Forward Logs to a Syslog Server
Updated on Apr 18, 2024
Learn how to forward logs from Strata Logging Service.
To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure Strata Logging Service to forward logs to a syslog server.
If you are using the Palo Alto Networks Splunk app, forward logs using HTTPS instead.
(QRadar only) Add a log source in QRadar by using the TLS Syslog protocol. For details about how to do this, see the IBM documentation.
1. Enable communication between Strata Logging Service and your syslog receiver.
   Ensure that your syslog receiver can connect to Strata Logging Service and can present a valid CA certificate to complete the connection request. Allow an inbound TLS feed to your syslog receiver from the IP address range that corresponds to your Strata Logging Service region.
   Obtain either a certificate from a well-known, public CA or a self-signed certificate and install it on your receiver. If you are using a certificate signed by a private CA, make sure that it contains the CRL or OCSP information needed for certificate revocation checks.
   Because Strata Logging Service validates the server certificate to establish a connection, you must verify that the receiver is configured to properly send the TLS certificate chain to Strata Logging Service. If the app cannot verify that the certificate of the receiver and all CAs in the chain are trustworthy, the connection cannot be established. See the list of trusted certificates.
2. Sign In to the hub at https://apps.paloaltonetworks.com/.
3. Select the Strata Logging Service instance that you want to configure for syslog forwarding. If you have multiple Strata Logging Service instances, click the Strata Logging Service tile and select an instance from the list of those available.
4. Select Log Forwarding > Add to add a new Syslog forwarding profile.
5. Enter a descriptive Name for the profile.
6. Enter the Syslog Server IPv4 address or FQDN. Ensure that the value entered here matches the Subject Alternative Name (SAN) of the certificate installed on your syslog server.
7. Enter the Port on which the syslog server is listening. The default port for syslog messages over TLS is 6514.
8. Select the Facility. Choose one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see the IETF standard for the log format (CSV, LEEF, or CEF) that you will choose in the next step.
9. (Optional) Upload a self-signed certificate if you do not want to use a publicly signed certificate.
10. (Optional) Upload the private Root CA and intermediate CAs (if an intermediate CA exists). Do not upload the certificate issued for the syslog server; only CA certificates are needed to verify the chain from the syslog server. Only do this if you installed a private CA-signed, self-signed certificate on your receiver, or the public CA is not in the list of trusted CAs. The file containing the certificates must be in PEM format.
11. (Optional) Enable client authentication. Do this if company or regulatory policy requires client authentication when forwarding logs to your server.
    Download the certificate chain, then upload the certificate chain to your server. Refer to the documentation for your server management software to find out how to do this.
12. Test Connection to ensure that Strata Logging Service can communicate with the receiver. This checks TLS connectivity to verify that transmission is possible. If the test fails, you cannot proceed.
13. Click Next.
14. Specify the Format in which you would like to forward your logs. The log format (CSV, LEEF, or CEF) that you should select depends on the destination of your log data.
15. Specify the Delimiter that you would like to separate the fields in your log messages.
16. (Optional) To receive a STATUS NOTIFICATION when Strata Logging Service is unable to connect to the syslog server, enter the email address at which you’d like to receive the notification. You will continue to receive these notifications every 60 minutes until connectivity is restored. If the connectivity issue is addressed within 72 hours, no logs will be lost. However, any log older than 72 hours following the service disconnection could be lost.
17. (Optional) Enter a PROFILE TOKEN to send logs to a cloud syslog receiver. If you use a third-party cloud-based syslog service, you can enter a token that Strata Logging Service inserts into each syslog message so that the cloud syslog provider can identify the source of the logs. Follow your cloud syslog provider’s instructions for generating an identifying token. Enter the Profile Token. Tokens have a maximum length of 128 characters.
18. Select the logs you want to forward.
19. Add a new log filter and select the log type. The Threat log type does not include URL logs or Data logs. If you wish to forward these log types, you must add them individually.
20. (Optional) Create a log filter to forward only the logs that are most critical to you. You can either write your own queries from scratch or use the query builder. You can also select the query field to choose from among a set of common predefined queries.
    Log filters function like queries in Explore, with the following differences:
    - No double quotes (“”).
    - No subnet masks. To return IP addresses with subnets, use the LIKE operator. Example: src_ip.value LIKE “192.1.1.%”.
    If you want to forward all logs of the type you selected, do not enter a query. Instead, proceed to the next step.
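The two filter rules above are easy to get wrong when pasting a query from Explore. The following Python helper is an added example, not code from the page or from Palo Alto Networks: it flags a candidate filter that still contains double quotes or subnet-mask notation, and rewrites an IPv4 CIDR into the LIKE form the page shows. The field name src_ip.value and the % wildcard come from the page; the single quotes around the value, and the treatment of masks that are not octet-aligned as unsupported (LIKE can only wildcard whole octets), are assumptions.

```python
import ipaddress
import re

# Constructs the page says a log filter must not contain:
# double quotes (straight or typographic) and subnet-mask notation.
DOUBLE_QUOTES = ('"', "\u201c", "\u201d")
SUBNET_MASK_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")


def check_filter_syntax(query: str) -> list:
    """Return the problems that would make this filter invalid (empty list if none)."""
    problems = []
    if any(ch in query for ch in DOUBLE_QUOTES):
        problems.append("contains double quotes; use single quotes around values")
    if SUBNET_MASK_RE.search(query):
        problems.append("contains a subnet mask; rewrite the subnet with the LIKE operator")
    return problems


def cidr_is_like_expressible(cidr: str) -> bool:
    """True if the prefix length is a multiple of 8 (/0, /8, /16, /24, /32).

    Only then does the subnet boundary fall on a dot in dotted-quad notation,
    which is what a single LIKE pattern with a trailing % can express.
    """
    return ipaddress.IPv4Network(cidr, strict=False).prefixlen % 8 == 0


def cidr_to_like_filter(field: str, cidr: str) -> str:
    """Rewrite an IPv4 CIDR such as 192.1.1.0/24 as a LIKE filter on `field`."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if not cidr_is_like_expressible(cidr):
        raise ValueError(
            f"/{net.prefixlen} is not octet-aligned and cannot be a single LIKE pattern"
        )
    if net.prefixlen == 32:
        # A single host needs no wildcard at all.
        pattern = str(net.network_address)
    else:
        kept = str(net.network_address).split(".")[: net.prefixlen // 8]
        pattern = ".".join(kept + ["%"])  # /0 -> "%", /24 -> "a.b.c.%"
    # Single quotes are an assumption; the page only says double quotes are not allowed.
    return f"{field} LIKE '{pattern}'"


if __name__ == "__main__":
    # Constructed queries, as a user might paste them from Explore.
    for query in ('src_ip.value LIKE "192.1.1.%"', "src_ip.value = 192.1.1.0/24"):
        print(query, "->", check_filter_syntax(query) or "ok")
    print(cidr_to_like_filter("src_ip.value", "192.1.1.0/24"))
```

If a subnet is not octet-aligned (a /20, for instance), the helper refuses rather than silently widening the match; widen it yourself to the enclosing /16 or split it into /24 terms according to what your filter language supports.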
21. Save your changes.
22. Save your changes.
23. Verify that the Status of your Syslog forwarding profile is Running.
24. Verify that you can view logs on the syslog receiver. For details about the log format, refer to the Syslog field descriptions (select the PAN-OS Administrator’s Guide for your firewall version).
25. (Optional) You can use the running Syslog forwarding profile to forward past logs spanning up to 3 days.
When configuring event source mapping in your SIEM, be aware that the hostname value can change in the hostname field of the syslog message sent from Strata Logging Service. For example,
Oct 8 15:26:51 stream-logfwd20-602226222-10061338-i2hh-harness-r9kt logforwarder LEEF:2.0|Palo Alto Networks|Next Generation
might change to
Oct 8 15:26:51 stream-logfwd20-602226222-10061338-i2hh-harness-a7b1 logforwarder LEEF:2.0|Palo Alto Networks|Next Generation
A change to your log forwarding configuration or a new feature/fix could change the hostname value and break event source mapping if you are using an exact match on the hostname.
If hostname exact matching is required by the SIEM, consider using a middle syslog host to rewrite the log forward to a static hostname so that changes to hostname values don't affect log source mappings.
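The hostname drift described above can be reproduced against the two header lines the page gives. The Python below is an added example, not code from the page or from Palo Alto Networks: it parses the syslog header, shows that exact hostname matching yields two distinct event sources while matching on the stable prefix yields one, and rewrites the hostname to a static value the way a middle syslog host would. The pattern for the stable prefix (everything up to -harness) is an assumption generalised from the two sample lines, so check it against your own traffic before relying on it.

```python
import re

# Two syslog header lines taken from the page (the LEEF payload is truncated
# there as well); only the trailing hostname suffix differs between them.
SAMPLE_LINES = [
    "Oct 8 15:26:51 stream-logfwd20-602226222-10061338-i2hh-harness-r9kt "
    "logforwarder LEEF:2.0|Palo Alto Networks|Next Generation",
    "Oct 8 15:26:51 stream-logfwd20-602226222-10061338-i2hh-harness-a7b1 "
    "logforwarder LEEF:2.0|Palo Alto Networks|Next Generation",
]

# BSD-style syslog header: "Mmm d HH:MM:SS <hostname> <appname> <message>"
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<message>.*)$"
)

# Assumed shape of the forwarder hostname, generalised from the sample lines:
# everything up to "-harness" is treated as stable, the final token as variable.
FORWARDER_HOST_RE = re.compile(
    r"^(?P<stable>stream-logfwd\d+-\d+-\d+-[a-z0-9]+-harness)-[a-z0-9]+$"
)


def parse_header(line: str) -> dict:
    """Split a syslog line into timestamp, hostname, appname and message."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog header: {line!r}")
    return m.groupdict()


def event_source_key(hostname: str) -> str:
    """Stable key for SIEM source mapping.

    Strips the variable suffix when the hostname looks like a forwarder host;
    any other hostname is returned unchanged.
    """
    m = FORWARDER_HOST_RE.match(hostname)
    return m.group("stable") if m else hostname


def sources_seen(lines, exact_match: bool) -> list:
    """Distinct event sources a SIEM would create for these lines."""
    keys = set()
    for line in lines:
        host = parse_header(line)["hostname"]
        keys.add(host if exact_match else event_source_key(host))
    return sorted(keys)


def rewrite_hostname(line: str, static_hostname: str) -> str:
    """What a middle syslog host does: replace the hostname field, keep the rest."""
    h = parse_header(line)
    return f"{h['timestamp']} {static_hostname} {h['appname']} {h['message']}"


if __name__ == "__main__":
    print("exact match :", sources_seen(SAMPLE_LINES, exact_match=True))
    print("prefix match:", sources_seen(SAMPLE_LINES, exact_match=False))
    print(rewrite_hostname(SAMPLE_LINES[1], "sls-forwarder"))
```

Prefix matching is the lighter fix when your SIEM supports pattern-based source mapping; the rewrite is the one to use when it insists on an exact hostname, since the forwarded payload after the hostname is left untouched.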
"); adBlockNotification.append($( "Thanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application." )); let adBlockNotificationClose = $("x"); adBlockNotification.prepend(adBlockNotificationClose) $('body').append(adBlockNotification); setTimeout(function (e) { adBlockNotification.addClass('open'); }, 10); adBlockNotificationClose.on('click', function (e) { adBlockNotification.removeClass('open'); }) } }, 5000)
Recommended For You
{{ if(( raw.pantechdoctype != "techdocsAuthoredContentPage" && raw.objecttype != "Knowledge" && raw.pancommonsourcename != "TD pan.dev Docs")) { }} {{ if (raw.panbooktype) { }} {{ if (raw.panbooktype.indexOf('PANW Yellow Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Green Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Blue Theme') != -1){ }}
{{ } else { }}
{{ } }} {{ } else { }}
{{ } }} {{ } else { }} {{ if (raw.pantechdoctype == "pdf"){ }}
{{ } else if (raw.objecttype == "Knowledge") { }}
{{ } else if (raw.pancommonsourcename == "TD pan.dev Docs") { }}
{{ } else if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ } else { }}
{{ } }} {{ } }}
{{ if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } else { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } }}
{{ if (raw.pancommonsourcename != "TD pan.dev Docs"){ }} {{ if (raw.pandevdocsosversion){ }} {{ } else { }} {{ if ((_.size(raw.panosversion)>0) && !(_.isNull(raw.panconversationid )) && (!(_.isEmpty(raw.panconversationid ))) && !(_.isNull(raw.otherversions ))) { }} (See other versions) {{ } }} {{ } }} {{ } }}
{{ } }}{{ if (raw.pantechdoctype == "bookDetailPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "bookLandingPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "productLanding"){ }}
{{ } }}{{ if (raw.pantechdoctype == "techdocsAuthoredContentPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}