
Palo Alto Firewall Syslog Filter Documentation

1. Introduction

This guide outlines how to configure Syslog filters on Palo Alto Networks firewalls to control which logs are sent to external Syslog servers. Proper filtering reduces noise, focuses on relevant events, and improves SIEM performance.

2. Syslog Overview

Syslog is a protocol used to send logs from network devices to centralized logging systems. Palo Alto firewalls support syslog forwarding for various log types: traffic, threat, system, and configuration.

3. Components Involved

Component | Description
Syslog Server Profile | Defines the destination server and syslog transport type
Log Forwarding Profile | Specifies what logs to forward and to whom
Security Policy | Determines when logs are generated and which are forwarded

4. Configuration Steps
4.1 Create Syslog Server Profile
Navigate to: Device > Server Profiles > Syslog
Steps:
  1. Click Add to create a new profile.

  2. Enter a Name (e.g., SIEM-Syslog).

  3. Under Syslog Server, click Add and enter:

    • Name: e.g., SIEM-Server

    • Server: IP or hostname of your syslog server

    • Transport: UDP, TCP, or SSL

    • Port: Default is 514 (UDP)

    • Facility: e.g., local4

    • Format: BSD or IETF

  4. (Optional) Add a Filter to specify:

    • Log Type: Threat, Traffic, System, Config

    • Severity: Info, Low, Medium, High, Critical

  5. Click OK

4.2 Create Log Forwarding Profile
Navigate to: Objects > Log Forwarding

Steps:
  1. Click Add to create a new log forwarding profile.

  2. Enter a Name (e.g., syslog).

  3. Under Log Type, click Add and configure:

    • Log Type: Select Threat or Traffic

    • Filter (optional): For example, (severity eq high)

    • Forward Method: Click Add, then select the Syslog Server Profile you created

  4. Click OK

4.3 Apply Log Forwarding to Security Policy
Navigate to: Policies > Security

Steps:
  1. Locate and edit the security policy you want to apply logging to.

  2. Click the Actions tab.

  3. In the Log Forwarding field, select the log forwarding profile you created.

  4. (Optional) Enable logging at session start/end.

  5. Click OK and then Commit your changes.
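
After the commit, the settings from sections 4.1 and 4.2 can be checked on the syslog server by decoding what actually arrives. The script below is an added example, not part of the original guide or of any Palo Alto tooling: it decodes the syslog PRI value and header format of each line and reports mismatches against the profile (facility local4, BSD format, Threat logs only). The function names, the sample lines (constructed) and the assumption that the message body is the default PAN-OS comma-separated layout with the log type in the fourth field are all specific to this example.

```python
import re

# Syslog PRI = facility * 8 + severity; local0..local7 are facilities 16..23.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# IETF (RFC 5424): <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
IETF = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) \S+ \S+ \S+ (?:-|\[.*?\]) ?(.*)$", re.S)
# BSD (RFC 3164): <PRI>Mmm dd hh:mm:ss HOST MSG
BSD = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Constructed sample lines (not captured from a real firewall).
SAMPLES = [
    "<164>Jun 19 11:20:00 fw01 1,2025/06/19 11:20:00,000000000000,THREAT,url",
    "<134>Jun 19 11:20:01 fw01 1,2025/06/19 11:20:01,000000000000,TRAFFIC,end",
    "<164>1 2025-06-19T11:20:02Z fw01 - - - - 1,2025/06/19 11:20:02,000000000000,THREAT,url",
]

def parse(line):
    """Decode one syslog line; return None if it is neither BSD nor IETF."""
    for fmt, rx in (("IETF", IETF), ("BSD", BSD)):
        m = rx.match(line)
        if m and int(m.group(1)) <= 191:  # highest valid PRI is 23 * 8 + 7
            pri = int(m.group(1))
            return {"format": fmt, "host": m.group(3), "msg": m.group(4),
                    "facility": FACILITIES.get(pri >> 3, f"facility{pri >> 3}"),
                    "severity": SEVERITIES[pri & 7]}
    return None

def check(line, facility="local4", fmt="BSD", log_types=("THREAT",)):
    """Return the mismatches between a received line and the profile settings."""
    rec = parse(line)
    if rec is None:
        return ["not a BSD or IETF syslog line"]
    problems = []
    if rec["facility"] != facility:
        problems.append(f"facility {rec['facility']}, expected {facility}")
    if rec["format"] != fmt:
        problems.append(f"format {rec['format']}, expected {fmt}")
    # Assumption: default PAN-OS CSV body, log type in the fourth field.
    fields = rec["msg"].split(",")
    log_type = fields[3] if len(fields) > 3 else "unknown"
    if log_type not in log_types:
        problems.append(f"log type {log_type} not selected for forwarding")
    return problems

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample) or "OK", "<-", sample[:40])
```

Lines that arrive with an unexpected facility or log type usually mean a different Syslog Server Profile or Log Forwarding Profile is attached to the matching security policy.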

Reference Links: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring
Reference Video: https://www.youtube.com/watch?v=ftR3DU2MtjY&t=137s