topic Re: Create test syslog in General Topics

Create test syslog

treese — Wed, 23 Dec 2015 15:30:24 GMT

I want to know when our PBF rule hits by sending an email when sees the syslog. I want to test this but don't want to actually fail traffic over. There are test commands on the cli but haven't been able to find how to create a false syslog. Please let me know how to create a false syslog.

Thank you

Re: Create test syslog

Brandon_Wertz — Wed, 23 Dec 2015 20:17:37 GMT

In "Log Settings" --> "Config" you can set that to send to your syslog server. Make a configuration change which should send that to your syslog server.

Re: Create test syslog

pankaku — Wed, 23 Dec 2015 22:32:08 GMT

If you want to test if your firewall is sending the logs to the syslog or not.

Step1 Configure syslog server Device>server profile configure the syslog

Step2. Log setting. select the syslog server profile for

system>information severity or for config

Step 3 Do a commit

Now if you navigate through the firewall tabs a system log of information severity will generated and firewall should send the logs to syslog. If you have selected the syslog for config as well then you will get the syslog for any config change.

Make sure the reachablilty to syslog is there. Check the service route if reachability is not there.

Hope this helps!

Re: Create test syslog

treese — Tue, 05 Jan 2016 22:28:14 GMT

Thanks for the reply.

I'm not trying to make a "config" change show up to my syslog server. I want to get a system event regarding a PBF rule to sent the alert to my email.

Re: Create test syslog

treese — Tue, 05 Jan 2016 22:30:04 GMT

I want to know when our PBF rule hits by sending an email when sees the system log.

Re: Create test syslog

abjain — Wed, 06 Jan 2016 00:39:41 GMT

So far, Palo Alto does not have capability to selectively filter system logs or alerts. Mostly such type of alerts can be implemented in some external NMS solutions.

This needs to be a feature request. I see there are feature requests already for both functionalities, i.e. ability to filter events and option to send alert on PBF monitoring events. Kindly check with the Palo Alto SE for the roadmap.

Re: Create test syslog

treese — Wed, 06 Jan 2016 16:56:24 GMT

Thank you, this would be really helpful. I've had feature request in the past, I'll add to the list.

Re: Create test syslog

ellisr — Mon, 11 Jan 2016 20:43:25 GMT

Look into 'Swatch', its a relic but works. Send events to syslog as outlined then on your Linux host enable Swatch to parse syslog data (one or more log files) and send an alert on any keyword/event ID, etc. I use this for PAN URL, system and threat logs along with Cisco ASA log events. There are a lot of Swatch options including thresholds to suppress repeat events.

Re: Create test syslog

treese — Mon, 11 Jan 2016 20:46:22 GMT

I appreciate everyone's help. I believe where I was off was our threats send emails directly from the fw to to us. The fw will send complete syslogs but unable to parse out specific objects/strings. I'll have our solarwinds send over the specifics.

Thanks again.