https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/252125#M71684 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/17058">@fmurray</a>&nbsp;, FYI.</P><P>&nbsp;</P><P>I have just about everything going to syslog, including Global Protect.&nbsp; this is our corp policy and to do with legal stuff.</P><P>&nbsp;</P><P>we have logrotate&nbsp; that zips files up and deletes them after a required ammount of time.</P><P>the information is quite overwhelming but with various scripts you can pull out the information you require.</P><P>&nbsp;</P><P>very rarely use it for traffic reports but every month reports are run for GlobalProtect activity.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 04 Mar 2019 12:30:40 GMT Mick_Ball 2019-03-04T12:30:40Z https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/251965#M71644 <P>Currently we forward nearly all of the firewall's logs to our syslog server, but the amount of irrelevant&nbsp;minutiae is over-whelming the syslog server.</P><P>&nbsp;</P><P>Is there a best-practice for what information should be forwarded to syslog?&nbsp; I don't want to miss anything important but I ready want to eliminate the un-important.</P><P>&nbsp;</P><P>Thanks</P> Fri, 01 Mar 2019 19:49:39 GMT https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/251965#M71644 fmurray 2019-03-01T19:49:39Z https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/251975#M71645 <P>Hello,</P><P>Honestly that is a 'it depends' answer as every one has a different set of requirements and thing sthey alert on. We also send everything to our SIEM but so that it can be correlated with other logs and events. While some traffic may look beging, it could actually be malicious.</P><P>&nbsp;</P><P>I know its not a great answer, but we scalled out SIEM to handel everything at only 60% capacity.</P><P>&nbsp;</P><P>Regards,</P> Fri, 01 Mar 2019 20:29:44 GMT https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/251975#M71645 OtakarKlier 2019-03-01T20:29:44Z https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/252037#M71662 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/17058">@fmurray</a>,</P><P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; mentioned this isn't something you could really make a best-practice on, as nobody has the same requirements. Personally, I like having all of the logs we can get into the SIEM and find it cheaper to just upgrade the device to function under the required load.</P><P>However, if your SIEM isn't able to handle that load you'll need to actually go through and determine the most important logs for your organization&nbsp;that you want to forward to your SIEM. That could mean that you only forward traffic for external access rules, or maybe access to your server infrastructure. That all depends on what your organizational needs are. &nbsp;</P> Sat, 02 Mar 2019 20:53:38 GMT https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/252037#M71662 BPry 2019-03-02T20:53:38Z https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/252125#M71684 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/17058">@fmurray</a>&nbsp;, FYI.</P><P>&nbsp;</P><P>I have just about everything going to syslog, including Global Protect.&nbsp; this is our corp policy and to do with legal stuff.</P><P>&nbsp;</P><P>we have logrotate&nbsp; that zips files up and deletes them after a required ammount of time.</P><P>the information is quite overwhelming but with various scripts you can pull out the information you require.</P><P>&nbsp;</P><P>very rarely use it for traffic reports but every month reports are run for GlobalProtect activity.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 04 Mar 2019 12:30:40 GMT https://live.paloaltonetworks.com/t5/general-topics/fowarding-to-syslog-best-practice/m-p/252125#M71684 Mick_Ball 2019-03-04T12:30:40Z