Selective Log Forwarding Based on Log Attributes

To maximize the efficiency of your incident response and monitoring operations, you can now create custom log forwarding filters based on any log attributes (such as threat type or source user). Instead of forwarding all logs or all logs of specific severity levels, you can use the filters to forward just the information you want to monitor or act on. For example, a security operations analyst who investigates malware attacks might be interested only in Threat logs with the type attribute set to wildfire-virus.
  1. Configure a server profile for each external service that will receive logs from the firewall. The profiles define how the firewall connects to the services.
    For example, to configure an HTTP server profile, select DeviceServer ProfilesHTTP and Add the profile.
  2. Select ObjectsLog Forwarding and Add a Log Forwarding profile to define the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
    In each Log Forwarding profile, Add one or more match list profiles to specify log query filters, forwarding destinations, and automatic actions such as tagging.
    log_forwarding_and_match_list_profiles.png
    In each match list profile, select FilterFilter Builder and Add filters based on log attributes.
    filter_builder.png
  3. Assign the Log Forwarding profile to policy rules and network zones.
    The firewall generates and forwards logs based on traffic that matches the rules and zones. Security, Authentication, and DoS Protection rules support log forwarding. For example, to assign the profile to a Security rule, select PoliciesSecurity, edit the rule, select Actions, and select the Log Forwarding profile you created.
  4. Select DeviceLog Settings and configure the destinations for System, Configuration, User-ID, HIP Match, and Correlation logs. For each log type that the firewall will forward, Add one or more match list profiles as you did in the Log Forwarding profile.
  5. (PA-7000 Series firewalls only) Select NetworkInterfacesEthernet and Add Interface to configure a log card interface for log forwarding.
  6. Commit your changes.
  7. Verify the log destinations you configured are receiving firewall logs:

Related Documentation