I want to know when our PBF rule hits by sending an email when it sees the syslog. I want to test this but don't want to actually fail traffic over. There are test commands on the CLI, but I haven't been able to find how to create a false syslog. Please let me know how to create a false syslog.
In "Log Settings" --> "Config" you can set that to send to your syslog server. Then make a configuration change, which should send that to your syslog server.
If you want to test whether your firewall is sending the logs to the syslog server or not:

Step 1. Configure the syslog server: Device > Server Profiles > Syslog, and configure the syslog server there.
Step 2. Log Settings: select the syslog server profile for System > informational severity, or for Config.
Step 3. Do a commit.

Now if you navigate through the firewall tabs, a system log of informational severity will be generated and the firewall should send the logs to syslog. If you have selected the syslog profile for Config as well, then you will get a syslog for any config change.
Make sure reachability to the syslog server is there. Check the service route if reachability is not there.
Hope this helps!
Thanks for the reply.
I'm not trying to make a "config" change show up on my syslog server. I want to get a system event regarding a PBF rule to send the alert to my email.
So far, Palo Alto does not have the capability to selectively filter system logs or alerts. Mostly this type of alert can be implemented in some external NMS solution.
This needs to be a feature request. I see there are feature requests already for both functionalities, i.e. the ability to filter events and the option to send an alert on PBF monitoring events. Kindly check with the Palo Alto SE for the roadmap.
Look into 'Swatch'; it's a relic but works. Send events to syslog as outlined, then on your Linux host enable Swatch to parse syslog data (one or more log files) and send an alert on any keyword/event ID, etc. I use this for PAN URL, system and threat logs along with Cisco ASA log events. There are a lot of Swatch options, including thresholds to suppress repeat events.
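The Swatch approach above (match forwarded syslog lines against a keyword or event pattern, alert, and suppress repeats within a window) is small enough to show in a few dozen lines. The following is an added example written for this thread, not Swatch itself and not code from the original poster or from Palo Alto Networks. The syslog lines, the hostname fw01, the rule names, the PBF event strings and the mail addresses are all constructed for the demo; the field layout after the syslog header only approximates a PAN-OS system log, so adapt the regexes to the real lines your firewall sends.

```python
"""Swatch-style watcher for forwarded firewall syslog: match rules, build an
alert email, suppress repeats of the same rule/host inside a window.
Added example; all sample data below is constructed, not real PAN-OS output."""
import re
from datetime import datetime
from email.message import EmailMessage

# Constructed sample lines (hypothetical host fw01, hypothetical PBF events).
# Real PAN-OS system logs are CSV after the syslog header; this is approximate.
SAMPLE_LINES = [
    "Jan 10 09:00:01 fw01 1,2024/01/10 09:00:01,0011223344,SYSTEM,pbf,0,"
    "2024/01/10 09:00:01,,path-monitor-failure,pbf-rule-dc1,0,0,general,"
    "critical,PBF rule pbf-rule-dc1 path monitor down",
    # same event 30 seconds later: should be suppressed as a repeat
    "Jan 10 09:00:31 fw01 1,2024/01/10 09:00:31,0011223344,SYSTEM,pbf,0,"
    "2024/01/10 09:00:31,,path-monitor-failure,pbf-rule-dc1,0,0,general,"
    "critical,PBF rule pbf-rule-dc1 path monitor down",
    # unrelated informational event: matches no rule
    "Jan 10 09:02:00 fw01 1,2024/01/10 09:02:00,0011223344,SYSTEM,general,0,"
    "2024/01/10 09:02:00,,general,,0,0,general,informational,"
    "User admin logged in via Web",
    "Jan 10 09:10:05 fw01 1,2024/01/10 09:10:05,0011223344,SYSTEM,pbf,0,"
    "2024/01/10 09:10:05,,path-monitor-recovery,pbf-rule-dc1,0,0,general,"
    "informational,PBF rule pbf-rule-dc1 path monitor up",
]

# BSD syslog header: "Mon DD HH:MM:SS host message"
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# (rule name, regex applied to the message body, suppression window in seconds)
# The event strings are assumptions for the demo; adjust to your real logs.
RULES = [
    ("pbf-path-down", re.compile(r",SYSTEM,pbf,.*path-monitor-failure", re.I), 300),
    ("pbf-path-up", re.compile(r",SYSTEM,pbf,.*path-monitor-recovery", re.I), 300),
]


def parse_line(line, year=2024):
    """Split a BSD syslog line into (timestamp, host, message); None if malformed."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def build_email(rule_name, host, msg, sender="syslog@example.com", to="noc@example.com"):
    """Build the alert message; sending is left to smtplib (see main below)."""
    em = EmailMessage()
    em["Subject"] = f"[{host}] {rule_name}"
    em["From"] = sender
    em["To"] = to
    em.set_content(msg)
    return em


def watch(lines, rules=RULES):
    """Return (rule_name, host, msg) for each line that fires a rule, dropping
    repeats of the same rule on the same host inside that rule's window."""
    last_fired = {}
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for name, pattern, window in rules:
            if not pattern.search(msg):
                continue
            key = (name, host)
            prev = last_fired.get(key)
            if prev is not None and (ts - prev).total_seconds() < window:
                continue  # repeat inside the window: suppressed
            last_fired[key] = ts
            alerts.append((name, host, msg))
    return alerts


if __name__ == "__main__":
    for name, host, msg in watch(SAMPLE_LINES):
        em = build_email(name, host, msg)
        print(em["Subject"])
        # To deliver for real: smtplib.SMTP("mail.example.com").send_message(em)
```

On the constructed input this fires twice (the path-down event once, the later path-up event once) and drops the duplicate path-down line that arrives 30 seconds later. In production you would tail the file the syslog daemon writes for the firewall and feed each new line to watch() with the last_fired state kept across calls.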
I appreciate everyone's help. I believe where I was off was that our threats send emails directly from the FW to us. The FW will send complete syslogs but is unable to parse out specific objects/strings. I'll have our SolarWinds send over the specifics.