5. Configure Syslog
The syslog part is straightforward: the received SNMP traps are already logged through syslog, so rsyslog sees them without any extra configuration. All that is left is a forwarding rule that makes our new server send those log lines on to the Palo Alto.
- Edit the rsyslog.conf file:
vi /etc/rsyslog.conf
- At the end of the file, you can find the “### begin forwarding rule ###” section
- First, uncomment these lines (optional, but recommended: they give the forwarding action a disk-assisted queue, so messages are spooled locally and retried instead of being dropped while the Palo Alto is unreachable). Keep them directly above the forwarding line, because these legacy $Action... settings apply only to the next action that follows them:
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
- Next, add the forwarding line at the end of the section, pointing at the Palo Alto interface whose interface management profile allows the User-ID syslog listener (this is the IP on the Palo Alto side that will receive the syslog messages):
*.* @10.1.1.1
ℹ️ *.* matches every facility and severity, so every log line of this server (not only the trap messages) is sent to the firewall; a single @ means UDP, and with no port given rsyslog uses 514, which is also the default port of the PAN-OS User-ID UDP syslog listener. Remember that plain UDP syslog is neither authenticated nor encrypted, so keep this traffic on a management network.
- Save and exit vi
- Restart the rsyslog service so the new rule is loaded:
systemctl restart rsyslog
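The same configuration as a small script, added here as a worked example and not part of the original article. It writes the forwarding rule as a drop-in file using rsyslog's action() form (equivalent to the legacy $ActionQueue... lines above, but with the queue parameters bound to that one action), checks the configuration before restarting, and sends a test message. The target 10.1.1.1, UDP port 514 and the drop-in file name 90-paloalto-userid.conf are assumptions you should adapt.

```shell
#!/bin/sh
# Added example (not from the original article): generate, validate and test an
# rsyslog forwarding rule towards the Palo Alto User-ID syslog listener.
# Assumed values: PAN_IP 10.1.1.1 (as in the article), UDP/514 (PAN-OS default
# for the User-ID UDP listener), and our own drop-in file name.

PAN_IP="${PAN_IP:-10.1.1.1}"
PAN_PORT="${PAN_PORT:-514}"
CONF="${CONF:-/etc/rsyslog.d/90-paloalto-userid.conf}"

# Print the rsyslog fragment. $1 = target IP, $2 = UDP port.
# The queue.* parameters make the action disk-assisted: messages are spooled
# locally and retried forever while the firewall is unreachable.
render_forwarding_rule() {
    cat <<EOF
# Forward every message to the Palo Alto User-ID syslog listener (UDP).
*.* action(type="omfwd" target="$1" port="$2" protocol="udp"
           queue.type="LinkedList"
           queue.filename="fwdRule1"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# Write the drop-in and restart rsyslog (run as root). rsyslogd -N1 parses the
# whole configuration, drop-ins included, without starting the daemon, so a
# syntax error is caught before the running service is touched.
install_forwarding_rule() {
    render_forwarding_rule "$PAN_IP" "$PAN_PORT" > "$CONF"
    rsyslogd -N1 && systemctl restart rsyslog
}

# Emit a constructed message you can watch for on the wire
# (tcpdump -ni any udp port "$PAN_PORT") and in the firewall's User-ID logs.
send_test_message() {
    logger -p daemon.info "rsyslog forwarding test to $PAN_IP:$PAN_PORT"
}

case "${1:-}" in
    render)  render_forwarding_rule "$PAN_IP" "$PAN_PORT" ;;
    install) install_forwarding_rule ;;
    test)    send_test_message ;;
    *)       echo "usage: $0 render|install|test" >&2 ;;
esac
```

Run it with render to see the fragment, install (as root) to deploy and restart, and test to send a message. If you do not want every log line of the server to reach the firewall, narrow the *.* selector to the facility the trap daemon logs to.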
Thanks for this great article. Did you already have time to create your new article avoiding the CentOS server?
Didn’t plan a new article ;-). On the WLC you only need to enable the logging syslog facility client associate option, and on the Palo Alto side you need to create a new Syslog receiver for User-ID.