<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How custom forward logs to syslog server in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/how-custom-forward-logs-to-syslog-server/m-p/72697#M41161</link>
    <description>&lt;P&gt;Under the log-forwarding profile you can change the severity.&lt;/P&gt;</description>
    <pubDate>Thu, 11 Feb 2016 16:34:25 GMT</pubDate>
    <dc:creator>pankaku</dc:creator>
    <dc:date>2016-02-11T16:34:25Z</dc:date>
    <item>
      <title>How custom forward logs to syslog server</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-custom-forward-logs-to-syslog-server/m-p/72695#M41159</link>
      <description>&lt;P&gt;We are sending all logs from Palo to SIEM. How can we prevent those of low or no value to us (e.g. Allow_TCP_End) from being sent to the syslog server? The server fills up quickly and there's a large amount of logs that provide no insight during analysis; we would like to NOT forward such logs. In other words, how do we pick and choose which event logs to send to the syslog server? Thank you.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Feb 2016 16:27:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-custom-forward-logs-to-syslog-server/m-p/72695#M41159</guid>
      <dc:creator>Arezoo</dc:creator>
      <dc:date>2016-02-11T16:27:11Z</dc:date>
    </item>
    <item>
      <title>Re: How custom forward logs to syslog server</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-custom-forward-logs-to-syslog-server/m-p/72697#M41161</link>
      <description>&lt;P&gt;Under the log-forwarding profile you can change the severity.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Feb 2016 16:34:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-custom-forward-logs-to-syslog-server/m-p/72697#M41161</guid>
      <dc:creator>pankaku</dc:creator>
      <dc:date>2016-02-11T16:34:25Z</dc:date>
    </item>
    <item>
      <title>Re: How custom forward logs to syslog server</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-custom-forward-logs-to-syslog-server/m-p/72740#M41174</link>
      <description>&lt;P&gt;If you do not wish to log allowed sessions you can remove log forwarding from the rules that allow traffic.&lt;/P&gt;
&lt;P&gt;If you only wish to log detected viruses in allowed traffic, for example, you can create a log forwarding profile with no log forwarding under the Traffic settings and log forwarding enabled under the Threat settings.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Unfortunately we are quite limited when it comes to forwarding of system logs. Under &lt;STRONG&gt;Device &amp;gt; Log settings&lt;/STRONG&gt; you can only select the severity of the system logs that will be forwarded. Unfortunately you cannot change severity of a certain event (for example failed admin logon). The result of this is that you cannot tune which events you wish to forward and which you don't and you will always end up forwarding too many or too few events.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;One possibility is to set up a syslog relay server where you filter syslog which is forwarded to SIEM.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;LPM&lt;/P&gt;</description>
      <pubDate>Fri, 12 Feb 2016 07:06:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-custom-forward-logs-to-syslog-server/m-p/72740#M41174</guid>
      <dc:creator>mvidic</dc:creator>
      <dc:date>2016-02-12T07:06:20Z</dc:date>
    </item>
  </channel>
</rss>

