How to configure Syslog Server for Logs Forwarding in Palo Alto Firewall

In this article, we will configure a Syslog Server in the Palo Alto Next-Generation Firewall. As you already know, a Syslog server can collect logs from various network and network security devices. So, in this article, we will configure a Syslog Server profile on the Palo Alto Firewall and forward the logs to the Syslog Server. Please ensure you have the proper privileges to make changes to the Firewall. So, let’s start!

[Screenshot: how to configure Syslog Server in Palo Alto]

How to configure Syslog Server and forward Logs to Syslog Server in Palo Alto Firewall

In the Palo Alto Next-Generation Firewall you can configure a Syslog Server to forward different types of logs. We can forward Traffic logs (Authentication, Data, Threat, Traffic, Tunnel, URL & WildFire) and System logs to different types of log collection solutions, i.e. Syslog, Panorama, etc. You just need to follow the steps below to configure log forwarding to the Syslog Server.

Step 1: Configure the Syslog Server Profile in Palo Alto Firewall

First, we need to configure the Syslog Server Profile in the Palo Alto Firewall. Navigate to Device >> Server Profiles >> Syslog and click Add. Here, you need to configure the Name for the Syslog Profile, i.e. Syslog_Profile. It must be unique among the Syslog Server profiles. In the Server tab, click Add. Here, you need to configure the following details:

[Screenshot: how to configure Syslog Server Profile in Palo Alto Firewall]

In this example, the Syslog Server Name is SyslogGNS3_LAB and it is configured on 10.10.10.100. All the other fields are left at their defaults for now. I’ve added the screenshot for your reference.

[Screenshot: Syslog Server Profile in Palo Alto Firewall]

  • Name: The name of the Syslog Server. It can be anything you choose but must be less than 31 characters.
  • Syslog Server: Here, you need to define the IP address or FQDN of the Syslog Server.
  • Transport: It can be UDP, TCP or SSL. The default is UDP. Note that UDP is unencrypted and does not guarantee delivery, so SSL is the safer choice when the logs cross an untrusted network.
  • Port: The port number on which the destination server listens. The default is 514 for UDP. However, it will change if you want to forward the logs over TCP or SSL.
  • Format: BSD or IETF. You can read further on BSD (RFC 3164) or IETF (RFC 5424).
  • Facility: The default is LOG_USER. However, this depends on the destination Syslog server, i.e. how the destination Syslog server manages logs.

Note: You can define multiple Syslog Servers in the same Syslog Profile.

Step 2: Configure the Custom Log Format for Syslog Server

Today, many vendors offer Syslog Server solutions. However, they store the logs in their own way. So, the Palo Alto Next-Generation Firewall allows you to configure a Custom Log Format. Depending on your Syslog solution, you need to configure the custom log format accordingly. If you are just testing your configuration with open-source software, you can skip this step. However, if you are using a Syslog solution that requires the Common Event Format (CEF), then you need to configure the custom logs as shown below.

Custom Syslog Log Format for Common Event Format (CEF) on Palo Alto Firewall

[Screenshot: custom log format for Syslog in Palo Alto Firewall]

Here, you need to define the custom log format for Config, System, Threat, Traffic, URL, Data, WildFire, Tunnel, Authentication, User-ID and HIP Match. You can read more about the Common Event Format (CEF) here.

Warning: The Common Event Format (CEF) custom log formats below only work on PAN-OS 8 and higher!

1. Traffic

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno reason=$session_end_reason PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name cat=$action_source PanOSActionFlags=$actionflags PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel

2. Threat

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver

3. URL

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno requestContext=$contenttype cat=$threatid fileId=$pcap_id requestMethod=$http_method requestClientApplication=$user_agent PanOSXForwarderfor=$xff PanOSReferer=$referer PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver

4. Data

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver

5. WildFire

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest fileType=$filetype suid=$sender msg=$subject duid=$recipient oldFileId=$reportid PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver

6. Config

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial shost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSActionFlags=$actionflags

Optional: to include the before/after change details, append the following to the Config format above: cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail

7. System

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$opaque externalId=$seqno cat=$eventid PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSActionFlags=$actionflags

8. HIP Match

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$matchtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno cat=$matchname start=$cef-formatted-time_generated cs2Label=Operating System cs2=$os PanOSActionFlags=$actionflags PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name cn2Label=Virtual System ID cn2=$vsys_id c6a2Label=IPv6 Source Address c6a2=$srcipv6

9. Authentication

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial cs1Label=Server Profile cs1=$serverprofile cs2Label=Normalize User cs2=$normalize_user cs3Label=Virtual System cs3=$vsys cs4Label=Authentication Policy cs4=$authpolicy cs5Label=Client Type cs5=$clienttype cs6Label=Log Action cs6=$logset fname=$object cn1Label=Factor Number cn1=$factorno cn2Label=Authentication ID cn2=$authid src=$ip cnt=$repeatcnt duser=$user flexString2Label=Vendor flexString2=$vendor msg=$event externalId=$seqno PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSActionFlags=$actionflags PanOSDesc=$desc

10. User ID

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial cs1Label=Factor Type cs1=$factortype cs3Label=Virtual System cs3=$vsys cs4Label=Data Source Name cs4=$datasourcename cs5Label=Data Source cs5=$datasource cs6Label=Data Source Type cs6=$datasourcetype cn1Label=Factor Number cn1=$factorno cn2Label=Virtual System ID cn2=$vsys_id cn3Label=Timeout Threshold cn3=$timeout src=$ip spt=$beginport dpt=$endport cnt=$repeatcnt duser=$user externalId=$seqno cat=$eventid end=$factorcompletiontime PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSActionFlags=$actionflags

11. Tunnel

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=Log Action cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action externalId=$seqno PanOSActionFlags=$actionflags PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time cs2Label=Tunnel Type cs2=$tunnel flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsSent=$pkts_sent PanOSPacketsReceived=$pkts_received flexNumber2Label=Maximum Encapsulation flexNumber2=$max_encap cfp1Label=Unknown Protocol cfp1=$unknown_proto cfp2Label=Strict Checking cfp2=$strict_check PanOSTunnelFragment=$tunnel_fragment cfp3Label=Sessions Created cfp3=$sessions_created cfp4Label=Sessions Closed cfp4=$sessions_closed reason=$session_end_reason cat=$action_source start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed

12. Correlation

CEF:0|Palo Alto Networks|PAN-OS|8.0|$category|$type|$severity|rt=$cef-formatted-receive_time deviceExternalId=$serial start=$cef-formatted-time_generated src=$src suser=$srcuser cs3Label=Virtual System cs3=$vsys severity=$severity PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name cn2Label=Virtual System ID cn2=$vsys_id fname=$object_name cn3Label=Object ID cn3=$object_id msg=$evidence
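To show what the collector side has to do with the Traffic format above, here is an added example (not from this article or from Palo Alto Networks): a small Python parser that splits the CEF header, walks the extension key=value pairs, resolves the csNLabel/csN style pairs into the names the template assigns (e.g. "Rule", "Source Zone") and picks out denied sessions. It runs on one constructed syslog line; the hostname, serial, addresses, user and rule name in it are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a PAN-OS Traffic log rendered through the CEF Traffic
# format above (subset of fields) behind a BSD syslog header. Serial, hosts,
# addresses, user and rule name are made up for this example.
SAMPLE = (
    "<14>Jan 10 10:15:32 PA-VM CEF:0|Palo Alto Networks|PAN-OS|10.1.6|deny|TRAFFIC|1|"
    "rt=Jan 10 2024 10:15:32 GMT deviceExternalId=000000000001 src=10.10.10.25 "
    "dst=203.0.113.7 sourceTranslatedAddress=198.51.100.2 cs1Label=Rule "
    "cs1=Block-Outbound-SSH suser=lab\\\\alice duser= app=ssh cs4Label=Source Zone "
    "cs4=Trust cs5Label=Destination Zone cs5=Untrust spt=51234 dpt=22 proto=tcp "
    "act=deny flexNumber1Label=Total bytes flexNumber1=1240 reason=policy-deny "
    "dvchost=PA-VM"
)

HEADER = ("cef_version", "vendor", "product", "version",
          "signature_id", "name", "severity")

def parse_cef(line: str) -> Dict[str, str]:
    """Parse one syslog line carrying a CEF payload into a flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    # Seven header fields split on '|'; an escaped '\|' stays inside a field.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {HEADER[i]: parts[i].replace("\\|", "|") for i in range(7)}
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    ext = parts[7]
    # Extension keys are 'key=' tokens; a value runs until the next key, so
    # it may contain spaces (e.g. rt=...) or be empty (duser=).
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    raw: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        raw[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    # csNLabel/csN (also cn, flexString, flexNumber, cfp, c6a) pairs: expose
    # the value under the label the Palo Alto template assigned, e.g. "Rule".
    for key, value in raw.items():
        if key.endswith("Label") and key[:-5] in raw:
            event[value] = raw[key[:-5]]
        elif not key.endswith("Label"):
            event[key] = value
    return event

def denied_sessions(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(rule, src, dst, dport) for every Traffic event the policy denied."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if ev.get("name") == "TRAFFIC" and ev.get("act") == "deny":
            hits.append((ev["Rule"], ev["src"], ev["dst"], ev["dpt"]))
    return hits
```

The same parser works for the other formats on this page, because they differ only in which labels and keys they emit.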

Step 3: Configure the Log Forwarding Profile for Syslog in Palo Alto Firewall

Now, we need to configure the Log Forwarding Profile in the Palo Alto Firewall. A Log Forwarding profile helps us forward the traffic logs to the different log collection solutions. To configure the Log Forwarding Profile, navigate to Objects >> Log Forwarding and click Add. Provide the Name of this profile, i.e. GNS3Network_Log_Profile. Now, in this Log Forwarding Profile, you need to define the various types of logs. In this example, I’m using Traffic, Auth, Threat and Data logs. You need to configure it as shown below:

[Screenshot: Log Forwarding Profile in Palo Alto]

[Screenshot: Traffic logs for the Log Forwarding Profile in Palo Alto]

Step 4: Applying the Log Forwarding Profile to the Security Policies

Now, we need to apply the Log Forwarding Profile to the Security Policies. For all traffic that hits a Security Policy on which you applied the Log Forwarding Profile, the traffic logs will be sent to all the destinations you defined in the Log Forwarding Profile. In this example, I defined our Syslog Server for Log Forwarding, so all logs will be forwarded to the destination server. To configure the Log Forwarding Profile in a Security Policy, just select the Security Policy and go to the Actions tab. In the Log Forwarding field, select the profile we created in the previous step.

[Screenshot: applying the Log Forwarding Profile to the security rule]

Once you have applied the Log Forwarding Profile to a security policy, the Log Forwarding icon will be visible there.

[Screenshot: Log Forwarding Profile icon on a security policy]

Step 5: Configuring the Service Route on Palo Alto Firewall

Here, you need to identify how the firewall communicates with the Syslog Server. If the Firewall communicates with the Syslog Server using the Management Interface itself, then you do not need to change the default. However, if the Syslog server is reached through any other data plane interface, you need to specify the service route. You can configure the service route by navigating to Devices >> Service >> Service Route Configuration. Then select the interface through which the Firewall communicates with the Server.

Note: In this example, my service route is default, i.e. Management Interface!

Step 6: Commit the changes

This is the final step. Just commit all the changes we have made. To commit, locate the Commit button/link in the top right corner. If you get any error, you need to re-verify all of your configuration.

Step 7: Verifying the configuration

I’ve set up the Syslog Server for log collection. My Syslog Server is 10.10.10.100. All the traffic that hits the security rule on which Log Forwarding is configured will send its logs to the Syslog Server. So, let’s check the logs on the Syslog Server.

[Screenshot: Syslog Server receiving logs from the Palo Alto Firewall]

If you double-click one of the logs, you will find the detailed information for that log!

[Screenshot: Syslog detailed message]

Summary

In this article, we configured and verified the Syslog Server configuration on the Palo Alto Next-Generation Firewall. A Syslog Server helps us store the historical logs gathered from network and network security devices. We configured the Syslog Server Profile. Then, we configured the Log Forwarding Profile for log forwarding to the Syslog server. Finally, we applied the Log Forwarding profile to the security policy and committed all changes. At last, we checked the same on the open-source Visual Syslog Server. We were able to find all the logs on the Syslog Server. That’s it! We have done all the configuration of the Syslog Server.

Did you like this article? If you face any challenge, please let me know in the comment box!
