To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format
Step-by-Step Explanation:
Understanding Log Forwarding in PAN-OS:
Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.
Traffic logs can be customized to include additional information that meets the audit or operational requirements.
Syslog Server Profiles:
Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.
These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).
Custom Log Format:
Navigate to Device > Server Profiles > Syslog.
Within the Syslog Server Profile, define a Custom Log Format for traffic logs.
Using this feature, the engineer can include additional fields requested by the internal audit team, such as threat severity, application details, or user ID.
Field Specification:
In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.
Example:
$receive_time,$src,$dst,$app,$action,$rule
The engineer can include specific details as requested by the audit team.
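On the receiving side, the parser has to agree with the format string configured in the Syslog Server Profile, otherwise audit fields end up in the wrong columns. The following is an added example (not from the original page or from Palo Alto Networks) that derives a parser from the format string above and rejects lines that do not match it. It assumes the syslog header has already been stripped, that variable names consist of word characters, and that values do not contain the neighbouring separator; the sample lines are constructed.

```python
import re

# Format string from this page's Custom Log Format example for traffic logs.
FORMAT = "$receive_time,$src,$dst,$app,$action,$rule"

def compile_format(fmt):
    """Build a regex with one named group per $variable in the format string.

    Each value may not contain the separator character next to it, so a line
    with missing or extra fields fails to match instead of shifting columns.
    """
    tokens = list(re.finditer(r"\$(\w+)", fmt))
    parts, pos = [], 0
    for i, tok in enumerate(tokens):
        before = fmt[pos:tok.start()]            # literal text before this variable
        nxt = tokens[i + 1].start() if i + 1 < len(tokens) else len(fmt)
        after = fmt[tok.end():nxt]               # literal text after this variable
        stop = after[:1] or before[-1:]          # separator the value must not contain
        value = f"[^{re.escape(stop)}]*" if stop else ".*"
        parts.append(re.escape(before) + f"(?P<{tok.group(1)}>{value})")
        pos = tok.end()
    parts.append(re.escape(fmt[pos:]))           # trailing literal, if any
    return re.compile("".join(parts))

def parse_lines(fmt, lines):
    """Return (records, rejected): dicts for matching lines, raw text for the rest."""
    regex = compile_format(fmt)
    records, rejected = [], []
    for line in lines:
        m = regex.fullmatch(line.strip())
        if m:
            records.append(m.groupdict())
        else:
            rejected.append(line)                # format drift: surface it, do not guess
    return records, rejected

# Constructed sample messages (message body only, syslog header removed).
SAMPLE = [
    "2024/05/01 10:15:00,10.0.0.5,203.0.113.10,ssl,allow,outbound-web",
    "2024/05/01 10:15:02,10.0.0.9,198.51.100.7,ssh,deny,block-ssh",
    "2024/05/01 10:15:03,10.0.0.9,198.51.100.7,ssh,deny",  # one field short
]

if __name__ == "__main__":
    records, rejected = parse_lines(FORMAT, SAMPLE)
    for record in records:
        print(record)
    print("rejected:", rejected)
```

A non-empty rejected list is the signal that the profile's format and the parser have diverged, for example after a field was added for the audit team.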
Comparison of Other Options:
Option B: Built-in Actions within Objects > Log Forwarding Profile
Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.
Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.
Option C: Logging and Reporting Settings within Device > Setup > Management
These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.
Option D: Data Patterns within Objects > Custom Objects
Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.
Why A is Correct?
The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.
This flexibility allows the firewall engineer to meet specific compliance or audit requirements.
Documentation Reference:
PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.
PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.