syslog forwarding
Showing results for 
Search instead for 
Did you mean: 

syslog forwarding

L4 Transporter

I have  everything configured to send syslog information from the palo alto to one of our syslog server. My issue is that none of the security policy IP ranges allows me to send the syslog information for a specific IP address that is going out to the internet at least that I can find. Any ideas would be appreciated


L7 Applicator

I'm not sure I understand the question.

syslog traffic will source from your mgmt interface and ip address.

Is your syslog server out the internet side of your Palo Alto then?

You would need a policy that permits your mgmt address out to untrust and probably a nat policy to the interface address for the traffic as well.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

Hi Jprovine,

I am agree with Mr. Steven, please the check the service route for syslog and check the traffic logs. traffic is allowing or blocking by firewall.




what I am saying is that I had no problem configuring syslog to a Linux server I have. The issue is that I want to track a specific IP address, so I want to collect the traffic from and internal IP address to the internet and I want to know if there is a way to be that granular. I have created my syslog forwarder and now I am going through the security policies and adding it as an action to forward the logs to my syslog server but I am getting a lot more information than I want. Instead of a rand of 136.155.x.0-136.155.x.254 I only want the information coming from to the internet to captured and forwarded to the syslog server.

L4 Transporter

Hi Jprovine,

As my understand, you need to create custom report as per your requirement but i am sure about it. it will work or not.




No I am forwarding  from the PA  logs to an external log server

My 2 cents and i am pretty sure you would have done it, but to make sure:

please have a standalone syslog server, create a security policy that specifically works on the interested ip address and then forward it to syslog server.

with that you should only see the traffic generated by that particular ip.



Hi Harry

Yes I had been thinking that very thing

I have a security policy that has that IP and a wide range of IP's in it, I was considering creating a security policy with that specific IP address I want to monitor and put it above the current one. What I don't know it what that will do to my traffic, will it just say that the rules are shadowing each other or will it interrupt traffic or anything else negative?


thanks, if you put that above the rest of the traffic, it should not affect anything else, palo would simply see it as another acl,

you may,get a warning when commiting that the rules are shadowing, but it's fair to live with,

if your bottom rules have a broader ip range, like a subnet , and the above rule has just an ip, it should not show that warning.too.

let me know how it goes.



Have you ever know of anyone to try to be this granular in the collection of logs?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!