Skip to main content

Palo Alto Firewall Syslog Filter Documentation

Introduction

This guide outlines how to configure Syslog filters on Palo Alto Networks firewalls to control which logs are sent to external Syslog servers. Proper filtering reduces noise, focuses on relevant events, and improves SIEM performance.

Syslog Overview

Syslog is a protocol used to send logs from network devices to centralized logging systems. Palo Alto firewalls support syslog forwarding for various log types: traffic, threat, system, and configuration.

Components Involved

Component

Description

Syslog Server Profile

Defines the destination server and syslog transport type

Log Forwarding Profile

Specifies what logs to forward and to whom

Security Policy

Determines when logs are generated and which are forwarded

Configuration Steps
1. Create Syslog Server Profile
 Navigate to: Device > Server Profiles > Syslog
Steps:

  1. Click Add to create a new profile.
    2025-06-19_11-20.png

  2. Enter a Name (e.g., SIEM-Syslog).
    syslog name.png

  3. Under Syslog Server, click Add and enter:

    • Name: e.g., SIEM-Server

    • Server: IP or hostname of your syslog server

    • Transport: UDP, TCP, or SSL

    • Port: Default is 514 (UDP)

    • Facility: e.g., local4

    • Format: BSD or IETF
      2025-06-19_11-33.png

  4. (Optional) Add a Filter to specify:

    • Log Type: Threat

    • Severity: High
      levels.png

  5. Click OK

2. Create Log Forwarding Profile

Navigate to: Objects > Log Forwarding

objects.png

Steps:

  1. Click Add to create a new log forwarding profile.
    add.png

  2. Name it (example: syslog) 

  3. Under Log Type, click Add and configure:
    syslog .png

    • Log Type: Select Threat
      traffic.png

    • Filter (optional): For example, (severity eq high)

    • Forward Method: Select the Syslog Server Profile you created, click Add then select the one you created

  4. Click OK
    methof.png
    okay.png

3. Apply Log Forwarding to Security Policy

Navigate to:  Policies > Security

sections.png

Steps:

  1. Locate and edit the security policy you want to apply logging to.

  2. Click the Actions tab.

  3. In the Log Forwarding field, select the log forwarding profile you created.

  4. (Optional) Enable logging at session start/end.

  5. Click OK and then Commit your changes.
    fd.png

 

 Please provide the following information to CyTech 

Requirements:Collect logs via syslog over UDP or TCP

  *Syslog Host-> Syslog Collector IP address where the Elastic-Agent is installed.
  *Syslog Port-> Port Number (Please identify if TCP or UDP)

 

Reference Links: 

 

 

If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.

No Comments
Back to top