Way to forward logs from individual rules instead of entire firewall?

L2 Linker

Is there a way to forward logs from individual rules by adding Expedition to their Log Forwarding Profile rather than setting up a Scheduled Log Export which forwards an entire firewall's logs?


Reason I ask is I need to use MI to analyze traffic for some specific rules but do not need to analyze traffic on an entire firewall. I have Scheduled Log Export set up for some smaller firewalls where the entire policy needs to be analyzed, and this works well. But I also have some very large, high-traffic firewalls where I need to analyze only a few rules, and scheduling the export of their entire traffic log would just be too much for our Expedition server.

Any thoughts? Thank you!

L4 Transporter

Hi @BOkay 

This is really a PAN-OS question. I know there is an "scp export traffic log" command for which you can specify a filter using "query"; you might want to open a case with TAC and ask them whether there is a way to export only the traffic logs matching a specific rule name.

L5 Sessionator

Hi,


Yes, this is possible using Expedition as a Syslog server and using a Log Forwarding profile as you stated.


To make sure that Expedition is receiving the traffic logs using syslog messages, check this other thread where we mentioned how to set up these parts.

https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-syslog-server-change-logs-...
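As an added illustration of the approach in this answer (not configuration from the thread or from the Expedition project), these are PAN-OS configure-mode commands that send traffic logs to Expedition only from the rules that carry the Log Forwarding profile. The profile names, the rule name Allow-Web and the Expedition address 192.0.2.10 are assumed placeholders; lines beginning with # are annotations, not CLI input.

```text
# 1. Syslog server profile pointing at the Expedition host (address is a placeholder).
#    UDP/BSD is the simplest to bring up; transport SSL with format IETF is available
#    if the logs must not cross the network in clear text.
set shared log-settings syslog Expedition-Syslog server expedition server 192.0.2.10 transport UDP port 514 format BSD facility LOG_USER

# 2. Log Forwarding profile that ships traffic logs to that syslog profile.
set shared log-settings profiles Fwd-To-Expedition match-list traffic-to-expedition log-type traffic filter "All Logs" send-syslog Expedition-Syslog

# 3. Attach the profile only to the rules you want Expedition to analyse.
#    Rules without it keep their existing logging and send nothing to Expedition.
set rulebase security rules Allow-Web log-setting Fwd-To-Expedition
set rulebase security rules Allow-Web log-end yes

commit
```

Because only the tagged rules forward, Expedition's view of that firewall is limited to exactly those rules, which is the intended scope for the large firewalls described in the question.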
