Syslogs vs. Traffic Logs in Monitor

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Syslogs vs. Traffic Logs in Monitor

L0 Member

Good evening,

 

I am working on a project that requires the use of threat logs and traffic logs of an institution with which I am affiliated. Our security manager can provide me access to our threat logs via the Monitor tab in PAN-OS. However, we are experiencing difficulty finding the traffic logs I need.

 

I am looking for specific traffic logs, including the following features described in Traffic Log Fields:

  • Serial Number
  • Type
  • Threat/Content Type
  • Generate Time
  • Session ID
  • Repeat Count
  • Flags
  • Action
  • Bytes
  • Bytes Sent, Bytes Received
  • Packets, Packets Sent, Packets Received
  • Start Time
  • Elapsed Time
  • Session End Reason
  • Device Name

In conversations with the security manager, he says, "that articles refers to what you can push to syslog.. our logrythm system. Not what you can see on their logs. I am trying to see what else we can view." When I asked for clarification, he stated, "The document you cite is in regards to data sent to syslogs, not what is actually available via our log export on the traffic section of monitor." He isn't sure how or where we can find the aforementioned data features I am looking for.

 

I have two questions:

  1. Is there a relatively easy way for someone who has access to PAN-OS to download traffic log data containing those fields?
  2. What is the difference between the logs in Monitor versus those in the Syslog?
  3. What data is available via log export from the web interface? Can I include the fields in my list above that are missing from the logs he found in the web interface?

Thank you so much for your help. I am brand new to PAN-OS, and my coworker is doing me a favor by getting logs for me, so I want to be sure we can find them before I ask him to look again.

1 REPLY 1

Cyber Elite
Cyber Elite

logs that are forwarded to syslog need to have some fields added to be 'compatible' with syslog that don't necessarily make sense in the firewall's own log views (threat has its own view vs traffic, so in the GUI they're split up while in syslog some need to be combined to make sense to the syslog server)

The unified log view offers more 'fields' to pick from as it combines those separate logs in one view, you will be able to pick the ones you need from there and export as csv

 

2020-12-23_10-28-19.jpg

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2866 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!