We have a PA with version 9.0.4 and have to configure syslog server log forwarding on it. I created a (syslog) server profile. Now, when creating the "Log Forwarding Profile", there are options "forward method" and "built-in-action" available, which do not give much clarity about what needs to be configured there. I referred to a few articles available on the Internet, but none gives much clarity on the configuration side.
Requesting suggestions for further configuration.
You will be using the forward portion of the Log Forwarding Profile.
Create the profile.
Add in what notifications you want (Threat logs... ok... ALL logs?... log geq medium? ok.)
Where do you want these log messages to be fwd to? SNMP, email, syslog, Panorama. ok... good
Next, modify your security policy and apply the log forward profile to whatever rules you want to be, well, log forwarded to.
Let me know how else I can assist.
What if we configure it another way? We found some more ways, probably (other than the Log Forwarding Profile):
1- Configure Syslog Server Profile
2- Device - Log Setting - System -> call Syslog Server created in profile -> Filter logs as per levels Critical, High, Informational, Low, Medium.
Once configured, commit.
Isn't this also a correct way?
Well, that will work only if there are SYSTEM logs that match the various levels.
But if a CRITICAL malware or vulnerability came through the FW, this would NOT show up as a SYSTEM log message, and would not be forwarded.
If the concern is about SYSTEM logs.. that is fine.. but you are missing out on 99% of the threat notifications on the FW.
Is this what you are intending?
Thanks for the quick and instant responses.
Well, we need to check with the client what they are actually intending. If they are OK with system logs, then we are almost done, as you rightly said, with the "Log setting" options.
But if they want Threat and other related logs to be available on syslog, then we have to go for the "LFP" option.
One more point at this moment: where do we get the option to set log levels (Critical, High, Informational, Low, Medium) under the Log Forwarding Profile option? I can't find these anywhere there...
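The two forwarding paths discussed in this thread, side by side as PAN-OS configure-mode commands. This is an added example, not part of any post above. It assumes a single-vsys firewall (hence `shared`); the profile, server, match-list and rule names and the 192.0.2.10 address are placeholders, and the `#` lines are annotations, not commands.

```text
# Syslog server profile (placeholder names and documentation-range address)
set shared log-settings syslog Syslog-Profile server Syslog-Server server 192.0.2.10
set shared log-settings syslog Syslog-Profile server Syslog-Server transport UDP
set shared log-settings syslog Syslog-Profile server Syslog-Server port 514
set shared log-settings syslog Syslog-Profile server Syslog-Server format BSD
set shared log-settings syslog Syslog-Profile server Syslog-Server facility LOG_USER

# Path 1: Log Forwarding Profile. Each match-list picks a log type and a filter;
# the severity condition ("geq medium", as in the reply above) goes in the filter.
set shared log-settings profiles LFP-Syslog match-list threat-medium-up log-type threat
set shared log-settings profiles LFP-Syslog match-list threat-medium-up filter "(severity geq medium)"
set shared log-settings profiles LFP-Syslog match-list threat-medium-up send-syslog Syslog-Profile

# The profile forwards nothing until it is attached to a security rule
# (Example-Rule is a placeholder for an existing rule).
set rulebase security rules Example-Rule log-setting LFP-Syslog

# Path 2: Device > Log Settings > System. Covers SYSTEM logs only;
# threat logs never take this path.
set shared log-settings system match-list system-all filter "All Logs"
set shared log-settings system match-list system-all send-syslog Syslog-Profile

commit
```

After the commit, threat logs should reach the collector only for traffic that matches a rule carrying the profile, so confirm on the syslog side which rules are actually covered.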