Log Forwarding Profiles
paloalto logging siem panorama
Overview
Log Forwarding Profiles define which logs are forwarded to external destinations (SIEM, syslog, Panorama, email, HTTP).
Log Types
| Log Type | Description | Policy Attachment |
|---|---|---|
| Traffic | Session start/end, bytes, packets | Security rule |
| Threat | Virus, spyware, vulnerability | Security rule |
| URL | Web categories, URLs accessed | Security rule |
| Data | DLP pattern matches | Security rule |
| WildFire | Sandbox analysis verdicts | Security rule |
| Tunnel | GRE, IPSec tunnel inspection | Security rule |
| Auth | Authentication events | Global |
| User-ID | User-to-IP mappings | Global |
| System | System events | Global |
| Config | Configuration changes | Global |
| HIP Match | Host Information Profile | GlobalProtect |
Profile Configuration
CLI - Create Log Forwarding Profile
# Create profile
set shared log-settings profiles <profile-name>
# Add traffic log match
set shared log-settings profiles <profile-name> match-list traffic-all log-type traffic filter "All Logs" send-syslog <syslog-server-profile>
# Add threat log match (critical and high only)
set shared log-settings profiles <profile-name> match-list threats-critical log-type threat filter "(severity eq critical) or (severity eq high)" send-syslog <syslog-server-profile>
# Add URL log match
set shared log-settings profiles <profile-name> match-list url-all log-type url filter "All Logs" send-syslog <syslog-server-profile>Attach to Security Rule
# Attach profile to security rule
set rulebase security rules <rule-name> log-setting <profile-name>
# Enable log at session start (optional, more logs)
set rulebase security rules <rule-name> log-start yes
# Enable log at session end (default, recommended)
set rulebase security rules <rule-name> log-end yesLog Filters
Filter Syntax
(field operator value) and/or (field operator value)
Operators
| Operator | Meaning |
|---|---|
eq | Equal |
neq | Not equal |
lt | Less than |
gt | Greater than |
leq | Less than or equal |
geq | Greater than or equal |
contains | Contains string |
Common Filters
Traffic Logs:
# All traffic
"All Logs"
# Only denied traffic
"(action eq deny)"
# High volume flows
"(bytes gt 1000000)"
# Specific zone
"(from eq trust) and (to eq untrust)"
# Specific application
"(app eq ssh)"Threat Logs:
# Critical and high severity
"(severity eq critical) or (severity eq high)"
# Specific threat types
"(type eq virus)"
"(type eq spyware)"
"(type eq vulnerability)"
# Blocked threats only
"(action eq reset-both) or (action eq drop)"URL Logs:
# Blocked URLs only
"(action eq block)"
# Specific category
"(category eq malware)"
# Multiple categories
"(category eq malware) or (category eq phishing)"Syslog Server Profile
Create Syslog Server Profile
# Create syslog server profile
set shared log-settings syslog <profile-name> server <server-name> server <IP-address>
set shared log-settings syslog <profile-name> server <server-name> port 514
set shared log-settings syslog <profile-name> server <server-name> transport UDP
set shared log-settings syslog <profile-name> server <server-name> format BSD
# For TLS
set shared log-settings syslog <profile-name> server <server-name> transport SSL
set shared log-settings syslog <profile-name> server <server-name> port 6514Syslog Formats
| Format | Description |
|---|---|
| BSD | Traditional syslog (RFC 3164) |
| IETF | Structured syslog (RFC 5424) |
Custom Log Format
# Customize fields sent to syslog
set shared log-settings syslog <profile-name> format traffic <custom-format>Field Variables:
$receive_time$src$dst$sport$dport$app$action$bytes$packets
Panorama Forwarding
Configure Panorama as Log Collector
# Set Panorama address
set deviceconfig system panorama-server <panorama-ip>
set deviceconfig system panorama-server-2 <backup-panorama-ip>
# Enable log forwarding to Panorama
set shared log-settings profiles <profile-name> match-list <match-name> send-to-panorama yesLog Collector Groups (Panorama)
# On Panorama: Create log collector group
set log-collector-group <group-name> logfwd-setting collectors <collector-name>
# Assign firewalls to group
set template <template-name> config deviceconfig system log-collector-group <group-name>HTTP Server Profile (Webhook)
For SIEM integration via HTTP/HTTPS:
# Create HTTP server profile
set shared log-settings http <profile-name> server <server-name> address <URL>
set shared log-settings http <profile-name> server <server-name> protocol HTTPS
set shared log-settings http <profile-name> server <server-name> port 443
set shared log-settings http <profile-name> server <server-name> http-method POSTPayload Format (JSON):
set shared log-settings http <profile-name> format traffic format "$receive_time,$src,$dst,$app,$action"Email Profile
For alert notifications:
# Create email server profile
set shared log-settings email <profile-name> server <server-name> gateway <smtp-server>
set shared log-settings email <profile-name> server <server-name> from firewall@company.com
set shared log-settings email <profile-name> server <server-name> to security@company.comCLI Commands
View Log Forwarding Status
# Show log forwarding profiles
show log-forwarding-profile
# Show syslog server status
show log-interface syslog
# Check logging rate
show logging-status
# Show log statistics
show log-collector statsVerify Connectivity
# Test syslog connectivity
test log-collector connectivity
# Check log queue
debug log-receiver statistics
# Check for drops
show counter global filter delta yes | match logTroubleshooting
Logs Not Forwarding
Check:
# Verify profile attached to rules
show running security-policy | match log-setting
# Check log queue status
show logging-status
# Check network connectivity to syslog server
ping source <mgmt-ip> host <syslog-ip>Common causes:
- Profile not attached to security rule
- Syslog server unreachable (firewall rule, routing)
- Log buffer full
- Filter too restrictive
Log Delays
# Check log buffer
show log-collector buffer
# Check forwarding rate
debug log-receiver statisticsSolutions:
- Increase log buffer
- Add more log collectors
- Reduce log volume (more specific filters)
- Upgrade bandwidth to log server
Enhanced Application Logging (EAL)
Required for Device Security / IoT:
# Enable EAL globally
set deviceconfig setting logging enhanced-application-logging yes
# Enable in log forwarding profile
set shared log-settings profiles <profile-name> enhanced-application-logging yesEAL adds:
- HTTP headers, URLs, user-agents
- DNS queries and responses
- Extended session metadata
Best Practices
- Filter logs - Don’t forward everything; focus on actionable data
- Use multiple destinations - SIEM, Panorama, long-term storage
- Enable EAL - For Device Security and advanced analytics
- Monitor queue - Watch for log drops
- Test forwarding - Verify logs arrive at destination
- Secure transport - Use TLS for syslog when possible
- Log at session end - More complete data than session start