Selective Log Forwarding Based on Log Attributes
To make incident response and monitoring more efficient, you can now create custom log forwarding filters based on any log attributes (such as threat type or source user). Instead of forwarding all logs, or all logs of specific severity levels, you can use the filters to forward only the information you want to monitor or act on. For example, a security operations analyst who investigates malware attacks might be interested only in Threat logs with the type attribute set to wildfire-virus.
- Configure a server profile for each external service that will receive logs from the firewall. The profiles define how the firewall connects to the services. For example, to configure an HTTP server profile, select Device > Server Profiles > HTTP and Add the profile.
- Select Objects > Log Forwarding and Add a Log Forwarding profile to define the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs. In each Log Forwarding profile, Add one or more match list profiles to specify log query filters, forwarding destinations, and automatic actions such as tagging. In each match list profile, select Filter > Filter Builder and Add filters based on log attributes.
- Assign the Log Forwarding profile to policy rules and network zones. The firewall generates and forwards logs based on traffic that matches the rules and zones. Security, Authentication, and DoS Protection rules support log forwarding. For example, to assign the profile to a Security rule, select Policies > Security, edit the rule, select Actions, and select the Log Forwarding profile you created.
- Select Device > Log Settings and configure the destinations for System, Configuration, User-ID, HIP Match, and Correlation logs. For each log type that the firewall will forward, Add one or more match list profiles as you did in the Log Forwarding profile.
- (PA-7000 Series firewalls only) Select Network > Interfaces > Ethernet and Add Interface to configure a log card interface for log forwarding.
- Commit your changes.
- Verify the log destinations you configured are receiving
  - Email server—Verify that the specified recipients are receiving logs as email notifications.
  - Syslog server—Refer to your syslog server documentation to verify it is receiving logs as syslog messages.
  - SNMP trap server—Use your SNMP Manager to verify it is receiving logs as SNMP traps.
  - HTTP server—Verify that the HTTP destination is receiving logs.
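Because the Filter Builder expression decides which logs reach a destination, it is worth checking an expression against a few representative records before you commit it, and again when a destination appears to be missing events. The following is an added example, not PAN-OS code or the vendor's own: a small Python evaluator for the filter syntax the Filter Builder produces (`(attribute operator value)` terms joined with `and`, `or` and `not`), run against constructed sample records. The attribute name `subtype` for the Threat log type, the operator set `eq`/`neq`/`contains`/`geq`/`leq`, and the severity ordering used for `geq`/`leq` are assumptions about the firewall's query language, not taken from this page; confirm them against the Filter Builder drop-downs on your release.

```python
"""
Evaluate PAN-OS-style log filter expressions against log records.

Added example: this does not talk to a firewall. It models the match-list
filter semantics ("forward only the records this expression matches") so a
Filter Builder expression can be sanity-checked before it is committed.
Assumptions (not from the original page): the Threat-log type attribute is
`subtype`; operators are eq/neq/contains/geq/leq; severity is ordered
informational < low < medium < high < critical.
"""
import re
from typing import Callable, Dict, List

Log = Dict[str, str]
Predicate = Callable[[Log], bool]

SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Constructed sample records (not real firewall output).
SAMPLE_LOGS: List[Log] = [
    {"type": "THREAT", "subtype": "wildfire-virus", "severity": "high",
     "srcuser": "acme\\alice", "action": "block"},
    {"type": "THREAT", "subtype": "vulnerability", "severity": "medium",
     "srcuser": "acme\\bob", "action": "alert"},
    {"type": "THREAT", "subtype": "wildfire-virus", "severity": "medium",
     "srcuser": "acme\\carol", "action": "alert"},
    {"type": "TRAFFIC", "subtype": "end", "severity": "informational",
     "srcuser": "acme\\alice", "action": "allow"},
]

# Parentheses and quoted strings are their own tokens; everything else splits
# on whitespace, so "(subtype eq wildfire-virus)" tokenizes without spaces.
TOKEN_RE = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


def _rank(value: str) -> int:
    """Ordering for geq/leq: severity names, otherwise a plain integer."""
    v = value.lower()
    if v in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(v)
    return int(v)  # numeric attributes such as ports or byte counts (assumption)


OPS: Dict[str, Callable[[str, str], bool]] = {
    "eq": lambda a, b: a.lower() == b.lower(),
    "neq": lambda a, b: a.lower() != b.lower(),
    "contains": lambda a, b: b.lower() in a.lower(),
    "geq": lambda a, b: _rank(a) >= _rank(b),
    "leq": lambda a, b: _rank(a) <= _rank(b),
}


class FilterParser:
    """Recursive-descent parser: or_expr > and_expr > unary > comparison."""

    def __init__(self, expr: str) -> None:
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return pred

    def or_expr(self) -> Predicate:
        preds = [self.and_expr()]
        while self.peek() == "or":
            self.take()
            preds.append(self.and_expr())
        return lambda log: any(p(log) for p in preds)

    def and_expr(self) -> Predicate:  # "and" binds tighter than "or"
        preds = [self.unary()]
        while self.peek() == "and":
            self.take()
            preds.append(self.unary())
        return lambda log: all(p(log) for p in preds)

    def unary(self) -> Predicate:
        tok = self.peek()
        if tok == "not":
            self.take()
            inner = self.unary()
            return lambda log: not inner(log)
        if tok == "(":
            self.take()
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.comparison()

    def comparison(self) -> Predicate:
        attr, op, value = self.take(), self.take(), self.take()
        value = value.strip("'")  # quoted values may contain spaces or backslashes
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        return lambda log: OPS[op](log.get(attr, ""), value)


def select_for_forwarding(filter_expr: str, logs: List[Log]) -> List[Log]:
    """Records a match list profile with this filter would forward."""
    matches = FilterParser(filter_expr).parse()
    return [log for log in logs if matches(log)]


if __name__ == "__main__":
    analyst_filter = "(subtype eq wildfire-virus) and (severity geq high)"
    for log in select_for_forwarding(analyst_filter, SAMPLE_LOGS):
        print(log["subtype"], log["severity"], log["srcuser"])
```

Run the evaluator with the same expression you intend to paste into the Filter Builder and a handful of records copied from the Monitor tab; if a record you expect at the destination is not selected, the filter is the cause rather than the server profile or transport. Keep in mind that a narrow filter only restricts what is forwarded to that destination: an over-narrow expression creates a blind spot at the SIEM, so pair analyst-specific match list profiles with a broader one that feeds long-term storage.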