Create a Remote Log Source - Palo Alto Firewall


Use this document to configure a Palo Alto Networks firewall as a remote device (log source) that forwards its logs to a Log Relay (remote log collector).



Pre-deployment considerations


Before you begin, review the following requirements:


Log Relay

For remote log collection, you must have a Log Relay server on your account.


Assumptions

  • The firewall is running PAN-OS version 8.1.x

  • The device is already set up and configured with the security policies that are needed

  • The firewall can reach the Log Relay on TCP port 10206 (allow this traffic on any intermediate firewalls or security groups)



Forwarding traffic logs from a Palo Alto Networks firewall to a syslog server has four main steps:

  1. Create a syslog server profile

  2. Create a log forwarding profile

  3. Use the log forwarding profile in your security policy

  4. Commit the changes

The documentation below outlines steps 1-3. Remember to commit afterwards: nothing is forwarded until the candidate configuration is committed.

Create a Syslog Server Profile


  1. Log into the Palo Alto console.

  2. Select Device, then select Server Profiles, followed by Syslog.

  3. In the bottom left-side of the screen, click Add to create a new server profile.

  4. In the Syslog Server Profile window, in the Name field, enter Log Relay Syslog Server Profile.

    1. Click Servers, then click Add to create a new server.

      1. Name the server Log Relay Input.

      2. In Syslog Server, input the IP address of the log relay.

      3. Set the Transport to TCP.

      4. Set the Port to 10206.

      5. Set the Format to BSD.

      6. Set the Facility to LOG_USER.

    2. On the Custom Log Format tab, change the Custom Format of each log type to the text provided in the table below.

    3. Click OK.

  5. Select Device, then select Log Settings.

  6. For each of the log types displayed (System, Configuration, User-ID, and HIP Match), click Add to add a new field to the table.

  7. In Name, input a name that corresponds to the log type.

  8. Set the Filter to All Logs.

  9. In the Syslog section, click Add, then select the Log Relay Syslog Server Profile that you created in step 4.

  10. Click OK.

  11. Repeat steps 6-10 for each of the log types.


Create a Log Forwarding Profile


  1. Select Objects, then select Log Forwarding.

  2. In the bottom left-side of the screen, click Add to create a new Log Forwarding object.

  3. In Name, enter Log Relay Forwarder.

  4. Enter a description, indicating that this is the object that will be used to forward logs to the log relay.

  5. Click Add to add a new log relay policy.

    1. In Name, enter Log Relay Auth.

    2. Enter a description, indicating that this is the log forwarding match list that will be used for auth logs.

    3. In Type, select auth.

    4. Set the Filter to All Logs.

  6. In the Syslog section, click Add, then select the Log Relay Syslog Server Profile that you created in step 4 of the previous section.

  7. Click OK.

  8. Repeat steps 5-7 for each of the remaining log types listed in the Type drop-down (for example traffic, threat, url, wildfire, data, and tunnel).

    1. Change the names and descriptions to match the corresponding log type.

  9. Select Network, then select Zones.


  10. Open each zone that is configured on the device and, in the Log Setting drop-down menu, select Log Relay Forwarder. This applies the forwarding profile to the zone protection logs generated for that zone.



Use the log forwarding profile in your security policy


  1. Go to Policies > Security.

  2. Select the rule to which log forwarding should be applied (in this example, the rule named Any Allow).

  3. On the Actions tab, select Log Relay Forwarder from the Log Forwarding drop-down. Confirm that Log at Session End is enabled, because the firewall only forwards traffic logs for sessions the rule actually logs, then click OK.

  4. After clicking OK, the forwarding icon appears in the Options column of the security rule.
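The same configuration expressed as PAN-OS CLI set commands, as an added example that is not part of the original article. It assumes the Log Relay is reachable at 192.0.2.10, that the profiles are created in the shared location, that the device has zones named trust and untrust, and that the rule is named Any Allow as in the example above; replace these with your own values. The Custom Log Format strings come from the table the article refers to and are shown as placeholders here.

```text
# Added example: PAN-OS 8.1 CLI equivalent of the GUI steps above.
# Assumptions: Log Relay at 192.0.2.10, shared object location,
# zones named trust/untrust, security rule named "Any Allow".
configure

# 1. Syslog server profile: TCP/10206, BSD format, facility LOG_USER
set shared log-settings syslog "Log Relay Syslog Server Profile" server "Log Relay Input" server 192.0.2.10 transport TCP port 10206 format BSD facility LOG_USER
# Custom Log Format per log type (placeholders; use the strings from the table)
set shared log-settings syslog "Log Relay Syslog Server Profile" format traffic "<traffic custom format>"
set shared log-settings syslog "Log Relay Syslog Server Profile" format threat "<threat custom format>"
set shared log-settings syslog "Log Relay Syslog Server Profile" format system "<system custom format>"

# Device > Log Settings: send System, Configuration, User-ID and HIP Match logs
set shared log-settings system match-list "System Logs" filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings config match-list "Configuration Logs" filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings userid match-list "User-ID Logs" filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings hipmatch match-list "HIP Match Logs" filter "All Logs" send-syslog "Log Relay Syslog Server Profile"

# 2. Log forwarding profile with one match list per log type
set shared log-settings profiles "Log Relay Forwarder" description "Forwards logs to the Log Relay"
set shared log-settings profiles "Log Relay Forwarder" match-list "Log Relay Auth" log-type auth filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings profiles "Log Relay Forwarder" match-list "Log Relay Traffic" log-type traffic filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings profiles "Log Relay Forwarder" match-list "Log Relay Threat" log-type threat filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings profiles "Log Relay Forwarder" match-list "Log Relay URL" log-type url filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings profiles "Log Relay Forwarder" match-list "Log Relay WildFire" log-type wildfire filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings profiles "Log Relay Forwarder" match-list "Log Relay Data" log-type data filter "All Logs" send-syslog "Log Relay Syslog Server Profile"
set shared log-settings profiles "Log Relay Forwarder" match-list "Log Relay Tunnel" log-type tunnel filter "All Logs" send-syslog "Log Relay Syslog Server Profile"

# Zone protection logs for each zone (assumed zone names)
set zone trust network log-setting "Log Relay Forwarder"
set zone untrust network log-setting "Log Relay Forwarder"

# 3. Attach the profile to the security rule and make sure the rule logs
set rulebase security rules "Any Allow" log-setting "Log Relay Forwarder"
set rulebase security rules "Any Allow" log-end yes

# 4. Commit (nothing is forwarded until this succeeds)
commit
```

After the commit, confirm delivery from the Log Relay side, for example with a packet capture filtered on TCP port 10206 while generating a session that matches the rule. Note that the BSD-over-TCP transport chosen here sends log data in cleartext; if the Log Relay supports the SSL transport option of the syslog server profile, prefer it on untrusted network paths.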