07-28-2020 01:27 PM
Yes. How you would go about doing so is slightly different due to the recent changes to log location in 9.1+ for GlobalProtect, but you have forwarding options across every release. What exactly are you looking to forward, and what release are you actively running?
07-29-2020 04:47 AM
I want to get connect/disconnect events and possibly session statistics.
I'm currently on 9.1.0-h3.
07-30-2020 10:46 AM
Are you actually still running 9.1.0? If so, I would migrate to a newer release so you get some of those all important bug fixes from that initial release.
More directly to your question, under your device Log Settings you would want to add entries under the GlobalProtect logs. You would simply want an entry to capture the login/logout stage, as the logout event will include the login duration field which is measured in seconds.
((stage eq login) or (stage eq logout)) and not (auth_method eq Cookie)
Note that I've selected to not show Cookie authentications, but whether or not you include that statement is up to you and your configuration. Arguably, if your syslog server has enough space you might want to just not include a filter and keep 'All Logs' specified so your syslog server gets everything, but that may not be needed in your case.
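Added example, not part of the original thread or Palo Alto Networks code: a collector-side sketch that applies the same filter logic to already-parsed events and derives per-user session statistics from the logout duration. The key names `user` and `login_duration`, the stage value `connected`, and all sample events are constructed assumptions; only `stage`, `auth_method`, `login`, `logout` and `Cookie` come from the filter above.

```python
from collections import defaultdict

# Constructed sample events, as a collector might hold them after parsing.
# Values arrive as text in syslog, so login_duration is kept as a string.
SAMPLE_EVENTS = [
    {"user": "alice", "stage": "login", "auth_method": "LDAP"},
    {"user": "alice", "stage": "connected", "auth_method": "LDAP"},
    {"user": "alice", "stage": "logout", "auth_method": "LDAP", "login_duration": "3600"},
    {"user": "bob", "stage": "login", "auth_method": "Cookie"},
    {"user": "bob", "stage": "login", "auth_method": "SAML"},
    {"user": "carol", "stage": "login", "auth_method": "LDAP"},
    {"user": "carol", "stage": "logout", "auth_method": "LDAP", "login_duration": "120"},
    {"user": "carol", "stage": "login", "auth_method": "LDAP"},
]


def matches_filter(ev):
    """((stage eq login) or (stage eq logout)) and not (auth_method eq Cookie)"""
    return ev.get("stage") in ("login", "logout") and ev.get("auth_method") != "Cookie"


def session_stats(events):
    """Count logins/logouts per user and sum the seconds reported on logout."""
    stats = defaultdict(lambda: {"logins": 0, "logouts": 0, "seconds": 0})
    for ev in filter(matches_filter, events):
        entry = stats[ev["user"]]
        if ev["stage"] == "login":
            entry["logins"] += 1
        else:
            entry["logouts"] += 1
            # A missing or empty duration counts as 0 instead of raising.
            entry["seconds"] += int(ev.get("login_duration") or 0)
    return dict(stats)


def open_sessions(stats):
    """Users with more logins than logouts, i.e. apparently still connected."""
    return sorted(u for u, s in stats.items() if s["logins"] > s["logouts"])


if __name__ == "__main__":
    result = session_stats(SAMPLE_EVENTS)
    for user, entry in sorted(result.items()):
        print(user, entry)
    print("open:", open_sessions(result))
```
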
07-31-2020 01:11 PM
I got vpn event syslog forwarding to work with the configuration step you specified, but the Syslog Server Profile I used had to also be associated with a Log Forwarding Profile. In the Log Forwarding Profile where you specify the Log Type (eg. auth, traffic, tunnel) it did not matter what I used.
07-31-2020 01:19 PM
The wording of your post above was kind of garbled. Are you still having an issue with this or are you good at this point?
07-31-2020 01:24 PM
Sorry for the confusion. It's working, regardless of the Log Forwarding Profile Log Type specified.
08-03-2020 05:52 AM
So now that it's working, I'd like to be able to send through an IPsec tunnel to a collector on the other end.
I have set my SysLog Server profile with the target IP address, but the logs aren't getting into the tunnel.
Is there a trick to accomplish this?
08-03-2020 06:22 AM
It's now getting into the tunnel. I had to set a source interface/address on the syslog service route.