Hi everyone,
I've deployed a virtual log collector (VLC) into a DMZ and I'm attempting to capture Palo Alto SysLog traffic.
I've followed the instructions via sadocs.emc.com about configuring the event sources but I'm not sure what else is required. The Palo Alto is configured to send it's syslog traffic to the VLC
has anyone else been able to get syslog traffic forwarded to a VLC that might be able to help?
Thanks.
Jeremy, After making the changes on your Palo Alto box, have you confirmed that syslog is being sent? Have you successfully received any other syslog on your VLC?
Try these resources;
How to Forward System Logs to Syslog Server - Live Community
Log Collection Guides - RSA Security Analytics Documentation
I hope this helps...
Jeremy as others have stated check to make sure that you are receiving the syslog from the PA device. You can use tcpdump on the interface you are sending the logs to on the VLC to see if you see the syslog messages filter on port 514. If not then you have an issue on the PA device (or between it and the VLC). If you see the traffic making it to the VLC then you need to validate you have syslog started and make sure you have it configured for the appropriate type which is usually udp port 514. To validate this on the VLC go to config then event sources then select syslog from the drop down box. Under the event categories you should see at least one defined here (there is either syslog-udp, syslog-tcp or both added).
If you have gotten this far and followed the instructions in the links from the other replies then more details would be required in order to help.
Hi Jeremy,
Can you try this KB# https://community.rsa.com/docs/DOC-58534.
Thanks,
Sravan