How to Forward Custom URL Logs to a Syslog Server

by sdurga on ‎10-12-2012 12:51 PM - edited on ‎09-09-2015 05:58 PM by (10,900 Views)


In order to forward URL logs, it is necessary to forward Threat logs of Severity 'informational' to the Syslog server. Doing so will forward other informational threat logs (Data Filtering) in addition to URL logs.


Please refer to the following document for more information on how to configure URL log forwarding to Syslog: How to Forward Threat Logs to Syslog Server


By default, when threat logs are forwarded to a Syslog server, the logs contain several fields, including source IP, destination IP, and many others, including the URL.


To include the URLs in the forwarded logs, create a custom syslog format that contains the "$misc" field, as shown below.




In the above example, $category (category of the URL), $misc (URL), and $src (source IP) are selected, and the syslog looks like this:



URL Filtering and Data Filtering use the 'Informational' severity for threats.
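On the receiving side, a custom format built from the three fields named above can be parsed as sketched here. This is an added example, not part of the original article: the layout `category=$category src=$src url=$misc` is an assumed custom format, and the sample lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed custom format configured on the firewall (not from the article):
#   category=$category src=$src url=$misc
# $misc (the URL) is placed last because a URL may contain spaces, '=' or '&'.
PAYLOAD = re.compile(r"category=(?P<category>\S+) src=(?P<src>\S+) url=(?P<url>.*)$")

# Constructed sample lines with an RFC 3164 style header in front of the payload.
SAMPLE = [
    "<14>Jun 16 16:18:52 fw01 category=social-networking src=10.1.1.20 url=www.example.com/profile?id=7&src=feed",
    "<14>Jun 16 16:18:53 fw01 category=malware src=10.1.1.31 url=bad.example.net/dl?f=a b.exe",
    "<14>Jun 16 16:18:54 fw01 category=malware src=10.1.1.31 url=bad.example.net/x",
    "<14>Jun 16 16:18:55 fw01 some unrelated syslog message",
]

def parse_line(line):
    """Return {'category', 'src', 'url'} for a matching line, else None."""
    m = PAYLOAD.search(line)  # leftmost match, so text inside the URL cannot shadow the real fields
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])  # reject payloads whose src is not an IP address
    except ValueError:
        return None
    # The URL is influenced by the client; drop control characters before storing it.
    rec["url"] = "".join(ch for ch in rec["url"] if ch.isprintable()).rstrip()
    return rec

def hits_by_source(lines, watched):
    """Count, per source IP, log entries whose URL category is in `watched`."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["category"] in watched:
            counts[rec["src"]] += 1
    return counts

if __name__ == "__main__":
    for src, n in hits_by_source(SAMPLE, {"malware"}).items():
        print(src, n)
```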


Configure forwarding settings here. This setting allows forwarding not only to syslog, but also covers forwarding for Panorama, SNMP Trap, or Email.


The following example configures forwarding of the email alerts:




owner: sdurga

by tom.greaser
on ‎01-02-2018 11:18 AM

Helpful. BAD on pal for using the $misc field. If it was not for this post a ticket would have had to be created.


by eDub
‎03-24-2018 05:21 AM - edited ‎03-24-2018 05:24 AM



I've been racking my brains on this one for a while. 


Helpful, but sure wasted a lot of time.
