Palo Alto – How to Create System Log Alerts





We have multiple devices that can go down at any moment, and learning where to troubleshoot can become a headache. A great tool for troubleshooting network issues is the built-in system log. It contains information that can narrow down the issue, or that can be used proactively to fix a problem before it affects the network infrastructure.
We tend to forget that system logs exist until the day something goes wrong. We start by digging through all of the log events, trying to make sense of them. A better approach is to have the firewall email you the specific events that help you solve the issue.
Inside a Palo Alto firewall, System Log events have the following severity levels:

1.    Critical – hardware failure or link failure.
2.    High – dropped connections to devices.
3.    Medium – updates, upgrades, failed WildFire submissions, failed authentication.
4.    Low – minor changes to the system.
5.    Informational – configuration changes, log in / log off, and basic system information.

We can take advantage of the filtering process to send out valuable information like OSPF adjacency drop, Authentication Failure, and Critical Events on the system.

To configure an email message to Outlook or Gmail we must configure the following under the Device tab:
1.    Server Profiles > Email
2.    Log Settings

A separate post will cover how to set up an Email Profile.
Link:

Logging Settings:
Device > Log Settings > System > Add

In the image above, we can see the filter builder. It works the same way as the filter in the Traffic monitor: we combine conditions with operators to narrow the results.
Use the "View Filtered Logs" tab to check your results. Once you are happy with them, add your email profile to the Log Settings entry and commit your changes.

Now you can be proactive rather than being reactive.

Here are a few System log filters I have set up in the past that come in handy.

  1. OSPF Adjacency Down
     ( subtype eq routing ) and ( eventid eq routed-OSPF-neighbor-down )
  2. OSPF Adjacency Up
     ( subtype eq routing ) and ( eventid eq routed-OSPF-neighbor-full )
  3. Authentication Failed
     ( subtype eq auth ) and ( eventid eq auth-fail )
  4. Authentication All
     ( subtype eq auth )
  5. Critical System Events
     ( severity eq critical )
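As an added example (not part of the original post and not a Palo Alto tool), here is a small Python evaluator for the filter syntax used in the list above, run against constructed sample log records so you can check what a filter would match before committing it. It assumes the `eq`/`neq` operators and `and`/`or` with explicit parentheses, and combines `and`/`or` left to right, which is a simplification of the PAN-OS filter builder.

```python
import re
# Constructed sample system-log records (values made up); keys are the post's filter fields.
SAMPLE_LOGS = [
    {"subtype": "routing", "eventid": "routed-OSPF-neighbor-down", "severity": "critical"},
    {"subtype": "routing", "eventid": "routed-OSPF-neighbor-full", "severity": "informational"},
    {"subtype": "auth", "eventid": "auth-fail", "severity": "medium"},
    {"subtype": "auth", "eventid": "auth-success", "severity": "informational"},
    {"subtype": "general", "eventid": "general", "severity": "critical"},
]
TOKEN = re.compile(r"\(|\)|[^\s()]+")  # a paren or a bare word
def _parse_expr(tokens):
    # expr := term (("and" | "or") term)*, combined left to right
    left = _parse_term(tokens)
    while tokens and tokens[0] in ("and", "or"):
        op = tokens.pop(0)
        left = (op, left, _parse_term(tokens))
    return left

def _parse_term(tokens):
    # term := "(" expr ")" | field ("eq" | "neq") value
    if tokens and tokens[0] == "(":
        tokens.pop(0)
        inner = _parse_expr(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
        return inner
    if len(tokens) < 3:
        raise ValueError("incomplete comparison")
    field, op, value = tokens.pop(0), tokens.pop(0), tokens.pop(0)
    if op not in ("eq", "neq"):
        raise ValueError(f"unsupported operator {op!r}")
    return (op, field, value)

def compile_filter(text):
    tokens = TOKEN.findall(text)
    tree = _parse_expr(tokens)
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return tree

def _eval(tree, record):
    op, a, b = tree
    if op in ("and", "or"):
        left, right = _eval(a, record), _eval(b, record)
        return (left and right) if op == "and" else (left or right)
    return (record.get(a) == b) if op == "eq" else (record.get(a) != b)

def match_logs(filter_text, records=SAMPLE_LOGS):
    """Return the eventids of the records a PAN-OS-style filter matches."""
    tree = compile_filter(filter_text)
    return [r["eventid"] for r in records if _eval(tree, r)]
```

Feeding it the filters from the list shows which sample events each alert would fire on, which is the same sanity check the "View Filtered Logs" tab gives you on the firewall.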




Thank you,

AzNetAdmin
