In this discussion of the week, Reaper discusses Critical System Log Forwarding while addressing a question posted in the general topic discussion forum on LIVEcommunity. Direct responses and a detailed answer include screenshots of the Log Forwarding web interface. Got questions? Get answers on LIVEcommunity!
Even though this question was asked many (MANY) years ago, the discussion post still sees activity every once in a while with people looking for the same functionality, so I thought I'd pitch in with a little show and tell.
If you are familiar with log forwarding, you will know that you can find the log forwarding profiles in Objects > Log Forwarding.
In the Log Type, however, there is no option to forward system logs.
This is because the log forwarding profile is only used for logs generated as the result of a session flowing through (or getting blocked by) the firewall's dataplane.
To forward system (management plane) logs, there is a second area of the web interface related to log forwarding, located under Device > Log Settings, that lets you configure forwarding for System logs, Configuration logs, User-ID logs, HIP Match logs, and even Correlation logs.
From here you can create individual log forwarding policies based on predefined severity filters, or customize your own filters using the filter builder.
You can use the "View Filtered Logs" tab to preview the outcome of the filter to ensure the desired information is there.
You can also create several profiles so different information is sent to different destinations.
Now you can create specific policies that forward all the information you need to the destinations that need it (a SIEM, Panorama, an incident response platform, and more).
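To make the filter-and-destination idea concrete, here is an added example (not code from the LIVEcommunity post, and not PAN-OS or Palo Alto Networks code) that models a subset of the Device > Log Settings filter syntax, namely parenthesised `field eq value` / `field neq value` comparisons joined with `and` / `or`, and applies it to a few constructed system log records. The `preview` function plays the role of the "View Filtered Logs" tab, and `route` shows how several profiles send different records to different destinations. The records, profile names and destination names (`siem`, `panorama`, `incident-response`) are all placeholders constructed for the example.

```python
"""Preview of PAN-OS style log-forwarding filters over sample system log records.

Added example for illustration only: it is not part of the LIVEcommunity post and
not PAN-OS code. It models the severity/field filters built under
Device > Log Settings and shows which constructed records each profile would
forward to which (placeholder) destination.
"""
import re
from typing import Callable, Dict, List

# Constructed sample system (management plane) log records. Field names follow the
# PAN-OS system log columns (subtype, severity, eventid, description); values are made up.
SAMPLE_SYSTEM_LOGS: List[Dict[str, str]] = [
    {"subtype": "ha", "severity": "critical", "eventid": "state-change",
     "description": "HA Group 1: moved from Active to Non-Functional"},
    {"subtype": "general", "severity": "informational", "eventid": "general",
     "description": "User admin logged in via Web from 10.0.0.5"},
    {"subtype": "vpn", "severity": "high", "eventid": "tunnel-down",
     "description": "IKE phase-2 SA for gateway gw-branch is down"},
    {"subtype": "routing", "severity": "medium", "eventid": "bgp-peer-down",
     "description": "BGP peer 192.0.2.1 went down"},
]

# Tokens: parentheses, the keywords 'and'/'or', or any other non-space run.
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[^\s()]+")


def compile_filter(expression: str) -> Callable[[Dict[str, str]], bool]:
    """Turn a filter such as '(severity eq critical) or (subtype eq ha)' into a predicate.

    Supported (an assumption of this example, a subset of the web UI filter builder):
    parentheses, 'and', 'or', and the comparators 'eq' / 'neq'. Comparisons are
    case-insensitive. Malformed filters raise ValueError instead of silently matching.
    """
    tokens = _TOKEN.findall(expression)
    pos = 0

    def parse_or():
        nonlocal pos
        left = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            right = parse_and()
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, right)
        return left

    def parse_and():
        nonlocal pos
        left = parse_atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            right = parse_atom()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, right)
        return left

    def parse_atom():
        nonlocal pos
        if pos < len(tokens) and tokens[pos] == "(":
            pos += 1
            inner = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')' in filter")
            pos += 1
            return inner
        if pos + 3 > len(tokens):
            raise ValueError("incomplete comparison in filter")
        field, op, value = tokens[pos:pos + 3]
        if "(" in (field, op, value) or ")" in (field, op, value):
            raise ValueError("malformed comparison in filter")
        pos += 3
        if op not in ("eq", "neq"):
            raise ValueError(f"unsupported comparator {op!r}")
        want_equal = op == "eq"
        return lambda rec: (rec.get(field, "").lower() == value.lower()) == want_equal

    predicate = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return predicate


def preview(expression: str, records=SAMPLE_SYSTEM_LOGS) -> List[Dict[str, str]]:
    """Equivalent of the 'View Filtered Logs' tab: the records this filter would forward."""
    match = compile_filter(expression)
    return [rec for rec in records if match(rec)]


def route(profiles: Dict[str, Dict[str, str]], records=SAMPLE_SYSTEM_LOGS) -> Dict[str, List[str]]:
    """Map each destination name to the eventids of the records its profile(s) forward.

    profiles: {profile_name: {"filter": <expression>, "destination": <name>}}.
    Destination names are placeholders, not real servers.
    """
    routed: Dict[str, List[str]] = {}
    for prof in profiles.values():
        match = compile_filter(prof["filter"])
        dest = routed.setdefault(prof["destination"], [])
        dest.extend(rec["eventid"] for rec in records if match(rec))
    return routed


# Three placeholder profiles: critical-only to incident response, high-and-above to
# the SIEM, and HA events (except informational ones) to Panorama.
EXAMPLE_PROFILES = {
    "sys-critical-to-ir": {"filter": "(severity eq critical)", "destination": "incident-response"},
    "sys-high-and-above-to-siem": {"filter": "(severity eq critical) or (severity eq high)", "destination": "siem"},
    "sys-ha-to-panorama": {"filter": "(subtype eq ha) and (severity neq informational)", "destination": "panorama"},
}

if __name__ == "__main__":
    for destination, events in route(EXAMPLE_PROFILES).items():
        print(f"{destination}: {events}")
```

Running the file prints one line per destination with the eventids it would receive; the informational login record matches none of the three profiles, which is the point of previewing a filter before committing it, since a filter that is too narrow is invisible until an event you needed never arrives.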