topic Re: Syslog Issue. in General Topics

Syslog Issue.

fmd — Thu, 22 Sep 2011 15:19:56 GMT

Hi - I may have not understood how this is achieved - so apologies before I start!

I'm trying to forward logs for traffic and threat to syslog We have 2x 4050s and Panorama - all policy rules are added via panorama.

I've created a "log forwarding profile" in Panorama that says - forward all traffic and threats to panorama. This is then added to each rule on Panorma. Both the log forwarding profile and the addition to the individual rules are pushed to both the firewalls fine and I get logs on the Panorama.

However, I now want to set the traffic logs to forward to syslog as well. I go into Panorama and under the Panorama tab--->Server profiles-----> syslog. I've created a syslog entry for my server. Still on Panorama I now go back to the "log forwardinng profile" I've already created and used and try and choose the syslog server I just created - it doesn't show on the drop down list.

NB - if I go onto the FW itself I can create a syslog server and then a log forwarding profile and choose the syslog server fine. I guess I could apply that to local rules for a full test - but I don't have any local rules only rule generated from Panorama (and of course the rules generated from Panorama can't be changed locally).

Am I missing something?

Thanks

Re: Syslog Issue.

jleung — Thu, 22 Sep 2011 16:13:59 GMT

Hi,

If you want to forward your log to syslog servers as well you need to forward it from the PA box. Panorama cannot forward the log to syslog server.

Jones

Re: Syslog Issue.

fmd — Fri, 23 Sep 2011 11:46:28 GMT

Thanks for your reply. I can forward system and config logs fine from the PA boxes (both syslog and forward to panorama). What I can't do is syslog traffic rules (ie rule logging). I can't do this from the PA box itself and the rules were created on Panorama (so are not editable on the PA box). I can't see a way of doinng it - but it must be possible - rules created on Panorama - having them log to syslog. Please help!!

Re: Syslog Issue.

mschuricht — Fri, 23 Sep 2011 15:43:20 GMT

The log forwarding and syslog profiles will need to be created in Panorama and then referenced in the Panorama pre/post-rule. This way all elements of the forwarding mechanism are managed inside Panorama.

In 4.0 you are able to reference the Panorama pushed log forwarding profile in a local device rule if needed. This way any change to the Panorama forwarding profile affects both shared pre/post-rules as well as the device rule.

Re: Syslog Issue.

fmd — Fri, 23 Sep 2011 16:14:48 GMT

Hi - thanks for your response. I understand what you're saying and it's what I have done. I've created the "log forwarder" and "syslog server" profiles in Panorama. However, the syslog server I've created in panorama doesn't display in the drop down list in the log forwarder I've created in Panorama. I can only use the syslog server I've created on Panorama for use in the "config" and "system" log settings - NOT the "log forwarder" - it just doesn't show up. I assume it's a bug?

Re: Syslog Issue.

MashRotor — Fri, 23 Sep 2011 18:57:41 GMT

It is a bug.

Once you've got the profile for the syslog server entered, do this from the CLI:

set panorama log-settings system critical send-syslog using-syslog-setting SYSLOG-PROFILE-NAME-GOES-HERE
set panorama log-settings system high send-syslog using-syslog-setting SYSLOG-PROFILE-NAME-GOES-HERE
set panorama log-settings system medium send-syslog using-syslog-setting SYSLOG-PROFILE-NAME-GOES-HERE
set panorama log-settings system low send-syslog using-syslog-setting SYSLOG-PROFILE-NAME-GOES-HERE
set panorama log-settings system informational send-syslog using-syslog-setting SYSLOG-PROFILE-NAME-GOES-HERE

Re: Syslog Issue.

mschuricht — Fri, 23 Sep 2011 19:57:28 GMT

I was not able to reproduce the problem.

What Panorama version are you running?

Re: Syslog Issue.

MashRotor — Fri, 23 Sep 2011 20:08:00 GMT

I think you need to reply to farrel.doherty.

I had the same problem with 4.0.3 which was confirmed by an onsite Palo Alto tech at the time.

The solution was to plug in the syslog target via the CLI.

Re: Syslog Issue.

fmd — Wed, 28 Sep 2011 10:17:34 GMT

Thanks for all your replies! I'll try the CLI option today. We're currently running version 4.0.5 on both Panorama and the 4050s.

Re: Syslog Issue.

fmd — Wed, 28 Sep 2011 15:30:52 GMT

Hi mstingley! Just realised that the CLI options you give aren't quite what I'm looking for. In 4.0.5 I can achieve what you needed to do in the CLI at 4.0.3. My issue is when editing the "Log Forwarding Profile" I can't reference the "syslog server profile" I've created. I can't see a way of doing this via the CLI either!

Anymore advice anyone?

Re: Syslog Issue.

fmd — Wed, 28 Sep 2011 15:53:23 GMT

Thanks for all your replies. I've now worked out what the issue is. When creating the "syslog server profile" in Panorama - I had the location set as Panorama (not Shared). I assumed this would allow me to use the the profile on the policy rules as they were created in Panorama. it doesn't - I've re-created the syslog server and set it to Shared and I now see it referenced in the drop down list in the Log Forward Profile.

Re: Syslog Issue.

mschuricht — Wed, 28 Sep 2011 16:12:51 GMT

If you create an object with "Location = Panorama" it means the object should not be pushed to any Managed Device and to keep the object for use on Panorama only. Eg. Auth Profile for Panorama auth you do not want available for viewing or using on a Device.