1.1.1.1 Syslog logging should be configured

Information

Syslog logging is a standard logging protocol that is widely supported. It is recommended for a level 1 deployment only, as syslog does not support encryption.

Rationale:

Sending all system logs to a remote host is recommended to provide protected, long term storage and archiving. This also places a copy of the logs in a second location, in case the primary (on the firewall) logs are compromised. Storing logs on a remote host also allows for more flexible log searches and log processing, as well as many methods of triggering events or scripts based on specific log events or combinations of events. Finally, remote logging provides many organizations with the opportunity to combine logs from disparate infrastructure in a SIEM (Security Information and Event Management) system.

Logging to an external system is also usually required by most regulatory frameworks.

Impact:

Failure to properly store and archive logs for critical infrastructure leaves an organization without the tools required to establish trends in events or activity, or to retrospectively analyze security or operational events beyond the log timespan stored on the firewall. Not having remote logs also puts many organizations outside of compliance with many regulatory frameworks. Finally, not logging to a remote host leaves organizations without recourse in the event of a compromise of logs on the primary device. It is imperative that organizations log critical infrastructure appropriately, store and archive these logs in a central location, and have a robust set of tools to analyze logs both in real time and after the fact.

Solution

Navigate to Device > Server Profiles > Syslog
Choose Add
Assign a Name to the Profile. Choose Add, and assign a server name in the Name field, add an IP address or FQDN in the Syslog Server field. Edit other fields as appropriate for your server.
Repeat if multiple Syslog destinations are required.
Navigate to Device > Log Settings
Under System, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the Log Settings Configuration entries has it's Filter setting at All Logs
Under Configuration, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the Log Settings Configuration entries has it's Filter setting at All Logs
Under User-ID, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the Log Settings Configuration entries has it's Filter setting at All Logs
Under HIP Match (Host Information Profile), add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the Log Settings Configuration entries has it's Filter setting at All Logs
Under IP-Tag, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the Log Settings Configuration entries has it's Filter setting at All Logs

Default Value:

By default no external logging is defined

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-1, 800-53|AU-2, CSCv7|6.2

Plugin: Palo_Alto

Control ID: 1e907c6639c0a5c3acf6897a011c8e16d09182274200def03c5acbc3ae5e94dc