topic syslog forwarding in General Topics

syslog forwarding

jdprovine — Tue, 02 Jun 2015 18:45:21 GMT

I have everything configured to send syslog information from the palo alto to one of our syslog server. My issue is that none of the security policy IP ranges allows me to send the syslog information for a specific IP address that is going out to the internet at least that I can find. Any ideas would be appreciated

Re: syslog forwarding

pulukas — Wed, 03 Jun 2015 00:28:29 GMT

I'm not sure I understand the question.

syslog traffic will source from your mgmt interface and ip address.

Is your syslog server out the internet side of your Palo Alto then?

You would need a policy that permits your mgmt address out to untrust and probably a nat policy to the interface address for the traffic as well.

Re: syslog forwarding

Satish — Wed, 03 Jun 2015 07:30:06 GMT

Hi Jprovine,

I am agree with Mr. Steven, please the check the service route for syslog and check the traffic logs. traffic is allowing or blocking by firewall.

Regards

Satish

Re: syslog forwarding

jdprovine — Wed, 03 Jun 2015 12:34:01 GMT

what I am saying is that I had no problem configuring syslog to a Linux server I have. The issue is that I want to track a specific IP address, so I want to collect the traffic from and internal IP address to the internet and I want to know if there is a way to be that granular. I have created my syslog forwarder and now I am going through the security policies and adding it as an action to forward the logs to my syslog server but I am getting a lot more information than I want. Instead of a rand of 136.155.x.0-136.155.x.254 I only want the information coming from 136.155.0.64 to the internet to captured and forwarded to the syslog server.

Re: syslog forwarding

Satish — Wed, 03 Jun 2015 16:59:16 GMT

Hi Jprovine,

As my understand, you need to create custom report as per your requirement but i am sure about it. it will work or not.

Regards

Satish

Re: syslog forwarding

jdprovine — Wed, 03 Jun 2015 18:13:16 GMT

No I am forwarding from the PA logs to an external log server

Re: syslog forwarding

Harshit — Wed, 03 Jun 2015 18:35:27 GMT

My 2 cents and i am pretty sure you would have done it, but to make sure:

please have a standalone syslog server, create a security policy that specifically works on the interested ip address and then forward it to syslog server.

with that you should only see the traffic generated by that particular ip.

Regards,

~Harry

Re: syslog forwarding

jdprovine — Wed, 03 Jun 2015 18:47:27 GMT

Hi Harry

Yes I had been thinking that very thing

I have a security policy that has that IP and a wide range of IP's in it, I was considering creating a security policy with that specific IP address I want to monitor and put it above the current one. What I don't know it what that will do to my traffic, will it just say that the rules are shadowing each other or will it interrupt traffic or anything else negative?

Re: syslog forwarding

Harshit — Wed, 03 Jun 2015 19:27:55 GMT

Hi,

thanks, if you put that above the rest of the traffic, it should not affect anything else, palo would simply see it as another acl,

you may,get a warning when commiting that the rules are shadowing, but it's fair to live with,

if your bottom rules have a broader ip range, like a subnet , and the above rule has just an ip, it should not show that warning.too.

let me know how it goes.

Regards,

~Harry

Re: syslog forwarding

jdprovine — Wed, 03 Jun 2015 19:32:55 GMT

Have you ever know of anyone to try to be this granular in the collection of logs?

Re: syslog forwarding

pulukas — Sat, 06 Jun 2015 13:11:29 GMT

Typically we gather all the syslog data to the syslog server then use that server's reporting feature to pull out the information on the specific ip address across all systems that are logging, rather than only log for one ip address in traffic.

Re: syslog forwarding

jdprovine — Mon, 08 Jun 2015 12:47:36 GMT

This is how my management has requested it be done so and how the our PA rep send it could be done so we are trying it

Re: syslog forwarding

pulukas — Mon, 08 Jun 2015 22:26:28 GMT

jprovine wrote:

Yes I had been thinking that very thing

You will need to be careful about shadowing rules with this approach. And you are correct that to only syslog for these particular addresses you will need to isolate them to their own rules. then the log portion of the rule will contain your syslog server but none of your other rules will contain this log forwarding profile.

If you create the rule too broadly you can give this user or segment more access than they should have so be careful with the rule construction.

the safest approach would be to clone every rule this address may match and make the first of the two rules only have this ip address as the source or destination with the rest of the rule the same.

Re: syslog forwarding

jdprovine — Tue, 09 Jun 2015 12:54:11 GMT

I configured it and got it working with no shadowing and without compromising security

Re: syslog forwarding

pulukas — Tue, 09 Jun 2015 21:22:05 GMT

Glad to hear you have it all worked out.