Overview:
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom formats can be configured under
Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format:
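To show what the receiving side of such an integration has to cope with, here is an added example (not part of the original article and not vendor code): a small Python parser for traffic and threat entries sent in a custom key=value format. The layout, the key names and the sample log lines are constructed for illustration; it assumes a hypothetical custom format built from the PAN-OS $type, $subtype, $src, $dst, $sport, $dport, $proto, $action, $app and $rule variables, sent in BSD syslog format with facility LOG_USER. It handles the PRI/header, values that contain spaces (rule names such as "Any Allow"), and records that lack fields the downstream system requires.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample messages (not real firewall output). They assume a hypothetical
# custom log format of the form
#   type=$type subtype=$subtype src=$src dst=$dst sport=$sport dport=$dport
#   proto=$proto action=$action app=$app rule=$rule
# sent as BSD syslog with facility LOG_USER, so <14> is user.info and <12> is user.warning.
SAMPLE_LINES = [
    "<14>Jan 10 12:00:01 PA-VM PANOS: type=TRAFFIC subtype=end src=10.1.1.5 "
    "dst=198.51.100.7 sport=51234 dport=443 proto=tcp action=allow app=ssl rule=Any Allow",
    "<12>Jan 10 12:00:02 PA-VM PANOS: type=THREAT subtype=vulnerability src=203.0.113.9 "
    "dst=10.1.1.20 sport=40000 dport=80 proto=tcp action=reset-both app=web-browsing rule=Any Allow",
    "<14>Jan 10 12:00:03 PA-VM PANOS: commit completed",  # valid syslog, no key=value payload
    "garbage line without a PRI header",                   # not syslog at all
]

# Keys the downstream parser needs from every traffic/threat record (example policy).
REQUIRED_FIELDS = ("type", "src", "dst", "dport", "proto", "action", "rule")

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$"
)
# Optional "TAG: " prefix in front of the payload.
TAG_RE = re.compile(r"^[\w.-]+:\s+")
# key=value pairs; a value runs until the next " key=" token or end of line,
# so rule names containing spaces (e.g. "Any Allow") are kept whole.
KV_RE = re.compile(r"(?P<key>[A-Za-z_][\w-]*)=(?P<value>.*?)(?=\s+[A-Za-z_][\w-]*=|$)")


@dataclass
class ParsedLog:
    facility: int
    severity: int
    timestamp: str
    host: str
    fields: Dict[str, str]


def parse_kv(body: str) -> Dict[str, str]:
    """Parse a key=value payload into a dict; a repeated key keeps its last value."""
    return {m.group("key"): m.group("value").strip() for m in KV_RE.finditer(body)}


def parse_syslog_line(line: str) -> Optional[ParsedLog]:
    """Parse one BSD-format syslog line; return None if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7 -> largest legal PRI is 23*8+7
        return None
    body = TAG_RE.sub("", m.group("body"), count=1)
    return ParsedLog(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m.group("timestamp"),
        host=m.group("host"),
        fields=parse_kv(body),
    )


def missing_fields(rec: ParsedLog, required=REQUIRED_FIELDS) -> List[str]:
    """Names from `required` that the custom format did not emit for this record."""
    return [k for k in required if k not in rec.fields]


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count records per (type, action) and flag lines the parser cannot use."""
    counts: Counter = Counter()
    unusable = 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or missing_fields(rec):
            unusable += 1
            continue
        counts[(rec.fields["type"], rec.fields["action"])] += 1
    return {"by_type_action": dict(counts), "unusable": unusable}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_syslog_line(line)
        print("unparsable" if rec is None else (rec.severity, rec.fields, missing_fields(rec)))
    print(summarize(SAMPLE_LINES))
```

The `missing_fields` check is the part worth keeping when you change the custom format on the firewall: any key the downstream system relies on that you drop from the format shows up immediately as an "unusable" record rather than as a silently empty field.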
Step 2. Create a log forwarding profile
Go to Objects > Log forwarding. Click Add.
- Name: Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
- Syslog: Select the syslog server profile that names the destination(s) to which the traffic log entries are sent.
- Click 'OK' to confirm your configuration.
Your Log Forwarding Profile is now created, as shown in the following example:
Step 3. Use the log forwarding profile in your security policy
Go to Policies > Security
Select the rule to which log forwarding needs to be applied ('Any Allow' in the following example):
Next, go to the Actions tab, select the profile from the Log Forwarding dropdown, and click OK:
After clicking OK, you will notice the forwarding icon in the 'Options' column of your security rule:
Step 4. Don't forget to commit your changes when you're finished.
Repeat the same steps for threat logs as done for traffic logs here.
Reference Link:
Traffic Logs: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRxCAK
Threat Logs: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFfCAK
Verification
Verification can be done either from the CCE server or from the UI.
Using CCE
Run the following command on the CCE server, where <IP address> is the address the firewall sends syslog from (the management interface by default, or the interface selected by a Syslog service route):
sudo tcpdump -nn -i any port 514 and host <IP address>
Adjust the port if the syslog server profile uses a port other than the default 514. Note that traffic logs are written at session end by default, so allow for sessions matching the rule to close before expecting entries.
Using UI
In the UI, go to Systems >> Logs and Flows collection Status.
The firewall's IP address will appear under Source device IP.