This article will describe the steps required to configure Palo Alto to send Syslog messages to the RocketAgent Syslog Server
CREATE SYSLOG PROFILE
- Open your Palo Alto dashboard.
- Navigate to Devices > Server Profiles > Syslog
- Click Add and enter a Name for the syslog profile, i.e. RocketCyber SOC syslog
Server - the IP address of the specified device chosen in the RocketCyber firewall log analyzer
Transport - select UDP
Port - the default Palo Alto port is 1514, change this to 514
Format - select BSD
Facility - the default standard syslog value should be set to LOG_USER
- Click OK to save the syslog profile
CONFIGURE SYSLOG FORWARDING PROFILE
- Navigate to Objects > Log Forwarding, click Add and Enter a name (common to use the same as above ~ RocketCyber SOC syslog.
- For each log type, severity level and Wildfire verdict, select the syslog server profile, and click OK.
- Assign the log forwarding profile to security rules.
Optional - CONFIGURE SECURITY POLICY RULE AS LOG FORWARDING
- Navigate to Policies > Security
- Click the policy desired to be added to the log forwarding.
- Select Actions.
- Select Log Forwarding Profile from dropdown ~RocketCyber SOC syslog
- Click OK