topic Re: PA syslogs and change logs in General Topics

PA syslogs and change logs

jdprovine — Wed, 28 Oct 2015 14:15:15 GMT

Is it possible to send the syslogs for only the system changes from the pa to solarwinds? How to you configure the PA to send the change logs to solarwinds?

Re: PA syslogs and change logs

rmonvon — Thu, 29 Oct 2015 19:06:05 GMT

Hi...Yes, you can forward config logs from the PA to any syslog server including SolarWinds.

Re: PA syslogs and change logs

jdprovine — Thu, 29 Oct 2015 20:23:32 GMT

I only want to send system and config changes to the solarwinds server is that done through snmp traps only and how is that configured?

Re: PA syslogs and change logs

Brandon_Wertz — Thu, 29 Oct 2015 21:02:53 GMT

In "Device" --> "Log Settings" --> "System" and "Config" just use a configured Syslog profile to send have the desired logs sent to the configured syslog profile

--Edit--

The same can be said for SNMP.

Re: PA syslogs and change logs

jdprovine — Fri, 30 Oct 2015 12:36:46 GMT

So what works better system and config sent by syslog or by snmp traps?

Re: PA syslogs and change logs

Brandon_Wertz — Fri, 30 Oct 2015 14:47:06 GMT

I don't think there's a "better," more to do with which you can use...I played with the idea of using SNMP for "important" stuff and syslog for general logs, but in the end I just went with syslog.

Re: PA syslogs and change logs

jdprovine — Fri, 30 Oct 2015 18:18:39 GMT

Well the thing is I don't think they can handle or want to deal with threat logs on solarwinds

Re: PA syslogs and change logs

jdprovine — Tue, 03 Nov 2015 15:34:57 GMT

I don't see where you can choose to only send config and system logs using syslog server

Re: PA syslogs and change logs

OtakarKlier — Tue, 03 Nov 2015 17:51:33 GMT

That piece is under the log settings. Device-> Log Settings ->System.

Re: PA syslogs and change logs

jdprovine — Wed, 04 Nov 2015 13:41:09 GMT

Yes I found that so it that better than using the syslogs? Can you narrow down the syslogs and only send config and system logs no threat logs. I already have snmp traps configured and added to the location you are recommending and its not giving us what we need on solarwinds

Re: PA syslogs and change logs

OtakarKlier — Wed, 04 Nov 2015 23:51:23 GMT

Hello,

Yes this is possible as the threat logs are set in a different locations. So you can have only Config and System logs sent to your SIEM or logg collector and the threat and traffic stay on the PAN or Panorama.

Regards,

Re: PA syslogs and change logs

jdprovine — Thu, 05 Nov 2015 13:54:35 GMT

How do you do it?

Re: PA syslogs and change logs

OtakarKlier — Thu, 05 Nov 2015 14:29:52 GMT

Hello,

I'm going to guess at what you are asking:

You will first need to setup a syslog profile Device -> Server Profile -> Syslog

System logs are configured under Device ->Log Settings -> System

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-System-Logs-to-Syslog-Server/ta-p/61804

Config logs are configured under Device ->Log Settings -> Config

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-Config-Logs-to-Syslog-Server/ta-p/52099

Thats is if that is all you wish to send outside of the PAN.

To export Threat and Traffic logs:

Setup a log forwarder: Objects -> Log Forwarding

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-Threat-Logs-to-Syslog-Server/ta-p/59980

To have policies that are triggered to be sent exteranlly:

Within each policy: Policy -> Security -> 'Edit the Policy' -> Actions -> Log forwarding 'Select the Log forwarder you already setup'

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-Traffic-Logs-to-Syslog-Server/ta-p/62154

Hope this helps.

Re: PA syslogs and change logs

jdprovine — Thu, 05 Nov 2015 22:14:04 GMT

Yes but I don't want to send the threat logs to the solarwinds server. I don't see where this is being excluded

Re: PA syslogs and change logs

OtakarKlier — Mon, 09 Nov 2015 18:49:20 GMT

It doesnt have to be excluded. If you dont setup the traffic logs to forward, they will not send to the SIEM.

Re: PA syslogs and change logs

jdprovine — Mon, 09 Nov 2015 20:46:41 GMT

So are you saying if I set up a syslog server for solarwinds and go to device\logging setting\config and add it there it will only send config changes and system logs to the solarwinds server? I have snmp traps on that location too but it can probably be replaced with the syslog server

Re: PA syslogs and change logs

OtakarKlier — Mon, 09 Nov 2015 20:55:21 GMT

That just sets up the PAN to send config changes, you would also need to go to Device->LogSettings->System and configure which type of system logs you would like to send.

Neither of the above settings are for the traffic or threat logs.

Re: PA syslogs and change logs

jdprovine — Mon, 09 Nov 2015 21:23:51 GMT

By type you mean informationanl critical, high etc

Re: PA syslogs and change logs

OtakarKlier — Mon, 09 Nov 2015 22:13:54 GMT

For the system logs, correct. Config logs is all or none. Makes sense that way, to me at least.

Re: PA syslogs and change logs

jdprovine — Tue, 10 Nov 2015 13:47:18 GMT

Right now I have snmp traps enabled by going to device\server profiles\snmp traps. I went to device\log settings\system and configured snmp traps for the high and critca alerts then I added the snmp trap profile to device\log settings\config

My other option is to go to the device\server profiles\syslog and create a syslog server profile and then add it to to device\log settings\config. In this option I don't see a way to pick and choose what information goes to the solarwinds server. It looks like to me that all the traffic, threat logs everything goes to the solar wind server.

To me it looks like the syslogs server sends far more informaiton than the snmp traps does but it also sends much more than system and configuration changes.