How to Forward Threat Logs to Syslog Server

by ppatel on ‎09-26-2012 12:48 AM - edited on ‎06-12-2018 12:47 AM by Community Manager (42,684 Views)

Forwarding threat logs to a syslog server requires the following steps:

  1. Create a syslog server profile
  2. Configure the log forwarding profile to select the threat logs to be forwarded to the syslog server
  3. Use the log forwarding profile in the security rules
  4. Commit the changes

Note: Informational threat logs also include URL, Data Filtering and WildFire logs.

Syslog server profile

Go to Device > Server Profiles > Syslog

  • Name: Name of the syslog server profile
  • Server: IP address of the syslog server to which the logs will be forwarded
  • Port: Default port 514
  • Facility: Select the syslog facility from the drop-down list according to your requirements

[Screenshot: syslog server.png]

Log forwarding profile

Go to Objects > Log forwarding

Create a log forwarding profile that sends threat logs to the syslog server profile configured above.

[Screenshot: log forwarding profile.png]

Add a Log Forwarding Match List to the profile.

[Screenshot: filter builder.png]

Add the syslog server and select a filter, if any is desired.

[Screenshot: filter builder 2.png]

Use the filter builder to add more filtering parameters for the logs to be forwarded.

Once configured, the log forwarding profile should look like the following:

[Screenshot: profile list.png]
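After the server profile and the log forwarding profile are in place, the practical check is on the collector side: does the syslog server actually receive the threat logs, with the facility you selected, and only the log types your match list allows? The following Python script is an added example (it is not part of this article and not Palo Alto Networks code). It decodes the syslog `<PRI>` header into facility and severity, extracts the log type and subtype from the comma-separated message body, and keeps only THREAT records, optionally narrowed to chosen subtypes such as virus or vulnerability. It assumes the BSD-style syslog layout with a CSV body in which the fourth field is the log type and the fifth is the subtype; the sample lines, hostname, serial number and addresses are constructed for the example.

```python
"""Decode firewall syslog lines on the collector and keep only threat records.
Added example; the sample lines and the CSV field positions are assumptions."""
import csv
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample lines: <PRI> + RFC 3164 header + CSV body.
# PRI 14 = facility 1 (user) * 8 + severity 6 (info); PRI 132 = local0 / warning.
SAMPLE_LINES = [
    '<14>Sep 26 00:48:01 PA-EXAMPLE 1,2012/09/26 00:48:01,000000000001,THREAT,vulnerability,'
    '1,2012/09/26 00:48:01,10.0.0.5,203.0.113.9,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,'
    'vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-fwd,alert,"example.test/",medium',
    '<132>Sep 26 00:49:10 PA-EXAMPLE 1,2012/09/26 00:49:10,000000000001,THREAT,virus,'
    '1,2012/09/26 00:49:10,10.0.0.7,198.51.100.20,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,'
    'vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-fwd,deny,"example.test/file.exe",medium',
    '<14>Sep 26 00:49:12 PA-EXAMPLE 1,2012/09/26 00:49:12,000000000001,TRAFFIC,end,'
    '1,2012/09/26 00:49:12,10.0.0.7,198.51.100.20,0.0.0.0,0.0.0.0,allow-out,,,web-browsing',
]

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})

# <PRI>, an optional "Mon dd hh:mm:ss host " header, then the message body.
LINE_RE = re.compile(
    r"^<(\d{1,3})>(?:[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?(.*)$", re.DOTALL)


@dataclass
class SyslogRecord:
    facility: str            # decoded from PRI, e.g. "user" or "local0"
    severity: str            # decoded from PRI, e.g. "info"
    log_type: Optional[str]  # CSV field 4, e.g. THREAT or TRAFFIC (assumed layout)
    subtype: Optional[str]   # CSV field 5, e.g. vulnerability, virus, url (assumed layout)
    body: str


def parse_record(line: str) -> SyslogRecord:
    """Split PRI into facility/severity and pull type and subtype from the CSV body."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # largest legal PRI is 23 * 8 + 7
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    body = m.group(2)
    fields = next(csv.reader([body]))  # csv handles quoted fields containing commas
    log_type = fields[3] if len(fields) > 3 else None
    subtype = fields[4] if len(fields) > 4 else None
    return SyslogRecord(FACILITY_NAMES.get(facility, str(facility)),
                        SEVERITY_NAMES[severity], log_type, subtype, body)


def select_threats(lines: Iterable[str], subtypes: Optional[Set[str]] = None) -> List[SyslogRecord]:
    """Keep THREAT records only; if subtypes is given, keep only those subtypes."""
    wanted = {s.lower() for s in subtypes} if subtypes else None
    kept = []
    for line in lines:
        rec = parse_record(line)
        if rec.log_type != "THREAT":
            continue
        if wanted is not None and (rec.subtype or "").lower() not in wanted:
            continue
        kept.append(rec)
    return kept


def listen(bind: str = "0.0.0.0", port: int = 514, max_messages: int = 0) -> None:
    """Receive UDP syslog from the firewall and print one decoded line per datagram.
    Binding to 514 needs privileges; use a high port for a quick test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    seen = 0
    try:
        while not max_messages or seen < max_messages:
            data, (src, _) = sock.recvfrom(65535)
            rec = parse_record(data.decode("utf-8", errors="replace"))
            print(f"{src} {rec.facility}.{rec.severity} {rec.log_type}/{rec.subtype}")
            seen += 1
    finally:
        sock.close()


if __name__ == "__main__":
    for rec in select_threats(SAMPLE_LINES):
        print(f"{rec.facility}.{rec.severity} {rec.log_type}/{rec.subtype}")
```

Run it with no arguments to see the constructed samples decoded; call `listen(port=5514, max_messages=5)` (hypothetical port, not the profile default) and point a test server profile at that port to confirm the facility and the selected log types arrive as configured. The TRAFFIC line in the samples is dropped by `select_threats`, which mirrors what a match list restricted to threat logs should produce on the wire.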

Security Rule

Go to Policies > Security Rule

Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.

Go to Actions > Log Forwarding and select the log forwarding profile from the drop-down list.

[Screenshot: logforwarding security.png]

Commit the configuration.

Comments
by stewart
on ‎12-25-2013 03:53 PM

Quick and easy setup for adding Syslog.

by craymond
on ‎01-13-2014 12:25 PM

One thing to remember is that if you do not also include the policy to use the profile, those will not be sent to the Log Server.

by rob_moore
on ‎02-04-2014 01:18 PM

Why can we not create the Log forwarding profile using CLI using set commands?  I can create everything else via CLI except the log forwarding profile.  I have created it via GUI then exported set, but it is not there.  I need to do this on multiple devices...  Any suggestions???

Thanks

Rob

by gafrol
on ‎02-25-2014 08:14 AM

It would be helpful if one could have more granular control of what threat log entries (e.g. type Virus) get forwarded to a syslog server. Also, if the logs could get aggregated before sending them to a syslog server, that would be nice. Let's say an IP is trying to download a virus-infected file 10 times in 30 minutes and then fire a syslog event.

by Sly_Cooper
on ‎02-27-2014 08:24 AM

Please note that you have to have "Log at Session Start or End" enabled for the logs to be generated and sent to the syslog server. Our Panorama was overloaded and I wanted to send logs only to the syslog server for certain policies. As per support, that is not possible.

by z_rmiller
on ‎04-18-2014 08:25 AM

I was wondering the same thing and finally found the command. This was on a firewall running 5.0.11.

set shared log-settings profiles profile-name

by jprovine
on ‎07-20-2015 08:35 AM

Did you ever find a way to be more specific on the threat logs that are sent to the syslog server?

by ABlumhard
on ‎06-11-2018 06:19 AM

Is there a way to have an email sent that includes a warning that the IPsec tunnel is down?

by Community Manager
on ‎06-12-2018 12:33 AM