Skip to content Skip to main navigation Skip to footer

Forwarding Palo Alto Logs to Cyfin Syslog Server

The following steps are required to forward Palo Alto logs to Cyfin Syslog Server:

  • Create a syslog server profile.
  • Configure a log forwarding profile to select the logs to be forwarded to Cyfin Syslog Server.
  • Assign the log forwarding profile to security rules.

The logs that must be forwarded are the Threat logs with Informational severity. Informational Threat logs include URL Filtering, Data Filtering, and WildFire logs.

Syslog Server Profile

  1. In your Palo Alto Firewall user interface, go to Device – Server Profiles – Syslog.
  2. Click Add at the bottom of the screen.
  3. Enter the following information:
    • Name – Cyfin
    • Syslog Server – IP address of where Cyfin is installed
    • Transport – UDP
    • Port – 1455
    • Format – BSD
    • Facility – LOG_USER
  4. Click OK to save the server profile.
  5. Click Commit at the top of the screen to commit the change.

serverprofilesmall

Log Forwarding Profile

    1. Go to Objects > Log Forwarding.
    2. Click Add to create a new log forwarding profile.
    3. Enter a Name to identify the profile.

    To forward each log type (Threat, URL, and Traffic), complete the following:

    Step 1: Configure Log Types

    1. Select the Log Type from the list:
      • For Threat logs, select severity Informational in the Filter drop-down menu.
      • For URL logs, select severity Informational in the Filter drop-down menu.
      • For Traffic logs, leave the Filter setting at All Logs.

    Step 2: Configure Syslog Server

    1. Under Syslog, click Add.
    2. Select the Syslog Server Profile created in the previous steps (e.g., Cyfin).
    3. Repeat steps 1 and 2 for each log type (Threat, URL, and Traffic) you want to forward.
    4. Click OK to save the profile.
    5. Click Commit at the top of the screen to save and apply the changes.

LogForwardingProfiles

URL Filtering Profile

To log the traffic from URL Filtering logs, you may need to adjust the Site Access for each allowed URL category.

  1. Go to Objects – URL Filtering – URL Filtering Profile.
  2. Select Categories – Site Access.
  3. Filter by “Allow.”
  4. Change “Allow” to “Alert” for each category listed.

Security Policy Rule

  1. Go to Policies – Security.
  2. Select the rule for which the log forwarding needs to be applied.
  3. Apply the security profile to the rule.
  4. Go to Actions and in the Log Forwarding drop-down field, select the log forwarding profile.
  5. Click OK. By default, when Threat logs are forwarded to Cyfin Syslog Server, the logs will have several fields including source IP address, destination IP address, and URL.
  6. Click Commit at the top of the screen to commit the change.

Now, you can configure Cyfin to write the forwarded Palo Alto log files to syslogYYYYXXXX.txt files. See Cyfin Configurations Steps for more information.

Additional Resources: