Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)

5. Configure Syslog

The syslog configuration is really easy, because SNMP traps are automatically handled by rsyslog. We only need to add a forwarding rule that tells our new server to send the logs on to the Palo Alto.

  • Edit the rsyslog.conf file:
vi /etc/rsyslog.conf
  • At the end of the file, you can find the “### begin forwarding rule ###” section
  • First, uncomment these lines (not mandatory, but “nice to have” options):
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
  • Next, add the Palo Alto interface allowed for User-ID at the end of the section (the IP on the Palo Alto side that will receive the syslog messages):
*.* @10.1.1.1

ℹ️ *.* matches messages of every facility and severity, and a single @ means they are forwarded over UDP

  • Save and exit vi
  • Restart the rsyslog service:
systemctl restart rsyslog
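
To check after the edit that every forwarding rule on the server points at the intended User-ID interface, here is an added example (not part of the original article) that parses the legacy-syntax forwarding rules in rsyslog.conf. The function names are hypothetical, and only IPv4 or hostname targets are handled.

```shell
#!/bin/sh
# Added example: audit legacy-syntax forwarding actions in an rsyslog config.
# list_forwards prints one line per active rule: <selector> <udp|tcp> <host> <port>
# Usage: list_forwards /etc/rsyslog.conf
#        check_forward_target /etc/rsyslog.conf 10.1.1.1

list_forwards() {
    # $1 = config path (defaults to the file edited above)
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        /^[ \t]*\$/    { next }        # skip $Directive lines ($ActionQueue...)
        NF >= 2 && $2 ~ /^@/ {         # "@host" = UDP, "@@host" = TCP
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2
            sub(/^@+/, "", target)       # drop the protocol marker
            sub(/^\(.*\)/, "", target)   # drop options such as (z9)
            port = 514                   # default syslog port
            n = split(target, parts, ":")
            if (n == 2) { target = parts[1]; port = parts[2] }
            print $1, proto, target, port
        }
    ' "${1:-/etc/rsyslog.conf}"
}

# Returns 0 only if at least one forwarding rule exists and every rule
# sends to the expected receiver; 1 otherwise; 2 if the file is unreadable.
check_forward_target() {
    # $1 = config path, $2 = expected receiver IP (e.g. the User-ID interface)
    out=$(list_forwards "$1") || return 2
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | awk -v ip="$2" '$3 != ip { bad = 1 } END { exit bad + 0 }'
}
```

A rule reported with the selector `*.*` forwards every local message, including authentication logs, so the output also shows how much more than the SNMP trap messages is being sent to the firewall.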

2 Replies to “Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)”

  1. Thanks for this great article. Did you already have time to create your new article avoiding the CentOS server?

    • Didn’t plan a new article ;-). On the WLC you only need to enable the logging syslog facility client associate option, and on the Palo Alto side you need to create a new Syslog receiver for User-ID.
