Forwarding threat logs to a syslog server requires three steps
Note: Informational threat logs also include URL, Data Filtering and WildFire logs.
Syslog server profile
Go to Device > Server Profiles > Syslog
Log forwarding profile
Go to Objects > Log forwarding
Create the syslog server profile for forwarding threat logs to the configured server.
Add a Log Forwarding Match List to the profile
add the syslog server and select a desired (if any) filterUse the filter builder to add more filtering parameters for logs to be forwarded
Once configured, the log forwarding should look like the following
Go to Policies > Security Rule
Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.
Go to Actions > Log forwarding and select the log forwarding profile from drop down list.
Commit the configuration
Quick and easy setup for adding Syslog.
One thing to remember is that if you do not also include the policy to use the profile, those will not be sent to the Log Server.
Why can we not create the Log forwarding profile using CLI using set commands? I can create everything else via CLI except the log forwarding profile. I have created it via GUI then exported set, but it is not there. I need to do this on multiple devices... Any suggestions???
It would be helpful if one could have more granular control of what threat log entries (e.g. type Virus) get forwarded to a syslog server. Also if the logs could get aggregated before sending it to a syslog server would be nice. Let's say an IP is trying to download a virus infected file 10 times in 30 Minutes and then fire a syslog event.
Please note that you have to have "Log at Session start or end" for the logs to be generated and sent to syslog server. Our Panorama was overloaded and I wanted to send logs only to syslog server for certain policies. As per support that is not possible.
I was wondering the same things and finally found the command. This was on a firewall running 5.0.11.
set shared log-settings profiles profile-name
Did you ever find a way to be more specific on the threat logs that are sent to the syslog server?
Is there a way to have an email sent that includes a warning that the ipsec tunnel is down?
yes, by creating a log forwarding profile with a filter: https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/management-features/select...