Are there way that fw forward url & data filtering logs to ESM system by syslog??

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Are there way that fw forward url & data filtering logs to ESM system by syslog??

L4 Transporter

Hello,

I know there are not log type of url & data filtering on syslog server profile.

But my customer want to receive two logs to ESM system by syslog.

Are there ways?

Please let me know it if there are.

And I have a question.

Panorama is received this logs(url , data) from FW.

Why is it able to receive?

Thanks.

1 accepted solution

Accepted Solutions

L7 Applicator

URL logs are stored as "informational" threat logs on the PA device.

So, in your log forwarding profile, under Threat, enable "informational" severity. This should enable URL log forwarding to your syslog server.

Something similar to your question was discussed in : https://live.paloaltonetworks.com/message/13326#13326

View solution in original post

3 REPLIES 3

L7 Applicator

URL logs are stored as "informational" threat logs on the PA device.

So, in your log forwarding profile, under Threat, enable "informational" severity. This should enable URL log forwarding to your syslog server.

Something similar to your question was discussed in : https://live.paloaltonetworks.com/message/13326#13326

L4 Transporter

Like achitwadgi said: If you are receiving URL logs on panorama, then the firewall should have had Log forwarding configured. In GUI:Objects>Log Forwarding Profile, there should have been a profile created with Panorama check box checked for "informational" severity. This profile should then be applied to the security rules.

https://live.paloaltonetworks.com/docs/DOC-2173

L4 Transporter

Thank you for your answer, achitwadgi and dreputi.

FWs send url logs by threat information severity of syslog. (The value of threat subtype field is url)

Also FWs send file logs by threat low severity of syslog. (The value of threat subtype field is file)

Low severity include alert , allow , forward and deny actions on file log.

Wildfire-upload-skip action is information severity.

Are they right?

  • 1 accepted solution
  • 2792 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!