Customize Logging and Reporting Settings in PAN-OS

Palo Alto Networks firewalls provide flexible options to customize logging and reporting to meet operational, security, and compliance needs. The configuration can be tailored for log storage quotas, expiration periods, scheduling, formatting, and export methods.

1. Log Storage Quotas and Expiration

Navigate to Device > Setup > Management and edit Logging and Reporting Settings .
Select the Log Storage tab.
Define quotas per log type (as % of total storage).
Set maximum retention (Max Days) per log type (1–2000 days).

Note: When quota is reached, old logs are deleted even without expiration period settings. HA pairs sync expiration settings:contentReference[oaicite:0]{index=0}.

2. Customize Report Settings

Access via Device > Setup > Management > Logging and Reporting Settings .
Set Report Runtime (default 02:00 daily).
Set Report Expiration Period (in days; default: none):contentReference[oaicite:1]{index=1}.

3. Manage Predefined and Custom Reports

Disable unused predefined reports to save resources: Device > Setup > Management > Pre-Defined Reports .
Create custom reports via Monitor > Reports > Custom Reports .
Schedule reports for email via Monitor > PDF Reports .

4. Export and Email Logs

Export logs in CSV, PDF, XML formats from Monitor > Logs .
Filter and export traffic logs by date/time range.
Schedule exports to FTP/SCP: Device > Scheduled Log Export .
Send email alerts using Log Forwarding Profiles assigned to security rules:contentReference[oaicite:2]{index=2}.

5. Create and Manage Log Forwarding Profiles

Navigate to Objects > Log Forwarding .
Create a profile specifying log type and severity.
Assign it to policies under Policies > Security > Actions .

6. Customize Syslog and Email Log Format

Create Syslog Server Profiles via Device > Server Profiles > Syslog .
Customize log headers under Device > Setup > Management .
For email logs, define Email Server Profiles with optional custom format:contentReference[oaicite:3]{index=3}.

7. GlobalProtect Log Collection Settings

Enable GlobalProtect app log collection under Portal > Agent > App .
Send logs to Strata Logging Service for diagnostics.
Set up autonomous DEM for proactive insights:contentReference[oaicite:4]{index=4}.

8. Useful Report Types for PCNSE

Application Reports : Traffic per app.
Threat Reports : Top attackers, exploit vectors.
URL Reports : Web usage patterns.
Botnet Reports : Detect compromised hosts.

Mermaid Flow Diagram: Logging Workflow

graph TD A[Traffic Matching Policy] --> B{Log Setting Enabled?} B -- Yes --> C[Generate Log Entry] C --> D{Log Forwarding Profile?} D -- Yes --> E[Forward to Syslog/Email/Collector] D -- No --> F[Store in Local Log DB] F --> G[Viewable via Monitor > Logs]

Mermaid Sequence Diagram: Report Lifecycle

sequenceDiagram participant Admin participant Firewall participant LogStorage participant EmailServer Admin->>Firewall: Schedule Report Firewall->>LogStorage: Generate Report at Runtime LogStorage->>Firewall: Return Report Firewall-->>Admin: View/Export Report Firewall->>EmailServer: Send Report (Scheduled)