syslog forwarding

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

syslog forwarding

L4 Transporter

I have  everything configured to send syslog information from the palo alto to one of our syslog server. My issue is that none of the security policy IP ranges allows me to send the syslog information for a specific IP address that is going out to the internet at least that I can find. Any ideas would be appreciated

14 REPLIES 14

L7 Applicator

I'm not sure I understand the question.

syslog traffic will source from your mgmt interface and ip address.

Is your syslog server out the internet side of your Palo Alto then?

You would need a policy that permits your mgmt address out to untrust and probably a nat policy to the interface address for the traffic as well.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

Hi Jprovine,

I am agree with Mr. Steven, please the check the service route for syslog and check the traffic logs. traffic is allowing or blocking by firewall.

service.PNG

Regards

Satish

what I am saying is that I had no problem configuring syslog to a Linux server I have. The issue is that I want to track a specific IP address, so I want to collect the traffic from and internal IP address to the internet and I want to know if there is a way to be that granular. I have created my syslog forwarder and now I am going through the security policies and adding it as an action to forward the logs to my syslog server but I am getting a lot more information than I want. Instead of a rand of 136.155.x.0-136.155.x.254 I only want the information coming from 136.155.0.64 to the internet to captured and forwarded to the syslog server.

L4 Transporter

Hi Jprovine,

As my understand, you need to create custom report as per your requirement but i am sure about it. it will work or not.

report1.PNG

Regards

Satish

No I am forwarding  from the PA  logs to an external log server

My 2 cents and i am pretty sure you would have done it, but to make sure:

please have a standalone syslog server, create a security policy that specifically works on the interested ip address and then forward it to syslog server.

with that you should only see the traffic generated by that particular ip.

Regards,

~Harry

Hi Harry

Yes I had been thinking that very thing

I have a security policy that has that IP and a wide range of IP's in it, I was considering creating a security policy with that specific IP address I want to monitor and put it above the current one. What I don't know it what that will do to my traffic, will it just say that the rules are shadowing each other or will it interrupt traffic or anything else negative?

Hi,

thanks, if you put that above the rest of the traffic, it should not affect anything else, palo would simply see it as another acl,

you may,get a warning when commiting that the rules are shadowing, but it's fair to live with,

if your bottom rules have a broader ip range, like a subnet , and the above rule has just an ip, it should not show that warning.too.

let me know how it goes.

Regards,

~Harry

Have you ever know of anyone to try to be this granular in the collection of logs?

Typically we gather all the syslog data to the syslog server then use that server's reporting feature to pull out the information on the specific ip address across all systems that are logging, rather than only log for one ip address in traffic.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

This is how my management has requested it be done so and how the our PA rep send it could be done so we are trying it

jprovine wrote:

Yes I had been thinking that very thing

I have a security policy that has that IP and a wide range of IP's in it, I was considering creating a security policy with that specific IP address I want to monitor and put it above the current one. What I don't know it what that will do to my traffic, will it just say that the rules are shadowing each other or will it interrupt traffic or anything else negative?

You will need to be careful about shadowing rules with this approach.  And you are correct that to only syslog for these particular addresses you will need to isolate them to their own rules.  then the log portion of the rule will contain your syslog server but none of your other rules will contain this log forwarding profile.

If you create the rule too broadly you can give this user or segment more access than they should have so be careful with the rule construction.

the safest approach would be to clone every rule this address may match and make the first of the two rules only have this ip address as the source or destination with the rest of the rule the same.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I configured it and got it working with no shadowing and without compromising security

Glad to hear you have it all worked out.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 4480 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!