Our PAN is in an L3 config, and our syslog server is in a virtual-wire zone.
Basically, if I look at monitor/traffic or monitor/session browser, I'm simply swamped with syslog messages as everything is being syslogged once as the PAN management NIC goes from trust (LAN) to untrust, then again as it goes through the vwire-untrust to the vwire-dmz.
Is there any way to reduce this at all please?
Thanks in advance.
Thanks James, that's what I've done in the interim; I didn't know if there was a "smarter" way of tackling it, was all?
We don't really need real-time logging, we just want some off-box logging, and my limited experience of the FTP export found it a bit hit and miss as you have to look in several places to marry up all the data.
I have to say as an aside, this thing rocks. I set up a vwire today and it's saved me having to totally re-IP (is that a word?!) our websites and services on our DMZ hosts to be able to do application recognition, decryption and IPS.
This would be the only option - as we must log (as a security device) everything we see and where we see it, unless the administrator configures the PA appliance not to.
You are right that FTP export does not correlate the data for you - the two items to look at when cross-referencing logs are the time and the session ID. Session IDs do wrap, but within a time frame they are unique - the session ID is a "tag" PAN-OS puts on the logs for this purpose (and other purposes).
Good to hear the DMZ insertion worked well for you - VWire is very handy. It's also nice that you can mix and match deployment modes in one box.
Aaah, OK - now I get you.
Try using the service route configuration under the Device tab - main setup screen. You'll need to scroll down to see it. You can then change the source of the syslog traffic to be an alternative L3 Interface - so you could plug another L3 interface into the DMZ and use it just for logging.
Ah I never spotted that! Thank you.
To be honest, right now it's not much better, simply because even if I change the L3 interface it would have to cross zones to get to the syslog box on the vwire.
As it stands with the "no log" policy it looks like the logs are clear and the syslog stuff only shows up in the session browser, which of course it has to because it's active traffic.
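The two suggestions in this thread (a dedicated service route for syslog plus a narrow "no log" rule for the firewall's own syslog stream) in PAN-OS set-command form, as an added illustration that is not from any post above. The rule name, zone names, interface ethernet1/4 and all addresses are assumed placeholders; adjust them to the zones the syslog stream actually crosses in your deployment.

```text
# Constructed example, not from the thread. Assumed values:
#   dedicated logging L3 interface   ethernet1/4, 192.0.2.5/24 (plugged into the DMZ)
#   syslog server on the vwire DMZ   192.0.2.50
#   zones                            vwire-untrust -> vwire-dmz
configure

# 1) Source the firewall's own syslog from the dedicated L3 interface
#    instead of the management NIC (Device > Setup > Services > Service Route)
set deviceconfig system route service syslog source interface ethernet1/4
set deviceconfig system route service syslog source address 192.0.2.5/24

# 2) Match ONLY the firewall's own syslog stream and switch off logging for it.
#    Keep the match narrow (exact source, destination and application) so that
#    every other session in these zones is still logged at session end.
set rulebase security rules fw-syslog-nolog from vwire-untrust
set rulebase security rules fw-syslog-nolog to vwire-dmz
set rulebase security rules fw-syslog-nolog source 192.0.2.5
set rulebase security rules fw-syslog-nolog destination 192.0.2.50
set rulebase security rules fw-syslog-nolog application syslog
set rulebase security rules fw-syslog-nolog service application-default
set rulebase security rules fw-syslog-nolog action allow
set rulebase security rules fw-syslog-nolog log-start no
set rulebase security rules fw-syslog-nolog log-end no

# 3) Ordinary rules keep the default end-of-session logging (assumed rule name)
set rulebase security rules lan-to-dmz log-end yes

commit
```

After the commit, the session browser still shows the syslog session as active traffic, but Monitor > Traffic should only drop the entries matched by the narrow rule; anything else that disappears means the match is too broad.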