Sending Before Change and After Change details in Panorama to Syslog



L1 Bithead

I've been testing the logging of change events to a syslog server from Panorama. Syslog events indicate a change made by a person and the general section of the change without giving any specific details of what was changed. Looking in Panorama in the Monitor tab I can see the change event and some details that are sent to syslog, but the details of the configuration change as displayed in the Before Change and After Change fields are all missing. Is there a way to include those fields as part of a syslog event when a configuration item is changed?

Here is the syslog event as recorded by Wireshark. The time, command, username, IP of the system making the change, Result, Configuration Path and Sequence No. all show up in the syslog entry. However, the details of the change do not.

Capture2.JPG

The information I want sent in the syslog is highlighted below.

Capture1.JPG

Does anyone know how to include the Before/After Change details as part of the syslog event? Remember this is on Panorama.

Thanks!

Sc


L5 Sessionator

Have you added the "after-change-detail" and the "before-change-detail" fields under the syslog server profile settings as shown below?

Panorama--->server profiles--->Syslog-->Syslog-server-profile--->custom log format--->config

syslog setting.JPG

BR,

Karthik

L4 Transporter

Hello,

Looking at the image below: yes, for the config logs we do have the Before and After Change fields to be sent out through Syslog from Panorama.

I took a lab device to share this image; it was on 5.1.1 and I did not test with 5.0.X images. What version are you running?

Also, if in the Wireshark capture the PAN is not generating the fields for Before and After Change, then please open a case with us and upload the Wireshark captures, and we will be happy to get this going for you.

before-after.PNG

I did this and still I do not see the Before Change and After Change details in my Splunk logs. Also, we are on 8.1.15.


Abdulmunem_0-1600194746448.png


@Abdulmunem 


I am running 8.1.9 and I have my syslog custom log format set to default.

It seems the default includes all the fields, and I can see Before and After Change in my SIEM logs.


Regards


MP
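To verify on the receiving side whether a profile change like the one Karthik describes (or the default format MP mentions) actually delivers the two fields, here is an added Python check that is not part of this thread or of any Palo Alto Networks tool. It parses constructed Panorama CONFIG syslog lines and flags change events that arrived with both detail fields empty; the CSV field order is an assumption modelled on the PAN-OS 8.1 config log layout, so check it against the documentation for your version.

```python
import csv
import io
import re

# Assumed CONFIG-log CSV field order (after the syslog header); verify against
# the PAN-OS documentation for your version.
CONFIG_FIELDS = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "host", "vsys", "command", "admin", "client", "result",
    "config_path", "before_change_detail", "after_change_detail", "seqno",
    "action_flags",
]

# Constructed sample lines (not real device output): the first from a profile
# whose custom format omits the change details, the second with them present.
SAMPLE_LINES = [
    "<14>Sep 15 14:20:01 panorama 1,2020/09/15 14:20:01,007200001234,CONFIG,0,0,"
    "2020/09/15 14:20:01,10.0.0.5,,edit,admin,Web,Succeeded,"
    " device-group dg1 pre-rulebase security rules rule1,,,1234,0x0",
    "<14>Sep 15 14:21:10 panorama 1,2020/09/15 14:21:10,007200001234,CONFIG,0,0,"
    "2020/09/15 14:21:10,10.0.0.5,,edit,admin,Web,Succeeded,"
    " device-group dg1 pre-rulebase security rules rule1,"
    '"action deny","action allow",1235,0x0',
]

# RFC 3164-style header "<PRI>Mon dd hh:mm:ss host " followed by the CSV body
_HEADER = re.compile(r"^<\d+>\S+ +\d+ [\d:]+ \S+ (?P<body>.*)$")

def parse_config_line(line):
    """Return the CONFIG-log fields as a dict, or None for any other log type."""
    m = _HEADER.match(line)
    body = m.group("body") if m else line
    row = next(csv.reader(io.StringIO(body)))  # csv handles quoted commas
    if len(row) < len(CONFIG_FIELDS) or row[3] != "CONFIG":
        return None
    rec = dict(zip(CONFIG_FIELDS, row))
    rec["config_path"] = rec["config_path"].strip()
    return rec

def missing_change_details(lines):
    """Sequence numbers of successful changes carrying neither detail field.
    'add' has no before-detail and 'delete' no after-detail, so only lines
    with both empty indicate a log format that drops the fields."""
    flagged = []
    for line in lines:
        rec = parse_config_line(line)
        if rec and rec["result"] == "Succeeded" and not (
                rec["before_change_detail"] or rec["after_change_detail"]):
            flagged.append(rec["seqno"])
    return flagged
```

Feed it the lines your collector actually received; for the constructed input, `missing_change_details(SAMPLE_LINES)` returns `['1234']`, the event whose profile dropped the fields.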
