01-20-2020 01:51 AM
Hi Gang,
I have a server profile configured but completely unsure, even after some searching around.
I'd like to generate email alerts for:
I know the answer lies somewhere in custom logging, but I have no idea where to start.
We are running Panorama and Firewalls currently on 9.05.
In time, I'd love to integrate it into Webex Teams for messaging alerts, as we have an Alert Bot. This is possible right!?
Thank you kindly for taking the time and energy to read and respond!
Daniel
01-21-2020 02:01 PM
@mr_almeida wrote: I'd like to generate email alerts for:
- Interface - in that their status changes e.g. data-link down, hard down, flapping
- Are the dedicated HA ports possible to be alerted too
- Firewall goes into HA where the passive firewall takes over
So for an HA state-change you would want to do the following; note that you could add (severity geq high) to remove any events where someone actually suspends the firewall manually.
<filter>(eventid eq state-change)</filter>
# Or to filter out suspend actions #
<filter>(eventid eq state-change) and (severity geq high)</filter>
For the link changes you would actually want to look for the link-change eventid like so
<filter>(eventid eq link-change)</filter>
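An added example, not part of the original reply and not Palo Alto's code: a small Python evaluator for flat filters of the form shown above, run against constructed system-log records to show which events each filter would alert on. The record fields, the severities given to the sample events (with the manual suspend below high, as the reply implies) and the function names are assumptions.

```python
import re

# PAN-OS severity levels in ascending order, used for geq/leq comparisons.
SEVERITY = ["informational", "low", "medium", "high", "critical"]

# Matches one "(field op value)" clause, or a bare and/or connective.
TOKEN = re.compile(r"\(\s*(\w+)\s+(eq|neq|geq|leq)\s+([\w-]+)\s*\)|\b(and|or)\b")

def _clause(field, op, value, record):
    actual = record.get(field, "")
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    # geq/leq only make sense for values on the ordered severity scale.
    if actual not in SEVERITY or value not in SEVERITY:
        return False
    a, v = SEVERITY.index(actual), SEVERITY.index(value)
    return a >= v if op == "geq" else a <= v

def matches(filter_expr, record):
    """Evaluate a flat filter such as '(a eq b) and (c geq d)' on one record.
    'and' binds tighter than 'or'; nested parentheses are not handled."""
    or_groups, current = [], []
    for m in TOKEN.finditer(filter_expr):
        if m.group(4) == "or":
            or_groups.append(current)
            current = []
        elif m.group(4) is None:
            current.append(_clause(m.group(1), m.group(2), m.group(3), record))
    or_groups.append(current)
    return any(g and all(g) for g in or_groups)

# Constructed sample records (not real firewall output).
SAMPLE_LOGS = [
    {"eventid": "state-change", "severity": "critical", "desc": "HA failover, passive unit takes over"},
    {"eventid": "state-change", "severity": "medium", "desc": "administrator suspends the device"},
    {"eventid": "link-change", "severity": "informational", "desc": "ethernet1/1 link down"},
    {"eventid": "general", "severity": "high", "desc": "unrelated system event"},
]

def alerts(filter_expr, logs=SAMPLE_LOGS):
    """Return the descriptions of the records the filter would forward."""
    return [r["desc"] for r in logs if matches(filter_expr, r)]

if __name__ == "__main__":
    for f in ("(eventid eq state-change)",
              "(eventid eq state-change) and (severity geq high)",
              "(eventid eq link-change)"):
        print(f, "->", alerts(f))
```

Checking a filter this way before attaching it to an email profile shows whether an event you care about would be silently dropped by the severity clause.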
01-21-2020 01:18 PM
Hello,
The configuration is on the Device tab -> Log Settings. There you can build a filter to suit your needs. I personally just have it send me all critical alerts (HA is included in these).
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln1CAC
Regards,
01-22-2020 01:21 AM - edited 01-22-2020 01:22 AM
I never went deep enough into the menu to see the "view filtered logs". So the video you referred to was immensely useful in finally getting the overview of log settings! Looking forward to tweaking them to get exactly what I want!!!
Thank you too for your time and response!