In this article:
Configuring Palo Alto Cortex XDR to forward events
To configure log forwarding to syslog follow these steps:
Step 1: Create a server syslog profile
- Under the Device tab, navigate to Server Profiles > Syslog
- Click Add to configure the log destination on the Palo Alto Network. You will need to enter the:
- Name for the syslog server(Case sensitive)
- Syslog server IP address which is Forwarder IP.
- Port number (change the destination port to the port on which logs will be forwarded; it is UDP 11516 by default)
- Format (keep the default log format, BSD)
- The facility of the chronicle system that you want to use as a Syslog server Local6.
Step 2: Create a log forwarding profile.
- Go to Objects > Log forwarding. Click Add.
- Name: Enter a profile name (up to 31 characters).
- Syslog: Select the syslog server profile to specify additional destinations where the traffic log entries are sent.
- Click 'OK' to confirm your configuration.
- Your Log Forwarding Profile is now created, as shown in the following example:
Step 3. Use the log forwarding profile in your security policy
- Go to Policies > Security
- Select the rule for which the log forwarding needs to be applied (Any Allow) in the following example:
- Next, go to the Actions tab, select Log Forwarding Profile from the dropdown, and click OK.
- After clicking OK, you will notice the forwarding icon in the 'Options' column of your security rule:
Step 4. Commit Changes after Configurations.
- Repeat the process for each device which needs to be onboarded to chronicle.
- Once the configuration is completed, need to validate the logs in chronicle using a regular expression as (".*") this expression or with specific hostname, will provide the log source types which are ingesting to chronicle, below is the screen shot for reference.
Please sign in to leave a comment.