Configure remote syslog forwarding for Palo Alto firewalls

This article describes the steps required to configure a Palo Alto firewall to send syslog messages to the RocketAgent Syslog Server.

Create Syslog Profile

  1. Open your Palo Alto dashboard.
  2. Navigate to Device > Server Profiles > Syslog
  3. Click Add and enter a Name for the syslog profile, e.g. RocketCyber SOC syslog
  4. Server - the IP address of the device selected in the RocketCyber firewall log analyzer
  5. Transport - select UDP
  6. Port - the default Palo Alto port is 1514; change this to 514
  7. Format - select BSD
  8. Facility - the default standard syslog value should be set to LOG_USER unless facilities have been modified by your FW admin. See more info here: https://live.paloaltonetworks.com/t5/general-topics/log-local/td-p/12122
  9. Click OK to save the syslog profile

Configure Syslog Forwarding Profile

  1. Navigate to Objects > Log Forwarding, click Add and enter a name (it is common to use the same name as above, e.g. RocketCyber SOC syslog).
  2. For each log type, severity level and Wildfire verdict, select the syslog server profile, and click OK.
  3. Assign the log forwarding profile to security rules.

Configure Security Policy Rule As Log Forwarding

  1. Navigate to Policies > Security
  2. Click the policy that should forward its logs.
  3. Select Actions.
  4. Select the Log Forwarding Profile from the dropdown, e.g. RocketCyber SOC syslog
  5. Click OK

Configure Syslog Forwarding - for System, Config, and Correlation logs

  1. Navigate to Device > Log Settings
  2. For system and correlation logs, select each severity level, select the Syslog server profile, then click OK.
  3. For HIP match, config and correlation logs, select the Edit icon, select the Syslog server profile, then click OK.
  4. Commit the changes.
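
After the commit, the settings chosen in the syslog profile (UDP, port 514, BSD format, LOG_USER facility) can be checked against what actually arrives on the wire. The following is an added example, not part of the original article or of RocketCyber's tooling; the hostname PA-FW01 and the sample message bodies are constructed for illustration.

```python
import re
import socket

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
BSD_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$",
    re.DOTALL,
)
LOG_USER = 1  # syslog facility code for LOG_USER

def parse_bsd(datagram: bytes):
    """Return header fields of a BSD syslog datagram, or None if it is not BSD format."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = BSD_RE.match(text)
    if m is None or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": f"{m.group(2)} {m.group(3)} {m.group(4)}",
            "host": m.group(5), "message": m.group(6)}

def check(datagram: bytes, expected_facility: int = LOG_USER) -> str:
    """Compare one datagram against the Format and Facility chosen in the profile."""
    rec = parse_bsd(datagram)
    if rec is None:
        return "not BSD: check the Format setting"
    if rec["facility"] != expected_facility:
        return f"facility {rec['facility']}: check the Facility setting"
    return "ok"

# Constructed samples (hostname and message body are made up, not real firewall output).
SAMPLE_OK = b"<14>Mar  3 10:15:42 PA-FW01 1,2024/03/03 10:15:42,TRAFFIC,end\n"
SAMPLE_IETF = b"<14>1 2024-03-03T10:15:42Z PA-FW01 - - - - 1,TRAFFIC,end\n"
SAMPLE_LOCAL0 = b"<134>Mar  3 10:15:42 PA-FW01 1,2024/03/03 10:15:42,TRAFFIC,end\n"

def listen(bind_addr: str = "0.0.0.0", port: int = 514, count: int = 5):
    """Print the verdict for the first `count` UDP datagrams (port 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        for _ in range(count):
            data, (src, _port) = sock.recvfrom(65535)
            print(src, check(data), parse_bsd(data))

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_IETF, SAMPLE_LOCAL0):
        print(check(sample))
```

`listen()` binds UDP 514 itself, so call it only on a host where no other syslog service is holding that port.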
