This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
CONFIG logs and syslog
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- CONFIG logs and syslog
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
CONFIG logs and syslog
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-24-2015 05:02 AM - edited 09-01-2015 01:48 AM
Hi there,
we're shipping our logs to a centralized syslog instance. That works great for all types of logs from the PA with the exceptions of the CONFIG logs.
The CONFIG logs are submitted at all, with the problem that the interesting parts "before-change-detail" and "after-change-detail" are not delivered.
Does anyone else ship CONFIG logs and if yes, do you see the same behaviour?
Thanks for advice.
Submitted Syslog Message
2015-02-02 10:32:59 User.Info 1.2.3.4 Feb 2 10:32:59 paloalto.domain.com 1,2015/02/02 10:32:59,123444,CONFIG,0,0,2015/02/02 10:32:59,1.2.33.4,,edit,admin-name,Web,Succeeded, vsys vsys1 rulebase security rules one-rule-to-rule-them-all,1544,0x0
Expected Syslog Message
2015-02-02 10:32:59 User.Info 1.2.3.4 Feb 2 10:32:59 paloalto.domain.com 1,2015/02/02 10:32:59,123444,CONFIG,0,0,2015/02/02 10:32:59,1.2.33.4,,edit,admin-name,Web,Succeeded, vsys vsys1 rulebase security rules one-rule-to-rule-them-all,before-change-detail,after-change-detail,1544,0x0
10 REPLIES 10
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-24-2015 05:18 AM
Hi Sven, can you please tell me what version of PAN-OS are you running? Syslog setup has changed in ver. 7.0. Also, setting forwarding of the config logs is done via tab Device > Log Settings > Config, where you can choose to forward Configs to the pre-defined syslog profile. Now, if you aren't seeing any logs forwarded, you should really be opening the support case 🙂 Can you sniff outgoing traffic from the firewall (take tcpdump from CLI) and see if config logs are also being forwarded? I am not sure about the format question you are asking for, would have to look it up, but forwarding of config logs is simple and should work if configured as explained above. regards Luciano
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-24-2015 05:58 AM - edited 08-24-2015 06:22 AM
Hi Luciano,
we're running PAN-OS 6.1.5. Logshipping is done via UDP; we've tried TCP with no difference in the result.
CONFIG logs are successful submitted, but a portion of the content is missing; see my sample snippets.
When you export Montior > Configuration to a csv file you have two fields called "before-change-detail" and "after-change-detail". Those two fields are missing in the syslog stream.
Update 1: Just did a tcpdump as suggested. Data is sent, but without those two fields in question.
Cheers,
Sven
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-27-2015 03:08 PM
Hi Sven,
sorry for quick reading. I would say that is expected behavior, per documentation found here:
https://live.paloaltonetworks.com/t5/Articles/PAN-OS-Syslog-Integration/ta-p/55323
CONFIG
FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, FUTURE_USE, Host, Virtual
System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags
full description on page 14
regards
Luciano
Related Content
- How to forward log to AWS S3 in Best Practice Assessment Discussions
- Syslog config on Different Port in Next-Generation Firewall Discussions
- Panorama System Logs in Panorama Discussions
- Firewall Config Templates(network) not showing up in Panorama in General Topics
- Global protect VPN disconnecting multiple times in GlobalProtect Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks