This article describes the steps required to configure a Palo Alto firewall to send syslog messages to the RocketAgent Syslog Server.
CREATE SYSLOG PROFILE
- Open your Palo Alto dashboard.
- Navigate to Device > Server Profiles > Syslog.
- Click Add and enter a Name for the syslog profile, e.g. RocketCyber SOC syslog.
- Server - the IP address of the RocketAgent syslog server, i.e. the device you selected in the RocketCyber firewall log analyzer.
- Transport - select UDP.
- Port - the Palo Alto default is 1514; change this to 514.
- Format - select BSD.
- Facility - leave this at the standard syslog default, LOG_USER, unless facilities have been modified by your firewall admin. See more info here: https://live.paloaltonetworks.com/t5/general-topics/log-local/td-p/12122
- Click OK to save the syslog profile.
CONFIGURE SYSLOG FORWARDING PROFILE
- Navigate to Objects > Log Forwarding, click Add and enter a name (it is common to use the same name as above, RocketCyber SOC syslog).
- For each log type, severity level and WildFire verdict, select the syslog server profile, and click OK.
- Assign the log forwarding profile to security rules.
CONFIGURE SECURITY POLICY RULE AS LOG FORWARDING
- Navigate to Policies > Security.
- Click the policy you want to add to log forwarding.
- Select Actions.
- Select the Log Forwarding Profile from the dropdown (RocketCyber SOC syslog).
- Click OK.
CONFIGURE SYSLOG FORWARDING - for System, Config, and Correlation logs
- Navigate to Device > Log Settings.
- For System and Correlation logs, select each severity level, select the Syslog server profile, then click OK.
- For HIP Match, Config and Correlation logs, select the Edit icon, select the Syslog server profile, then click OK.
- Commit the changes.
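After the commit, a quick way to confirm the firewall is actually sending what the profile above specifies (UDP 514, BSD format, LOG_USER facility) is to inspect a few datagrams on the receiving host. The following Python script is an added example, not part of this article or of RocketCyber's tooling; the sample datagrams are constructed, and the field positions assume the PAN-OS CSV payload layout (Type in the fourth comma-separated field).

```python
import re
import socket

LOG_USER = 1  # RFC 3164 facility code for LOG_USER, the value set in the profile

# PAN-OS BSD format: <PRI>MMM DD HH:MM:SS host <CSV payload>, where the CSV
# payload begins FUTURE_USE,Receive Time,Serial Number,Type,Subtype,...
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<payload>.*)$"
)

def split_pri(pri):
    """RFC 3164 PRI encodes facility * 8 + severity."""
    return pri // 8, pri % 8

def parse_panos_bsd(line):
    """Parse one received line; return a dict, or None if not PAN-OS BSD syslog."""
    m = BSD_RE.match(line.strip())
    if not m:
        return None
    facility, severity = split_pri(int(m["pri"]))
    fields = m["payload"].split(",")
    if len(fields) < 5:
        return None
    return {"facility": facility, "severity": severity, "host": m["host"],
            "serial": fields[2], "log_type": fields[3], "subtype": fields[4]}

def check_forwarding(lines, expected_facility=LOG_USER):
    """Return (log types seen, problems): lines that are not PAN-OS BSD syslog
    or that carry a facility other than the one configured in the profile."""
    types_seen, problems = set(), []
    for line in lines:
        rec = parse_panos_bsd(line)
        if rec is None:
            problems.append(f"unparseable: {line[:60]!r}")
        elif rec["facility"] != expected_facility:
            problems.append(f"{rec['log_type']} from {rec['host']} uses facility "
                            f"{rec['facility']}, expected {expected_facility}")
        else:
            types_seen.add(rec["log_type"])
    return sorted(types_seen), problems

def listen(port=514, count=20):
    """Collect `count` UDP datagrams on the syslog port (binding 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        return [s.recv(65535).decode("utf-8", "replace") for _ in range(count)]

# Constructed sample datagrams (not real firewall output): PRI 14 and 9 are
# LOG_USER; PRI 134 is local0, i.e. a profile that was not set to LOG_USER.
SAMPLE = [
    "<14>Jan 15 10:00:01 pa-fw-01 1,2024/01/15 10:00:01,001234567890,TRAFFIC,end,2562,...",
    "<9>Jan 15 10:00:02 pa-fw-01 1,2024/01/15 10:00:02,001234567890,THREAT,vulnerability,...",
    "<134>Jan 15 10:00:03 pa-fw-01 1,2024/01/15 10:00:03,001234567890,SYSTEM,general,...",
    "this is not a syslog line",
]
```

Run `check_forwarding(listen())` on the syslog host while traffic flows through a rule that has the log forwarding profile attached; an empty problems list and a TRAFFIC/THREAT entry in the types confirm the profile, port and rule assignment are correct.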