How do I configure remote syslog forwarding for Palo Alto firewalls - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="this-article-will-describe-the-steps-required-to-configure-palo-alto-to-send-syslog-messages-to-the-rocketagent-syslog-server">This article describes the steps required to configure a Palo Alto firewall to send syslog messages to the RocketAgent syslog server</h2> <p><strong>CREATE SYSLOG PROFILE</strong></p> <ol><li>Open your Palo Alto dashboard.</li> <li>Navigate to <strong>Device > Server Profiles > Syslog</strong>.</li> <li>Click <strong>Add</strong> and enter a <strong>Name</strong> for the syslog profile, e.g. <em>RocketCyber SOC syslog</em>.</li> <li><strong>Server</strong> - the IP address of the device chosen as the collector in the RocketCyber firewall log analyzer.</li> <li><strong>Transport</strong> - select UDP. Note that UDP syslog is sent in plaintext and without delivery acknowledgement; PAN-OS also offers TCP and SSL transports, so use UDP only where the collector requires it and keep the path between the firewall and the collector on a trusted network segment.</li> <li><strong>Port</strong> - set this to 514, the standard syslog port the collector listens on; change the value if the profile shows a different port.</li> <li><strong>Format</strong> - select BSD.</li> <li><strong>Facility</strong> - leave the standard syslog default of LOG_USER unless your firewall administrator has changed the facilities in use. See more information here: <a href="https://live.paloaltonetworks.com/t5/general-topics/log-local/td-p/12122">https://live.paloaltonetworks.com/t5/general-topics/log-local/td-p/12122</a></li> <li>Click <strong>OK</strong> to save the syslog profile.</li> </ol><p><strong>CONFIGURE SYSLOG FORWARDING PROFILE</strong></p> <ol><li>Navigate to <strong>Objects > Log Forwarding</strong>, click <strong>Add</strong> and enter a name (it is common to reuse the name from above, <em>RocketCyber SOC syslog</em>).</li> <li>For each log type, severity level and WildFire verdict you want forwarded, select the syslog server profile, then click <strong>OK</strong>.</li> <li>Assign the log forwarding profile to the security rules whose traffic should be forwarded (next section). A rule without this profile sends nothing to the collector, regardless of the server profile.</li> </ol><p><strong>CONFIGURE SECURITY POLICY RULE AS LOG FORWARDING</strong></p> <ol><li>Navigate to <strong>Policies > Security</strong>.</li> <li>Click the policy rule you want to add to log forwarding.</li> <li>Select the <strong>Actions</strong> tab.</li> <li>Select the <strong>Log Forwarding</strong> profile from the dropdown (<em>RocketCyber SOC syslog</em>) and make sure <strong>Log at Session End</strong> is enabled, since a rule that does not log generates nothing to forward.</li> <li>Click <strong>OK</strong>.</li> </ol><p><strong>CONFIGURE SYSLOG FORWARDING - for System, Config, and Correlation logs</strong></p> <ol><li>Navigate to <strong>Device > Log Settings</strong>.</li> <li>For System and Correlation logs, select each severity level, select the syslog server profile, then click <strong>OK</strong>.</li> <li>For HIP Match and Config logs, click the Edit icon, select the syslog server profile, then click <strong>OK</strong>.</li> <li><strong>Commit</strong> the changes. Nothing is forwarded until the commit completes.</li> </ol> </article> </main>
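The same configuration expressed as PAN-OS configuration-mode CLI commands, added here as an example that is not part of the article and not Kaseya's or RocketCyber's own material. It is useful when the setup has to be repeated across many firewalls. The collector address 10.10.20.5, the server entry name rocketcyber-collector, the match-list names and the security rule name allow-outbound are assumptions; the profile name is the one used in the article. Lines beginning with # are annotations for the reader, not CLI input, and must be dropped before pasting.

```text
# Added example, not the article's own content. Assumed: collector 10.10.20.5,
# server entry rocketcyber-collector, rule allow-outbound, match-list names.
configure

# 1. Syslog server profile (Device > Server Profiles > Syslog): UDP/514, BSD format, LOG_USER
set shared log-settings syslog "RocketCyber SOC syslog" server rocketcyber-collector server 10.10.20.5 transport UDP port 514 format BSD facility LOG_USER

# 2. Log forwarding profile (Objects > Log Forwarding): one match-list per log type,
#    "All Logs" is the built-in filter that matches every severity / verdict
set shared log-settings profiles "RocketCyber SOC syslog" match-list traffic-all log-type traffic filter "All Logs" send-syslog "RocketCyber SOC syslog"
set shared log-settings profiles "RocketCyber SOC syslog" match-list threat-all log-type threat filter "All Logs" send-syslog "RocketCyber SOC syslog"
set shared log-settings profiles "RocketCyber SOC syslog" match-list url-all log-type url filter "All Logs" send-syslog "RocketCyber SOC syslog"
set shared log-settings profiles "RocketCyber SOC syslog" match-list wildfire-all log-type wildfire filter "All Logs" send-syslog "RocketCyber SOC syslog"

# 3. Attach the profile to a security rule and make sure the rule logs at session end
#    (Policies > Security > rule > Actions); without log-end nothing is generated to forward
set rulebase security rules allow-outbound log-setting "RocketCyber SOC syslog"
set rulebase security rules allow-outbound log-end yes

# 4. System and Config logs (Device > Log Settings)
set shared log-settings system match-list system-all filter "All Logs" send-syslog "RocketCyber SOC syslog"
set shared log-settings config match-list config-all filter "All Logs" send-syslog "RocketCyber SOC syslog"

# 5. Nothing leaves the firewall until the commit succeeds
commit
```

HIP Match and Correlation logs follow the same `match-list ... filter "All Logs" send-syslog ...` pattern under their own keyword beneath `set shared log-settings`; use `?` in the CLI to confirm the exact keyword on your PAN-OS release. On a multi-vsys firewall the `shared` profiles are visible to every vsys, which is usually what you want for a single SOC collector. After the commit, confirm delivery on the collector with `sudo tcpdump -ni any udp port 514`: with the profile above, a traffic log should arrive as a BSD line starting with `<14>`, because the PRI value is facility times 8 plus severity, and LOG_USER (1) times 8 plus informational (6) is 14. A different leading number means the facility or the profile was changed.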