How custom forward logs to syslog server


L0 Member

We are sending all logs from Palo to SIEM. How can we eliminate those of low or no value to us (e.g. Allow_TCP_End) from being sent to the syslog server? The server fills up quickly, and there is a large amount of logs that provide no insight during analysis; we would like to NOT forward such logs. In other words, how do we pick and choose which event logs to send to the syslog server? Thank you.

2 REPLIES

L5 Sessionator

Under the log-forwarding profile you can change the severity.

L2 Linker

If you do not wish to log allowed sessions, you can remove log forwarding from the rules that allow traffic.

If, for example, you only wish to log detected viruses in allowed traffic, you can create a log forwarding profile with no log forwarding under the Traffic settings and log forwarding enabled under the Threat settings.

Unfortunately we are quite limited when it comes to forwarding of system logs. Under Device > Log Settings you can only select the severity of the system logs that will be forwarded. Unfortunately you cannot change the severity of a certain event (for example a failed admin logon). The result of this is that you cannot tune which events you wish to forward and which you don't, and you will always end up forwarding too many or too few events.

One possibility is to set up a syslog relay server where you filter the syslog that is forwarded to the SIEM.

LPM
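The relay approach from the reply above, made concrete as an added example (this is not code from the thread or from Palo Alto Networks). In practice the relay is usually rsyslog or syslog-ng with a filter rule; the Python below does the same job in a form whose decision logic you can read and test. It assumes BSD-style syslog from the firewall ("<PRI>Mmm dd HH:MM:SS host body") carrying the default PAN-OS CSV format, where the 4th field is the log type (TRAFFIC, THREAT, SYSTEM, CONFIG, ...) and the 5th is the subtype (start/end/drop/deny for TRAFFIC, auth/general/... for SYSTEM). The hosts, ports, forwarding policy and the records in SAMPLE_LINES are all constructed for the example.

```python
"""Syslog relay filter for PAN-OS logs on the way to a SIEM.

Added example for this thread; not Palo Alto Networks code, and the policy in
should_forward() is illustrative. Assumptions: BSD-style syslog framing and the
default PAN-OS CSV body (field 4 = type, field 5 = subtype). Hosts, ports and
SAMPLE_LINES are constructed.
"""
import csv
import re
import socket
from typing import List, Optional

# <PRI>, timestamp, hostname, then the PAN-OS CSV body
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\S+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(\S+)\s(.*)$", re.S)

# Constructed sample records (field lists shortened after the subtype).
# PRI 14 = user.info, 12 = user.warning, 11 = user.err.
SAMPLE_LINES = [
    "<14>Jan 12 10:00:01 PA-FW 1,2017/01/12 10:00:01,001234567890,TRAFFIC,end,2049,2017/01/12 10:00:01,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,Allow_TCP,,,web-browsing,vsys1",
    "<14>Jan 12 10:00:02 PA-FW 1,2017/01/12 10:00:02,001234567890,TRAFFIC,start,2049,2017/01/12 10:00:02,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,Allow_TCP,,,web-browsing,vsys1",
    "<14>Jan 12 10:00:03 PA-FW 1,2017/01/12 10:00:03,001234567890,TRAFFIC,deny,2049,2017/01/12 10:00:03,10.0.0.9,10.0.1.1,0.0.0.0,0.0.0.0,Deny_All,,,not-applicable,vsys1",
    "<11>Jan 12 10:00:04 PA-FW 1,2017/01/12 10:00:04,001234567890,THREAT,vulnerability,2049,2017/01/12 10:00:04,203.0.113.7,10.0.0.20,0.0.0.0,0.0.0.0,Allow_Web,,,web-browsing,vsys1",
    "<12>Jan 12 10:00:05 PA-FW 1,2017/01/12 10:00:05,001234567890,SYSTEM,auth,0,2017/01/12 10:00:05,vsys1,\"failed authentication for user 'admin'\"",
    "<14>Jan 12 10:00:06 PA-FW 1,2017/01/12 10:00:06,001234567890,SYSTEM,general,0,2017/01/12 10:00:06,vsys1,\"Update job completed\"",
    "<14>Jan 12 10:00:07 PA-FW 1,2017/01/12 10:00:07,001234567890,CONFIG,0,0,2017/01/12 10:00:07,10.0.0.100,vsys1,edit,admin,Web,Succeeded",
    "this is not a PAN-OS record",
]


def parse_panos(line: str) -> Optional[dict]:
    """Split one syslog line into PRI severity plus PAN-OS type/subtype; None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    fields = next(csv.reader([m.group(4)]))  # csv handles the quoted description field
    if len(fields) < 5:
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,  # RFC 3164: 0=emerg ... 4=warning, 6=info, 7=debug
        "host": m.group(3),
        "type": fields[3],
        "subtype": fields[4],
        "fields": fields,
    }


def should_forward(line: str) -> bool:
    """Illustrative policy: keep what the analysts use, drop the allowed-session noise."""
    rec = parse_panos(line)
    if rec is None:
        return True  # fail open: a record we cannot parse still reaches the SIEM
    kind, sub, sev = rec["type"], rec["subtype"], rec["severity"]
    if kind in ("THREAT", "CONFIG"):
        return True  # detections and the configuration audit trail, always
    if kind == "TRAFFIC":
        return sub in ("drop", "deny")  # start/end records for allowed sessions are the bulk
    if kind == "SYSTEM":
        return sub == "auth" or sev <= 3  # admin logon events, plus error or worse
    return sev <= 4  # anything else: warning or worse


def filter_lines(lines: List[str]) -> List[str]:
    """Return only the records the relay would pass on."""
    return [line for line in lines if should_forward(line)]


def relay(listen=("0.0.0.0", 5514), siem=("10.0.0.10", 514)) -> None:
    """UDP relay: point the firewall at `listen`; only kept records go on to `siem`."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, _ = rx.recvfrom(65535)
        if should_forward(data.decode("utf-8", errors="replace")):
            tx.sendto(data, siem)


if __name__ == "__main__":
    kept = filter_lines(SAMPLE_LINES)
    print(f"forwarding {len(kept)} of {len(SAMPLE_LINES)} sample records")
    # relay()  # uncomment to run as a live UDP relay
```

Two things worth noting when doing this for real: the filter fails open on anything it cannot parse, so a firmware upgrade that changes the log format costs you disk, not visibility; and records dropped at the relay are gone from the SIEM, so keep the firewall's own log retention (or a cheap raw archive on the relay) if you might need the allowed-session records for an investigation later.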
