# Palo Alto Firewall Syslog Filter Documentation

##### **1. Introduction**

This guide outlines how to configure **Syslog filters** on Palo Alto Networks firewalls to control which logs are sent to external Syslog servers. Proper filtering reduces noise, focuses on relevant events, and improves SIEM performance.

##### **2. Syslog Overview**

Syslog is a protocol used to send logs from network devices to centralized logging systems. Palo Alto firewalls support syslog forwarding for various log types: **traffic**, **threat**, **system**, and **configuration**.

##### **3. Components Involved**

<div class="_tableWrapper_16hzy_14 group flex w-fit flex-col-reverse" id="bkmrk-component-descriptio-1" tabindex="-1"><table border="1" class="w-fit min-w-(--thread-content-width)" data-end="1658" data-start="1224" style="width: 68.0952%; border-collapse: collapse; border-width: 1px;"><thead data-end="1310" data-start="1224"><tr data-end="1310" data-start="1224"><th data-col-size="sm" data-end="1249" data-start="1224" style="width: 28.2018%; border-width: 1px;">##### Component

</th><th data-col-size="md" data-end="1310" data-start="1249" style="width: 71.8183%; border-width: 1px;">##### Description

</th></tr></thead><tbody data-end="1658" data-start="1398"><tr data-end="1484" data-start="1398"><td data-col-size="sm" data-end="1423" data-start="1398" style="width: 28.2018%; border-width: 1px;">##### Syslog Server Profile

</td><td data-col-size="md" data-end="1484" data-start="1423" style="width: 71.8183%; border-width: 1px;">##### Defines the destination server and syslog transport type

</td></tr><tr data-end="1571" data-start="1485"><td data-col-size="sm" data-end="1510" data-start="1485" style="width: 28.2018%; border-width: 1px;">##### Log Forwarding Profile

</td><td data-col-size="md" data-end="1571" data-start="1510" style="width: 71.8183%; border-width: 1px;">##### Specifies what logs to forward and to whom

</td></tr><tr data-end="1658" data-start="1572"><td data-col-size="sm" data-end="1597" data-start="1572" style="width: 28.2018%; border-width: 1px;">##### Security Policy

</td><td data-col-size="md" data-end="1658" data-start="1597" style="width: 71.8183%; border-width: 1px;">##### Determines when logs are generated and which are forwarded

</td></tr></tbody></table>

</div>##### **<span style="color: rgb(53, 152, 219);">4. Configuration Steps</span>**  
**<span style="color: rgb(53, 152, 219);">4.1 Create Syslog Server Profile</span>**

#####  Navigate to: **Device** &gt; **Server Profiles** &gt; **Syslog**

##### **Steps:**

1. Click **Add** to create a new profile.  
    [![2025-06-19_11-20.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/UVKt7zpsTvW9bCUI-2025-06-19-11-20.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/UVKt7zpsTvW9bCUI-2025-06-19-11-20.png)
2. Enter a **Name (e.g., SIEM-Syslog). [![syslog name.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/KZGuGzwbBSly05zw-syslog-name.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/KZGuGzwbBSly05zw-syslog-name.png)**
3. Under **Syslog Server**, click **Add** and enter:
    
    
    - **Name**: e.g., SIEM-Server
    - **Server**: IP or hostname of your syslog server
    - **Transport**: UDP, TCP, or SSL
    - **Port**: Default is 514 (UDP)
    - **Facility**: e.g., local4
    - **Format**: BSD or IETF  
        [![2025-06-19_11-33.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/jm5IZn8oPyzwM6iS-2025-06-19-11-33.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/jm5IZn8oPyzwM6iS-2025-06-19-11-33.png)
4. (Optional) Add a **Filter** to specify:
    
    
    - **Log Type**: Threat, Traffic, System, Config
    - **Severity**: Info, Low, Medium, High, Critical  
        [![levels.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/NFrEro1pXoJSroAi-levels.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/NFrEro1pXoJSroAi-levels.png)
5. Click **OK**

##### <span style="color: rgb(53, 152, 219);">**4.2 Create Log Forwarding Profile**</span>

##### Navigate to: **Objects** &gt; **Log Forwarding**

**[![objects.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/LUCzkkk4DwCi2xW7-objects.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/LUCzkkk4DwCi2xW7-objects.png)**

##### **Steps:**

1. Click **Add** to create a new log forwarding profile.  
    [![add.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/RBWMVx9jxKAdvLnd-add.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/RBWMVx9jxKAdvLnd-add.png)
2. Name it (example: syslog)
3. Under **Log Type**, click **Add** and configure:  
    [![syslog .png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/TsTqOna0GsjIzAsU-syslog.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/TsTqOna0GsjIzAsU-syslog.png)
    
    
    - **Log Type**: Select Threat or Traffic  
        [![traffic.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/cyWcOslLjexb9bjy-traffic.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/cyWcOslLjexb9bjy-traffic.png)
    - **Filter** (optional): For example, (severity eq high)
    - **Forward Method**: Select the Syslog Server Profile you created, click **Add** then select the one you **created**
4. Click **OK  
    [![methof.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/NITyrphhyaMsouws-methof.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/NITyrphhyaMsouws-methof.png)  
    [![okay.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/o8r1tkpKiqn7aHWT-okay.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/o8r1tkpKiqn7aHWT-okay.png)**

##### <span style="color: rgb(53, 152, 219);">**4.3 Apply Log Forwarding to Security Policy**</span>

##### **Navigate to: Policies &gt; Security**

**[![sections.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/w7oQKZI0gBzIvdui-sections.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/w7oQKZI0gBzIvdui-sections.png)**

##### **Steps:**

1. Locate and **edit** the security policy you want to apply logging to.
2. Click the **Actions** tab.
3. In the **Log Forwarding** field, select the log forwarding profile you created.
4. (Optional) Enable logging at session start/end.
5. Click **OK** and then **Commit** your changes.  
    [![fd.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/scaled-1680-/QCZiWwBgPTTVKz7a-fd.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-06/QCZiWwBgPTTVKz7a-fd.png)

Reference Links: [https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring "Palo alto")  
Reference Video: [https://www.youtube.com/watch?v=ftR3DU2MtjY&amp;t=137s](https://www.youtube.com/watch?v=ftR3DU2MtjY&t=137s "syslog system configure")