How do I configure remote syslog forwarding for Palo Alto firewalls?

This article describes the steps required to configure a Palo Alto firewall to send syslog messages to the RocketAgent Syslog Server.


  1. Open your Palo Alto dashboard.
  2. Navigate to Device > Server Profiles > Syslog
  3. Click Add and enter a Name for the syslog profile, e.g. RocketCyber SOC syslog
  4. Server - the IP address of the specified device chosen in the RocketCyber firewall log analyzer
  5. Transport - select UDP
  6. Port - the default Palo Alto port is 1514; change this to 514
  7. Format - select BSD
  8. Facility - the default standard syslog value should be set to LOG_USER unless facilities have been modified by your FW admin. See more info here:
  9. Click OK to save the syslog profile


  1. Navigate to Objects > Log Forwarding, click Add and enter a name (it is common to use the same name as above, RocketCyber SOC syslog).
  2. For each log type, severity level and WildFire verdict, select the syslog server profile, and click OK.
  3. Assign the log forwarding profile to security rules.



  1. Navigate to Policies > Security
  2. Click the policy to which you want to add log forwarding.
  3. Select Actions.
  4. Select the Log Forwarding Profile from the dropdown (RocketCyber SOC syslog).
  5. Click OK


CONFIGURE SYSLOG FORWARDING - for System, Config, and Correlation logs

  1. Navigate to Device > Log Settings
  2. For system and correlation logs, select each severity level, select the Syslog server profile, then click OK.
  3. For HIP match, config and correlation logs, select the Edit icon, select the Syslog server profile, then click OK.
  4. Commit the changes.
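
To confirm after the commit that the firewall is sending what the syslog profile specifies (UDP on port 514, BSD format, facility LOG_USER), the check below parses the header of a received datagram and reports any mismatch. It is an added example, not RocketCyber or Palo Alto code; the function names and both sample messages are constructed for illustration, and `listen` assumes a test host where UDP 514 is not already in use.

```python
import re
import socket

# Facility names indexed by numeric code (0-11 named, 12-15 reserved, 16-23 local0-7).
FACILITY_NAMES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                   "uucp", "cron", "authpriv", "ftp"] + ["reserved"] * 4
                  + [f"local{i}" for i in range(8)])

PRI_RE = re.compile(rb"^<(\d{1,3})>")
BSD_TS_RE = re.compile(rb"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")  # "Jan  5 10:15:32 "
IETF_RE = re.compile(rb"^1 \d{4}-\d{2}-\d{2}T")                        # "1 2024-01-05T..."

# Constructed sample datagrams (not captured from a real firewall).
SAMPLE_BSD = b"<14>Jan  5 10:15:32 PA-FW01 1,2024/01/05 10:15:32,TRAFFIC,end"
SAMPLE_IETF = b"<134>1 2024-01-05T10:15:32Z PA-FW01 - - - - 1,2024/01/05 10:15:32,TRAFFIC,end"

def check_datagram(datagram, expected_facility="user"):
    """Return (facility, severity, format, problems) for one syslog datagram."""
    match = PRI_RE.match(datagram)
    if not match or int(match.group(1)) > 191:
        return None, None, "unknown", ["missing or invalid <PRI> header"]
    # PRI = facility * 8 + severity
    facility_code, severity = divmod(int(match.group(1)), 8)
    facility = FACILITY_NAMES[facility_code]
    rest = datagram[match.end():]
    problems = []
    if BSD_TS_RE.match(rest):
        fmt = "BSD"
    elif IETF_RE.match(rest):
        fmt = "IETF"
        problems.append("IETF header seen; the profile Format should be BSD")
    else:
        fmt = "unknown"
        problems.append("no recognizable syslog timestamp after <PRI>")
    if facility != expected_facility:
        problems.append(f"facility is {facility}, expected {expected_facility}")
    return facility, severity, fmt, problems

def listen(bind_addr="0.0.0.0", port=514, count=5):
    """Receive `count` datagrams on the configured UDP port and report on each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))  # ports below 1024 need elevated privileges
        for _ in range(count):
            data, (src_ip, _src_port) = sock.recvfrom(65535)
            print(src_ip, check_datagram(data))

if __name__ == "__main__":
    print(check_datagram(SAMPLE_BSD))
    print(check_datagram(SAMPLE_IETF))
```

An empty problem list for traffic from the firewall's address means the transport, format and facility settings took effect; no datagrams at all points to the log forwarding profile not being attached to a rule or to filtering between the firewall and the collector.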