topic Re: Syslog - LFP options in General Topics

Syslog - LFP options

Jimmy20 — Mon, 14 Sep 2020 12:16:18 GMT

Hi Guys

We have PA with version 9.0.4 and have to configure Syslog server log forwarding on the same. Created (syslog) server profile..Now creating "Log Forwarding Profile" there are options "forward method" and "built-in-action" available there. which is not giving so much clarity what need to be configure there, Referred few articles available on Internet but no-one giving much clarity for the configuration side.

Requesting suggestion for further configuration.

Re: Syslog - LFP options

S.Cantwell — Mon, 14 Sep 2020 12:54:59 GMT

Good Day

You will be using the forward portion of the Log Forwarding Profile.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-forwarding.html

Essentially

Create the profile.

Add in what notifications you want (Threat logs... ok... ALL logs?... log geq medium? ok.)

Where do you want these log messages to be fwd to? SNMP, email, syslog, Panorama. ok... good

Next, modify your security policy and apply the log forward profile to whatever rules you want to be, well, log forwarded to.

Let me know how else I can assist.

Re: Syslog - LFP options

Jimmy20 — Mon, 14 Sep 2020 13:22:52 GMT

Hi Steve,

What if we configure, as found some more ways probably (except Log Forwarding Profile)

1- Configure Syslog Server Profile

2- Device - Log Setting - System -> call Syslog Server created in profile -> Filter logs as per levels Critial , High, informational, Low, Medium.

Once configure, commit.

Is'nt also the correct way ..?

Re: Syslog - LFP options

S.Cantwell — Mon, 14 Sep 2020 13:44:19 GMT

Well, that will work only if there are SYSTEM logs that match the various levels.

But if a CRITICAL malware or vulnerability came through the FW, this would NOT show up as a SYSTEM log message, and would not be forwarded.

If the concern is about SYSTEM logs.. that is fine.. but you are missing out on 99% of the threat notifications on the FW.

Is this what you are intending?

Re: Syslog - LFP options

Jimmy20 — Mon, 14 Sep 2020 13:50:06 GMT

Hi Steve,

Thanks for Quick and instant responses.

Well, We need to check with client what they are actually intending. if they are OK with system logs then we are almost done as you rightly said with "Log setting" options.

But if they want Threat and other related logs to be available on Syslog then have to go for "LFP" option.

One more point at this moment : Where do we get option to set log levels (Critial , High, informational, Low, Medium) under Log Forwarding profile option. I can't find these anywhere there...

Re: Syslog - LFP options

S.Cantwell — Mon, 14 Sep 2020 14:27:09 GMT

here is a quick screen capture

I hit the dropdown arrow, and the choices are there.