Log Forwarding

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Log Forwarding

L0 Member

Hello everyone,

 

Before the question, the context.

I have a panorama wich managed a lot of devices groups. we have a lot of rules for them. Which all these rules uses the default profile for log forwarding.
I have a new syslog server and i need to forward the logs from all the devices and not from panorama. I created the new syslog server and i managed to forward the logs from the devices directly but not ffrom the hierarchy on top (H1/H2 and or I1/I2 (i have some rules in H1/H2)) of those equipment. example :

-> Common

     -->I1

          -->H1

            --> Equipment 1
            --> Equipment 2

     -->I2

          -->H2

            --> Equipment 1
            --> Equipment 2


Now my issue (or misunderstanding) : I would like to modify the default profile log forwarding in the common object (in the hierarchy of the device groupe, common is at the top of the list). However, when i try to add my new syslog server in the default log fowarding, my new syslog doesn't appear and it's not possible to fill it (when i fill it with overriding, it disappear after i click). It is not possible to link my new syslog server to the default log forwarding in the common object. In that case, the rules in H1/H2 or I1/I2 are not forward to my new syslog.

Can you give me the right way to be able to modify this default log forwarding setting please ?

Regards,

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Thank you for the post @Maryan

 

I came across the same issue in the past with the same scenario you described.

 

The issue I have seen is, the syslog server configuration is coming from Template while log forwarding is coming from Device Group. By doing some testing, I have realized that syslog server will appear in the drop down list in log forwarding profile only if that Device Group has some firewall assigned that is linked to Template with syslog server configuration. For all Device Groups in top hierarchy that do not have any firewall assigned to, it did not show the syslog server in log forwarding profile.

 

I came up with 2 possible workarounds:

- Move one of the firewall, this could be some dummy firewall to Device Group in top of your hierarchy. If this firewall is linked to Template Stack with syslog server, you should be able to see it in dropdown list in all child Device Groups. This is not a nice way to position a firewall though.

- Alternative way would be to go to each child Device Group for each site (Equipment 1 / Equipment 2 in your case) and click on override log forwarding profile, then select syslog server from drop down list. This will be however time consuming and defeating a purpose of hierarchy of Device Group.

 

I tested both scenarios and both worked for me, however I am aware that both are not real solutions but rather workarounds. I remember, I talked to my Palo Alto partner at that time, but I could not get any solution for this, therefore I would appreciate myself if anybody has different experience or solution.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hello @PavelK,
Thanks a lot for your answer!

 

Just a question, before you did the both tests, can you tell me if the rules which (in my example H1/H2) were forward to your syslog when you overrided the template for Equipment1/2 ?

In fact i have a policy in H1/H2, and it seems that they are not forwarded to my new syslog (because the syslog server is not link to this device-group (H1/H2).

 

Regards,

 

Maryan

Cyber Elite
Cyber Elite

Thank you for reply @Maryan

I am sorry, I can't completely follow what you described. I have a feeling that the reason why you can't see the syslog server in Device Group is the fact that you will be able to override Log Forwarding profile to add Syslog server only in Device Group where Firewall is located with associated Template Stack that includes Syslog server. This is where Syslog server setting is coming from. Based on my experience, there is an order of operation. For example when I onboard a new Firewall I first push Template Stack + Device Group. Once this is applied to Firewall, I go to Device Group one more time where new Firewall is located and then override Log Forwarding Profile to add Syslog server, commit and push again to Firewall. This scenario works for me and once this is applied, I can see logs being sent from Firewall to syslog server.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
  • 2079 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!