Log Forwarding Profiles

paloalto logging siem panorama


Overview

Log Forwarding Profiles define which logs are forwarded to external destinations (SIEM, syslog, Panorama, email, HTTP).


Log Types

Log TypeDescriptionPolicy Attachment
TrafficSession start/end, bytes, packetsSecurity rule
ThreatVirus, spyware, vulnerabilitySecurity rule
URLWeb categories, URLs accessedSecurity rule
DataDLP pattern matchesSecurity rule
WildFireSandbox analysis verdictsSecurity rule
TunnelGRE, IPSec tunnel inspectionSecurity rule
AuthAuthentication eventsGlobal
User-IDUser-to-IP mappingsGlobal
SystemSystem eventsGlobal
ConfigConfiguration changesGlobal
HIP MatchHost Information ProfileGlobalProtect

Profile Configuration

CLI - Create Log Forwarding Profile

# Create profile
set shared log-settings profiles <profile-name>
 
# Add traffic log match
set shared log-settings profiles <profile-name> match-list traffic-all log-type traffic filter "All Logs" send-syslog <syslog-server-profile>
 
# Add threat log match (critical and high only)
set shared log-settings profiles <profile-name> match-list threats-critical log-type threat filter "(severity eq critical) or (severity eq high)" send-syslog <syslog-server-profile>
 
# Add URL log match
set shared log-settings profiles <profile-name> match-list url-all log-type url filter "All Logs" send-syslog <syslog-server-profile>

Attach to Security Rule

# Attach profile to security rule
set rulebase security rules <rule-name> log-setting <profile-name>
 
# Enable log at session start (optional, more logs)
set rulebase security rules <rule-name> log-start yes
 
# Enable log at session end (default, recommended)
set rulebase security rules <rule-name> log-end yes

Log Filters

Filter Syntax

(field operator value) and/or (field operator value)

Operators

OperatorMeaning
eqEqual
neqNot equal
ltLess than
gtGreater than
leqLess than or equal
geqGreater than or equal
containsContains string

Common Filters

Traffic Logs:

# All traffic
"All Logs"
 
# Only denied traffic
"(action eq deny)"
 
# High volume flows
"(bytes gt 1000000)"
 
# Specific zone
"(from eq trust) and (to eq untrust)"
 
# Specific application
"(app eq ssh)"

Threat Logs:

# Critical and high severity
"(severity eq critical) or (severity eq high)"
 
# Specific threat types
"(type eq virus)"
"(type eq spyware)"
"(type eq vulnerability)"
 
# Blocked threats only
"(action eq reset-both) or (action eq drop)"

URL Logs:

# Blocked URLs only
"(action eq block)"
 
# Specific category
"(category eq malware)"
 
# Multiple categories
"(category eq malware) or (category eq phishing)"

Syslog Server Profile

Create Syslog Server Profile

# Create syslog server profile
set shared log-settings syslog <profile-name> server <server-name> server <IP-address>
set shared log-settings syslog <profile-name> server <server-name> port 514
set shared log-settings syslog <profile-name> server <server-name> transport UDP
set shared log-settings syslog <profile-name> server <server-name> format BSD
 
# For TLS
set shared log-settings syslog <profile-name> server <server-name> transport SSL
set shared log-settings syslog <profile-name> server <server-name> port 6514

Syslog Formats

FormatDescription
BSDTraditional syslog (RFC 3164)
IETFStructured syslog (RFC 5424)

Custom Log Format

# Customize fields sent to syslog
set shared log-settings syslog <profile-name> format traffic <custom-format>

Field Variables:

  • $receive_time
  • $src
  • $dst
  • $sport
  • $dport
  • $app
  • $action
  • $bytes
  • $packets

Panorama Forwarding

Configure Panorama as Log Collector

# Set Panorama address
set deviceconfig system panorama-server <panorama-ip>
set deviceconfig system panorama-server-2 <backup-panorama-ip>
 
# Enable log forwarding to Panorama
set shared log-settings profiles <profile-name> match-list <match-name> send-to-panorama yes

Log Collector Groups (Panorama)

# On Panorama: Create log collector group
set log-collector-group <group-name> logfwd-setting collectors <collector-name>
 
# Assign firewalls to group
set template <template-name> config deviceconfig system log-collector-group <group-name>

HTTP Server Profile (Webhook)

For SIEM integration via HTTP/HTTPS:

# Create HTTP server profile
set shared log-settings http <profile-name> server <server-name> address <URL>
set shared log-settings http <profile-name> server <server-name> protocol HTTPS
set shared log-settings http <profile-name> server <server-name> port 443
set shared log-settings http <profile-name> server <server-name> http-method POST

Payload Format (JSON):

set shared log-settings http <profile-name> format traffic format "$receive_time,$src,$dst,$app,$action"

Email Profile

For alert notifications:

# Create email server profile
set shared log-settings email <profile-name> server <server-name> gateway <smtp-server>
set shared log-settings email <profile-name> server <server-name> from firewall@company.com
set shared log-settings email <profile-name> server <server-name> to security@company.com

CLI Commands

View Log Forwarding Status

# Show log forwarding profiles
show log-forwarding-profile
 
# Show syslog server status
show log-interface syslog
 
# Check logging rate
show logging-status
 
# Show log statistics
show log-collector stats

Verify Connectivity

# Test syslog connectivity
test log-collector connectivity
 
# Check log queue
debug log-receiver statistics
 
# Check for drops
show counter global filter delta yes | match log

Troubleshooting

Logs Not Forwarding

Check:

# Verify profile attached to rules
show running security-policy | match log-setting
 
# Check log queue status
show logging-status
 
# Check network connectivity to syslog server
ping source <mgmt-ip> host <syslog-ip>

Common causes:

  • Profile not attached to security rule
  • Syslog server unreachable (firewall rule, routing)
  • Log buffer full
  • Filter too restrictive

Log Delays

# Check log buffer
show log-collector buffer
 
# Check forwarding rate
debug log-receiver statistics

Solutions:

  • Increase log buffer
  • Add more log collectors
  • Reduce log volume (more specific filters)
  • Upgrade bandwidth to log server

Enhanced Application Logging (EAL)

Required for Device Security / IoT:

# Enable EAL globally
set deviceconfig setting logging enhanced-application-logging yes
 
# Enable in log forwarding profile
set shared log-settings profiles <profile-name> enhanced-application-logging yes

EAL adds:

  • HTTP headers, URLs, user-agents
  • DNS queries and responses
  • Extended session metadata

Best Practices

  1. Filter logs - Don’t forward everything; focus on actionable data
  2. Use multiple destinations - SIEM, Panorama, long-term storage
  3. Enable EAL - For Device Security and advanced analytics
  4. Monitor queue - Watch for log drops
  5. Test forwarding - Verify logs arrive at destination
  6. Secure transport - Use TLS for syslog when possible
  7. Log at session end - More complete data than session start