This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Syslogs vs. Traffic Logs in Monitor

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Syslogs vs. Traffic Logs in Monitor

mjackson1
L0 Member

‎12-22-2020 05:11 PM

Good evening,

 

I am working on a project that requires the use of threat logs and traffic logs of an institution with which I am affiliated. Our security manager can provide me access to our threat logs via the Monitor tab in PAN-OS. However, we are experiencing difficulty finding the traffic logs I need.

 

I am looking for specific traffic logs, including the following features described in Traffic Log Fields:

  • Serial Number
  • Type
  • Threat/Content Type
  • Generate Time
  • Session ID
  • Repeat Count
  • Flags
  • Action
  • Bytes
  • Bytes Sent, Bytes Received
  • Packets, Packets Sent, Packets Received
  • Start Time
  • Elapsed Time
  • Session End Reason
  • Device Name

In conversations with the security manager, he says, "that articles refers to what you can push to syslog.. our logrythm system. Not what you can see on their logs. I am trying to see what else we can view." When I asked for clarification, he stated, "The document you cite is in regards to data sent to syslogs, not what is actually available via our log export on the traffic section of monitor." He isn't sure how or where we can find the aforementioned data features I am looking for.

 

I have two questions:

  1. Is there a relatively easy way for someone who has access to PAN-OS to download traffic log data containing those fields?
  2. What is the difference between the logs in Monitor versus those in the Syslog?
  3. What data is available via log export from the web interface? Can I include the fields in my list above that are missing from the logs he found in the web interface?

Thank you so much for your help. I am brand new to PAN-OS, and my coworker is doing me a favor by getting logs for me, so I want to be sure we can find them before I ask him to look again.

1 person had this problem.
0 Likes Likes
1 REPLY 1

reaper
Cyber Elite
Cyber Elite

‎12-23-2020 01:34 AM

logs that are forwarded to syslog need to have some fields added to be 'compatible' with syslog that don't necessarily make sense in the firewall's own log views (threat has its own view vs traffic, so in the GUI they're split up while in syslog some need to be combined to make sense to the syslog server)

The unified log view offers more 'fields' to pick from as it combines those separate logs in one view, you will be able to pick the ones you need from there and export as csv

 

2020-12-23_10-28-19.jpg

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 2265 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks