
PA syslogs and change logs


L4 Transporter

Is it possible to send the syslogs for only the system changes from the PA to SolarWinds? How do you configure the PA to send the change logs to SolarWinds?

21 REPLIES 21

L6 Presenter

Hi...Yes, you can forward config logs from the PA to any syslog server including SolarWinds. 

I only want to send system and config changes to the SolarWinds server. Is that done through SNMP traps only, and how is that configured?

In "Device" --> "Log Settings" --> "System" and "Config", just select a configured Syslog profile to have the desired logs sent to that syslog profile.

--Edit--

The same can be said for SNMP.

So what works better system and config sent by syslog or by snmp traps?

I don't think there's a "better," more to do with which you can use...I played with the idea of using SNMP for "important" stuff and syslog for general logs, but in the end I just went with syslog.

Well, the thing is, I don't think they can handle, or want to deal with, threat logs on SolarWinds.

I don't see where you can choose to only send config and system logs using the syslog server.

That piece is under the log settings. Device-> Log Settings ->System.

Yes, I found that. So is that better than using the syslogs? Can you narrow down the syslogs and only send config and system logs, no threat logs? I already have SNMP traps configured and added to the location you are recommending, and it's not giving us what we need on SolarWinds.

Hello,

Yes, this is possible, as the threat logs are set in a different location. So you can have only Config and System logs sent to your SIEM or log collector, and the threat and traffic logs stay on the PAN or Panorama.

Regards,

How do you do it?

Hello,

I'm going to guess at what you are asking:

You will first need to set up a syslog profile: Device -> Server Profile -> Syslog

System logs are configured under Device ->Log Settings -> System

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-System-Logs-to-Syslog-Ser...

Config logs are configured under Device ->Log Settings -> Config

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-Config-Logs-to-Syslog-Ser...

That is, if that is all you wish to send outside of the PAN.

To export Threat and Traffic logs:


Setup a log forwarder: Objects -> Log Forwarding

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-Threat-Logs-to-Syslog-Ser...

To have policies that are triggered to be sent externally:

Within each policy: Policy -> Security -> 'Edit the Policy' -> Actions -> Log forwarding 'Select the Log forwarder you already setup'


https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-Traffic-Logs-to-Syslog-Se...


Hope this helps.

Yes, but I don't want to send the threat logs to the SolarWinds server. I don't see where this is being excluded.

It doesn't have to be excluded. If you don't set up the traffic logs to forward, they will not send to the SIEM.
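A receiver-side check for the forwarding setup discussed in this thread, added here as an example and not code from the original posts or from Palo Alto Networks: it parses the comma-separated body of PAN-OS syslog lines (the log type is the fourth CSV field, which is assumed here along with the constructed sample lines and hostname) and reports any log types other than SYSTEM and CONFIG that reach the collector, so a stray TRAFFIC or THREAT stream from an unintended Log Forwarding profile is noticed.

```python
import re
from collections import Counter

# Constructed sample of lines as a PAN-OS firewall would send them to a
# syslog server. Assumed layout: "<PRI>Mon DD HH:MM:SS host 1,receive_time,
# serial,TYPE,subtype,..." with the log type in the fourth CSV field.
# The third line is a TRAFFIC record that should not appear if only
# System and Config forwarding is configured.
SAMPLE_SYSLOG = """\
<14>Jun 10 10:41:27 PA-FW-01 1,2024/06/10 10:41:27,001901000001,SYSTEM,general,0,2024/06/10 10:41:27,,general,,0,0,general,informational,User admin logged in via Web from 10.0.0.5
<14>Jun 10 10:42:01 PA-FW-01 1,2024/06/10 10:42:01,001901000001,CONFIG,0,0,2024/06/10 10:42:01,10.0.0.5,,set,admin,Web,Succeeded,device-group
<14>Jun 10 10:42:30 PA-FW-01 1,2024/06/10 10:42:30,001901000001,TRAFFIC,end,0,2024/06/10 10:42:30,10.1.1.10,93.184.216.34,0.0.0.0,0.0.0.0,allow-web
"""

# Log types the collector is meant to receive per the thread's setup.
EXPECTED_TYPES = {"SYSTEM", "CONFIG"}

# Syslog header: priority, month, day, time, hostname, then the CSV body.
HEADER_RE = re.compile(r"^<\d+>\S+\s+\d+\s+[\d:]+\s+(\S+)\s+(.*)$")


def parse_pan_line(line):
    """Return host, serial, type and subtype of one PAN-OS syslog line, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    host, body = m.groups()
    fields = body.split(",")
    if len(fields) < 5:
        return None
    return {"host": host, "serial": fields[2],
            "type": fields[3], "subtype": fields[4]}


def audit_forwarding(text, expected=EXPECTED_TYPES):
    """Count log types seen and collect records whose type is not expected."""
    counts = Counter()
    unexpected = []
    for line in text.splitlines():
        rec = parse_pan_line(line)
        if rec is None:
            continue  # not a PAN-OS CSV line; ignore
        counts[rec["type"]] += 1
        if rec["type"] not in expected:
            unexpected.append(rec)
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = audit_forwarding(SAMPLE_SYSLOG)
    print("types received:", dict(counts))
    for rec in unexpected:
        print("unexpected log type from", rec["host"], ":", rec["type"], rec["subtype"])
```

If the unexpected list is non-empty, look for a Log Forwarding profile attached to a security policy's Actions tab that points at the same syslog server profile.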
