Log System setting


L1 Bithead

I want to set up messages to be sent to email Log Settings - Config
I want every user who connects to the admin to receive an email no matter where the Web or CLI or IP source comes from.

@filter builder

(severity eq informational) and (description contains 'logged in via WEB') or (description contains 'logged in via CLI')

 

This is the filter I configured, but only CLI works.
Am I missing something?

 

I would appreciate your help.


Cyber Elite

Hello @Shalev

 

thanks for posting.

 

To me it looks like there is an issue with upper/lower case. Could you change it to: "logged in via Web"?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L4 Transporter

Hello,

Change the filter to:

(severity eq informational) and (description contains 'logged in via Web') or (description contains 'logged in via CLI')

 

This should help.

 

Anoopkumar
Network Security Engineer

This does not work

Cyber Elite

Hello @Shalev

 

Could you post a screenshot with the current filter you put in?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Screenshot 2023-07-18 130446.png

L4 Transporter

Hello,

I just checked this query from one of my firewalls and the results are as expected. You will need to log in to the GUI and CLI to regenerate the alerts.

 

 

Anoopkumar
Network Security Engineer

I exited and entered the FW, and I only have a notification about CLI and not about Web.

L1 Bithead

I succeeded.
For general knowledge, this is the command: (severity eq informational) and ( description contains 'logged in via Web from') or (description contains 'logged in via CLI')

Cyber Elite

@Shalev,

A couple notes:

  • The filter you're using really should be grouped to the following: "(severity eq informational) and ((description contains 'logged in via Web from') or (description contains 'logged in via CLI'))". What you have is functional, but the search is looking for an informational event with 'logged in via Web from' in the description or any event with 'logged in via CLI' as presently written.
  • You don't need informational in this at all. You've targeted the description enough that you'll get your events regardless of that being included or not. It's just kind of extra at this point; it's not harming anything but it also isn't needed.
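The grouping point from the last reply, as an added example that is not part of the original thread and is not Palo Alto Networks code: a minimal evaluator for the filter syntax used above, run over constructed system-log entries. It assumes `and` binds tighter than `or` when no grouping is given and that `contains` is case-sensitive; neither is confirmed by the thread beyond the behaviour the posters describe.

```python
import re

# Constructed sample system-log entries (not taken from a real firewall).
LOGS = [
    {"severity": "informational", "description": "User admin logged in via Web from 192.0.2.10 using https"},
    {"severity": "informational", "description": "User admin logged in via CLI from 192.0.2.10"},
    {"severity": "high", "description": "User svc logged in via CLI from 198.51.100.7"},
    {"severity": "informational", "description": "Config commit completed"},
]

def parse_or(toks):
    pred = parse_and(toks)
    while toks and toks[0] == "or":
        toks.pop(0)
        pred = (lambda a, b: lambda e: a(e) or b(e))(pred, parse_and(toks))
    return pred

def parse_and(toks):
    # Assumption: 'and' binds tighter than 'or' when no grouping is given.
    pred = parse_atom(toks)
    while toks and toks[0] == "and":
        toks.pop(0)
        pred = (lambda a, b: lambda e: a(e) and b(e))(pred, parse_atom(toks))
    return pred

def parse_atom(toks):
    if toks[0] == "(":
        toks.pop(0)
        pred = parse_or(toks)
        if toks.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
        return pred
    field, op, value = toks.pop(0), toks.pop(0), toks.pop(0).strip("'")
    if op == "eq":
        return lambda e: e[field] == value
    if op == "contains":
        # Assumption: substring match is case-sensitive.
        return lambda e: value in e[field]
    raise ValueError(f"unsupported operator: {op}")

def matches(filter_text, logs=LOGS):
    # Tokens: parentheses, single-quoted strings, bare words.
    toks = re.findall(r"\(|\)|'[^']*'|[^\s()']+", filter_text)
    pred = parse_or(toks)
    return [i for i, e in enumerate(logs) if pred(e)]

AS_POSTED = "(severity eq informational) and (description contains 'logged in via WEB') or (description contains 'logged in via CLI')"
UNGROUPED = "(severity eq informational) and ( description contains 'logged in via Web from') or (description contains 'logged in via CLI')"
GROUPED = "(severity eq informational) and ((description contains 'logged in via Web from') or (description contains 'logged in via CLI'))"
```

`matches(UNGROUPED)` also returns the constructed `high`-severity CLI entry, while `matches(GROUPED)` limits both description checks to informational events.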