How to Forward Threat Logs to Syslog Server

by ppatel on ‎09-26-2012 12:48 AM (27,807 Views)

Forwarding threat logs to a syslog server requires the following steps:

  1. Create a syslog server profile
  2. Configure the log-forwarding profile to select the threat logs to be forwarded to syslog server
  3. Use the log forwarding profile in the security rules
  4. Commit the changes


Note: Informational threat logs also include URL, Data Filtering and WildFire logs.


Syslog server profile

Go to Device > Server Profiles > Syslog

  • Name: Name of the syslog server profile
  • Server: IP address of the syslog server the logs will be forwarded to
  • Port: Default port 514
  • Facility: Select from the drop-down according to the requirements

[Screenshot: syslog-server-profile.PNG]

Log forwarding profile

Go to Objects > Log forwarding

Select the syslog server profile for forwarding threat logs to the configured server.

[Screenshot: threat-log-fwd.png]

Once configured, the log forwarding profile should look like the following:

[Screenshot: log-fwd1-threat.PNG]


Security Rule

Go to Policies > Security Rule

Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.

Go to Actions > Log forwarding and select the log forwarding profile from the drop-down list.

[Screenshot: threat-profile-setting.png]


Commit the configuration


owner: ppatel

Comments
by stewart
on ‎12-25-2013 03:53 PM

Quick and easy setup for adding Syslog.

by craymond
on ‎01-13-2014 12:25 PM

One thing to remember is that if you do not also include the policy to use the profile, those will not be sent to the Log Server.

by rob_moore
on ‎02-04-2014 01:18 PM

Why can we not create the Log forwarding profile using CLI set commands?  I can create everything else via CLI except the log forwarding profile.  I have created it via GUI then exported set, but it is not there.  I need to do this on multiple devices...  Any suggestions???

Thanks

Rob

by gafrol
on ‎02-25-2014 08:14 AM

It would be helpful if one could have more granular control of what threat log entries (e.g. type Virus) get forwarded to a syslog server. Also, if the logs could get aggregated before sending them to a syslog server, that would be nice. Let's say an IP is trying to download a virus-infected file 10 times in 30 minutes and then fire a syslog event.

by Sly_Cooper
on ‎02-27-2014 08:24 AM

Please note that you have to have "Log at Session start or end" for the logs to be generated and sent to syslog server. Our Panorama was overloaded and I wanted to send logs only to syslog server for certain policies. As per support that is not possible.

by z_rmiller
on ‎04-18-2014 08:25 AM

I was wondering the same things and finally found the command. This was on a firewall running 5.0.11.

set shared log-settings profiles profile-name

by jprovine
on ‎07-20-2015 08:35 AM

Did you ever find a way to be more specific on the threat logs that are sent to the syslog server?

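The article's procedure ends with a commit but gives no way to confirm that the syslog server actually receives threat logs, and two of the comments (gafrol, jprovine) ask for filtering by threat subtype and for aggregation such as "10 virus downloads from one IP in 30 minutes". The following Python receiver is an added example that is not part of the original article or of PAN-OS itself: it accepts the BSD-syslog UDP messages the default port 514 implies, parses the PAN-OS threat log CSV, keeps only the subtypes you care about, and raises one alert per burst of repeated events from the same source. The CSV field positions it reads (field 4 = Type, 5 = Subtype, 8 = Source IP, 9 = Destination IP, 12 = Rule) and the "YYYY/MM/DD HH:MM:SS" receive-time format are assumptions; check them against the log field reference for your PAN-OS version before relying on them. The sample lines in `run_sample()` are constructed for the demonstration.

```python
"""Receive PAN-OS threat syslog messages and alert on repeated events per source.

Added example, not code from the original article or from PAN-OS.
Assumed (verify against your PAN-OS version's log field reference):
  - messages are BSD syslog datagrams: "<PRI>Mon dd hh:mm:ss host <csv body>"
  - CSV body: field 2 receive time ("YYYY/MM/DD HH:MM:SS"), field 4 Type,
    field 5 Subtype, field 8 Source IP, field 9 Destination IP, field 12 Rule.
"""
import re
import socket
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # assumed PAN-OS receive-time format


def parse_threat_log(line):
    """Return the fields this check needs, or None for anything that is not a THREAT log."""
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        return None
    fields = m.group("msg").split(",")
    if len(fields) < 12 or fields[3] != "THREAT":
        return None  # TRAFFIC/SYSTEM/CONFIG logs or malformed input are ignored
    return {
        "host": m.group("host"),
        "facility": int(m.group("pri")) // 8,  # PRI = facility * 8 + severity
        "received": datetime.strptime(fields[1], TIME_FORMAT),
        "subtype": fields[4],   # vulnerability, virus, spyware, url, data, wildfire, ...
        "src": fields[7],
        "dst": fields[8],
        "rule": fields[11],
    }


class RepeatDetector:
    """Alert when one source produces `threshold` events of a watched subtype inside `window`."""

    def __init__(self, threshold=10, window=timedelta(minutes=30), subtypes=("virus",)):
        self.threshold = threshold
        self.window = window
        self.subtypes = set(subtypes)
        self.events = defaultdict(deque)  # (src, subtype) -> timestamps in the window

    def feed(self, entry):
        if entry["subtype"] not in self.subtypes:
            return None  # the per-subtype filter the comments asked for
        key = (entry["src"], entry["subtype"])
        q = self.events[key]
        q.append(entry["received"])
        while q and entry["received"] - q[0] > self.window:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= self.threshold:
            q.clear()  # fire once per burst, then start counting again
            return (f"ALERT {entry['host']}: {len(q) or self.threshold} {key[1]} events "
                    f"from {key[0]} within {self.window} (last rule: {entry['rule']})")
        return None


def listen(handler, bind="0.0.0.0", port=514):
    """Blocking UDP listener; point the firewall's syslog server profile at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)
        handler(data.decode("utf-8", errors="replace"), peer)


def _sample_line(ts, subtype, src, dst="203.0.113.7", rule="allow-web"):
    """Build a constructed threat log line in the assumed layout (sample data, not a real log)."""
    stamp = ts.strftime(TIME_FORMAT)
    body = ",".join(["1", stamp, "001606000000", "THREAT", subtype, "1", stamp, src, dst,
                     "0.0.0.0", "0.0.0.0", rule, "", "", "web-browsing", "vsys1", "trust",
                     "untrust", "ethernet1/2", "ethernet1/1", "fwd-syslog", stamp, "12345",
                     "1", "52000", "80", "0", "0", "0x0", "tcp", "drop"])
    return f"<14>{ts.strftime('%b %d %H:%M:%S')} PA-FW {body}"


def run_sample():
    """Feed constructed lines through the detector and return the alerts raised."""
    base = datetime(2014, 2, 25, 8, 0, 0)
    lines = [_sample_line(base + timedelta(minutes=3 * i), "virus", "10.1.1.25") for i in range(10)]
    lines.append(_sample_line(base + timedelta(minutes=5), "vulnerability", "10.1.1.25"))
    lines.append("<14>Feb 25 08:05:00 PA-FW 1,2014/02/25 08:05:00,001606000000,TRAFFIC,end,1")
    det = RepeatDetector(threshold=10, window=timedelta(minutes=30), subtypes=("virus",))
    alerts = []
    for line in lines:
        entry = parse_threat_log(line)
        if entry is not None:
            alert = det.feed(entry)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
    det = RepeatDetector()
    listen(lambda line, peer: print(det.feed(parse_threat_log(line)) or line.strip()))
```

Run it on the syslog host (port 514 needs root or an unprivileged port in both the listener and the server profile): every received line is echoed, which confirms the three configuration steps took effect for the rule you applied the profile to, and the facility derived from the PRI value should match the one chosen in the syslog server profile. The sample run raises exactly one alert, for the tenth virus event from 10.1.1.25 inside the 30-minute window; the vulnerability event and the TRAFFIC line are filtered out.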