslog configured correctly and am capturing logs. My question was pertaining to whether there was something I was missing. I don't see anything for "user logins" on my syslog appliance.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Sep 2012 16:57:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20119#M14641</guid>
      <dc:creator>eharvey</dc:creator>
      <dc:date>2012-09-19T16:57:26Z</dc:date>
    </item>
    <item>
      <title>Re: Sending user logins via Syslog</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20120#M14642</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Eric,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;System logs on the PAN will have the login information of the users. So you can forward the system logs to the Syslog server. You can forward system logs to the server like below. System logs will have all kinds of information related to the device, so if you do not want all the info and need just the login information in the syslogs, try just forwarding informational system logs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG __jive_id="4097" alt="dCapture.PNG" class="jive-image-thumbnail jive-image" height="268" src="https://live.paloaltonetworks.com/legacyfs/online/4097_dCapture.PNG" style="height: 268px; width: 1608px;" width="1608" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Sep 2012 17:47:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20120#M14642</guid>
      <dc:creator>sdurga</dc:creator>
      <dc:date>2012-09-19T17:47:53Z</dc:date>
    </item>
    <item>
      <title>Re: Sending user logins via Syslog</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20121#M14643</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&lt;BR /&gt;Thank you. I thought the 'Panorama' option was only used for a separate piece of hardware provided by Palo Alto. Maybe I do not have the correct information.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Sep 2012 17:58:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20121#M14643</guid>
      <dc:creator>eharvey</dc:creator>
      <dc:date>2012-09-19T17:58:21Z</dc:date>
    </item>
    <item>
      <title>Re: Sending user logins via Syslog</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20122#M14644</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think there is some confusion here. In the above pic, the "panorama" option is enabled to send logs to Panorama, but if you scroll to the right-hand corner you will see an option for syslog. In the picture you can see "pc" under syslog. "pc" is my syslog server profile. So I am forwarding my PAN system logs to the syslog server that is configured in the syslog server profile named "pc". So I am forwarding severities of low, medium and high to the syslog server and not forwarding informational to the syslog server. You need to forward informational also, as you need login information in the syslog server.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Sep 2012 18:24:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/sending-user-logins-via-syslog/m-p/20122#M14644</guid>
      <dc:creator>sdurga</dc:creator>
      <dc:date>2012-09-19T18:24:47Z</dc:date>
    </item>
  </channel>
</rss>

