https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/114156#M45289 <P>Is it possible to send flood event to syslog server now, 4 years later?:)</P><P>&nbsp;</P> Mon, 19 Sep 2016 12:25:01 GMT santonic 2016-09-19T12:25:01Z https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/28507#M20831 <HTML><HEAD></HEAD><BODY><P>Problem description :</P><P>Flood log triggered by DoS Protection could not be sent to syslog server.</P><P></P><P>paloalto deploy: v-wire mode</P><P>PANOS : v4.1.8</P><P></P><P>Settings in paloalto :</P><P>1. Device -&gt; Server Profiles -&gt; Syslog -&gt; Add a syslog server with port 514 and LOG_USER facility.</P><P>2. Objects -&gt; Log Forwarding -&gt; Add a syslog forwarding profile, all severity(Informational, Low, Medium, High and Critical) under threat settings are set syslog profile.</P><P>3. Objects -&gt; DoS Protection -&gt; Add a flood , type 'classified', enable SYN Flood, UDP Flood, ICMP Flood, and Other IP Flood, those alarm rate and active rate is 10 packets/sec.</P><P>4. From trust to untrust zone and untrust to trust zone security policy, apply default antivirus profile and log forward to syslog server.</P><P>5. Add a DoS Protection policy, from trust to untrust zone, set protect action, and Classified enabled, choose flood profile set in step3, Address choose 'source-ip-only'.</P><P>6 commit all settings.</P><P></P><P>Testing :</P><P>1. A client in trust zone, access eicar virus test file, the eicar test file deny log could be viewed in paloalto Monitor -&gt; Logs -&gt; Threat and in syslog server.</P><P>2. A client in trust zone, use 'hping' tool to generate tcp flood, the tcp flood log could be viewed in paloalto&nbsp; Monitor -&gt; Logs -&gt; Threat, but syslog is nothing.</P><P></P><P>Could flood log triggered by DoS Protection not be sent to syslog server?</P><P></P><P>The attachment is pa-500 configuration and monitor screenshot.</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 26 Nov 2012 10:22:48 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/28507#M20831 marcowang 2012-11-26T10:22:48Z https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/114156#M45289 <P>Is it possible to send flood event to syslog server now, 4 years later?:)</P><P>&nbsp;</P> Mon, 19 Sep 2016 12:25:01 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/114156#M45289 santonic 2016-09-19T12:25:01Z https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/114500#M45329 <P>So nobody managed to send 'flood' event to syslog?</P> Tue, 20 Sep 2016 09:23:01 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/114500#M45329 santonic 2016-09-20T09:23:01Z https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/364741#M88497 <P>set your zone logging profile to enable logging for Zone Protection events to syslog (or other log forwarding methods)</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHICA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHICA0</A></P> Sun, 22 Nov 2020 00:32:11 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-log-triggered-by-dos-protection-could-not-be-sent-to/m-p/364741#M88497 epartington 2020-11-22T00:32:11Z