Yes. How you would go about doing so is slightly different due to the recent changes to log location in 9.1+ for GlobalProtect, but you have forwarding options across every release. What exactly are you looking to forward, and what what release are you actively running?
Are you actually still running 9.1.0? If so, I would migrate to a newer release so you get some of those all important bug fixes from that initial release.
More directly to your question, under your device Log Settings you would want to add entries under the GlobalProtect logs. You would simply want an entry to capture the login/logout stage, as the logout event will include the login duration field which is measured in seconds.
((stage eq login) or (stage eq logout)) and not (auth_method eq Cookie)
Note that I've selected to not show Cookie authentications, but whether or not you include that statement is up to you and your configuration. Arguably, if your syslog server has enough space you might want to just not include a filter and keep 'All Logs' specified so your syslog server gets everything, but that may not be needed in your case.
I got vpn event syslog forwarding to work with the configuration step you specified, but the Syslog Server Profile I used had to also be associated with a Log Forwarding Profile. In the Log Forwarding Profile where you specify the Log Type (eg. auth, traffic, tunnel) it did not matter what I used.
So now that it's working, I'd like to be able to send thru an IPsec tunnel to a collector on the other end.
I have set my SysLog Server profile with the target IP address, but the logs aren't getting into the tunnel.
Is there a trick to accomplish this?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!