Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)

5. Configure Syslog

The syslog configuration is really easy, because SNMP traps are automatically handled by rsyslog. So we only need to configure a forwarding rule to tell our new server to resend the log further.

  • Edit the rsyslog.conf file:
vi /etc/rsyslog.conf
  • At the end of the file, you can find the “### begin forwarding rule ###” section
  • First, uncomment these lines (not mandatory, but “nice to have” options):
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
  • Next add your Palo Alto allowed User ID interface at the end of the section (the IP on the Palo Alto side that will receive the syslog messages):
*.* @10.1.1.1

ℹ️ *.* means ALL messages type and @ means UDP

  • Save and exit vi
  • Reload the rsyslog service:
systemctl restart rsyslog

Leave a Reply

Your email address will not be published. Required fields are marked *

*