I've been testing the logging of change events to a syslog server from Panorama. Syslog events indicate a change made by a person and the general section of the change without giving any specific details of what was changed. Looking in Panorama in the Monitor tab I can see the change event and some details that are sent to syslog, but the details of the configuration change as displayed in the Before Change and After Change fields all missing. Is there a way to include those fields as part of a syslog event when a configuration item is changed?
Here is the syslog event as recorded by Wireshark. The time, command, username, IP of system making the change, Result, Configuration Path and Sequence No. all show up in the syslog entry. However the details of the change are not.
The information I want sent in the syslog is highlighted below.
Does anyone know how to include the Before/After Change details as part of the syslog event? Remember this is on Panorama.
Thanks!
Sc
Have you added the "After-change-deetail" and the "before-change-detail" under the syslog server profilesettings as shown below ?
Panorama--->server profiles--->Syslog-->Syslog-server-profile--->custom log format--->config
BR,
Karthik
Hello,
Looking at the below image, Yes for the config logs we do have the before and after change fields to be sent out through the Syslog through the panorama.
I took a lab device to share this image, it was on 5.1.1 and I did not test with 5.0.X images. What version are you having ?
Also if in the wireshark if the PAN is not generating the fields for Before and After change then pls open a case with us and upload the wiresharks and we will be happy to get this going for you.
I did this and still, I do not see the before the change and after the change in my Splunk logs. Also, we are on 8.1.15
