Log Forwarding Profile Configuration Object
Table of Contents
- Log Forwarding Profile Configuration Object
- Table of Contents
- Overview
- Core Methods
- Log Forwarding Profile Model Attributes
- Exceptions
- Basic Configuration
- Usage Examples
- Managing Configuration Changes
- Error Handling
- Best Practices
- Related Modules
Overview
The log_forwarding_profile Ansible module provides functionality to manage Log Forwarding Profile objects in Palo Alto Networks' Strata Cloud Manager (SCM). Log Forwarding Profiles let you define filtering and forwarding rules for logs generated by Palo Alto Networks firewalls, so that selected logs can be forwarded to external systems such as SIEM solutions, or to Panorama for centralized logging.
Core Methods
| Method | Description | Parameters | Returned |
|---|---|---|---|
| create | Creates a new log forwarding profile | Log forwarding profile configuration | Log forwarding profile details |
| update | Updates an existing log forwarding profile | Log forwarding profile with modifications | Updated log forwarding profile |
| delete | Removes a log forwarding profile | Log forwarding profile name and container | Status of operation |
| fetch | Gets a log forwarding profile by name | Name and container | Log forwarding profile details |
Log Forwarding Profile Model Attributes
| Attribute | Type | Required | Description |
|---|---|---|---|
| name | str | Yes | Name of the log forwarding profile (max 63 chars) |
| description | str | No | Description of the log forwarding profile |
| match_list | list | Yes (if present) | List of match list configurations for log forwarding |
| filter | list | No | List of filter configurations used by match lists |
| folder | str | One container | The folder in which the profile is defined (max 64 chars) |
| snippet | str | One container | The snippet in which the profile is defined (max 64 chars) |
| device | str | One container | The device in which the profile is defined (max 64 chars) |
Match List Attributes
| Attribute | Type | Required | Description |
|---|---|---|---|
| name | str | Yes | Name of the match list entry |
| action | str | Yes | Action to perform (tagging or forwarding) |
| send_http | list | No | List of HTTP server profiles to use for forwarding |
| filter | str | No | Filter name to apply to this match list |
| description | str | No | Description of the match list entry |
| log_type | str | No | Type of logs to match (traffic, threat, etc.) |
| send_to_panorama | bool | No | Whether to send matching logs to Panorama |
| snmp_profiles | list | No | List of SNMP profiles to use |
| email_profiles | list | No | List of email profiles to use |
| syslog_profiles | list | No | List of syslog profiles to use |
| tag | list | No | List of tags to apply to matching logs |
Filter Attributes
| Attribute | Type | Required | Description |
|---|---|---|---|
| name | str | Yes | Name of the filter |
| filter | str | Yes | Filter expression |
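The constraints in the three attribute tables above (name length, exactly one container, valid action, match lists referencing a defined filter) can be checked before a playbook ever talks to SCM. The validator below is an added example written against those tables, not code from the cdot65.scm collection; the requirements that filter names be unique, that a forwarding entry name at least one destination and that a tagging entry carry a tag are this example's own sanity checks, not documented module rules.

```python
from __future__ import annotations
from typing import Any

CONTAINERS = ("folder", "snippet", "device")
ACTIONS = ("forwarding", "tagging")
# Destination keys from the match list table, plus send_syslog as used in the complex example on this page.
FORWARDING_TARGETS = ("send_http", "send_to_panorama", "snmp_profiles",
                      "email_profiles", "syslog_profiles", "send_syslog")

def validate_profile(args: dict[str, Any]) -> list[str]:
    """Return a list of problems with the task arguments; an empty list means they look valid."""
    errors: list[str] = []
    name = args.get("name")
    if not name:
        errors.append("name is required")
    elif len(name) > 63:
        errors.append(f"name '{name}' exceeds 63 characters")
    # Exactly one container (folder, snippet or device), each at most 64 characters.
    present = [c for c in CONTAINERS if args.get(c)]
    if len(present) != 1:
        errors.append(f"exactly one of {CONTAINERS} must be set, got {present}")
    for c in present:
        if len(args[c]) > 64:
            errors.append(f"{c} '{args[c]}' exceeds 64 characters")
    # Filters need a name and an expression; unique names are an assumption made here so references are unambiguous.
    filter_names: set[str] = set()
    for f in args.get("filter") or []:
        if not f.get("name") or not f.get("filter"):
            errors.append(f"filter entry {f!r} needs both 'name' and 'filter'")
        elif f["name"] in filter_names:
            errors.append(f"duplicate filter name '{f['name']}'")
        else:
            filter_names.add(f["name"])
    # Match lists: valid action and a filter reference that resolves to a defined filter.
    # The destination and tag checks are this example's own sanity checks, not documented rules.
    for m in args.get("match_list") or []:
        label = m.get("name") or "<unnamed>"
        action = m.get("action")
        if action not in ACTIONS:
            errors.append(f"match_list '{label}': action must be one of {ACTIONS}")
        ref = m.get("filter")
        if ref and ref not in filter_names:
            errors.append(f"match_list '{label}': unknown filter '{ref}'")
        if action == "forwarding" and not any(m.get(t) for t in FORWARDING_TARGETS):
            errors.append(f"match_list '{label}': forwarding entry has no destination")
        if action == "tagging" and not m.get("tag"):
            errors.append(f"match_list '{label}': tagging entry has no tags")
    return errors
```

Feeding the module arguments from a playbook's vars file through this function (for example in a pre-task or a CI check) catches a mistyped filter reference or a second container key before the task fails against the API.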
Exceptions
| Exception | Description |
|---|---|
| InvalidObjectError | Invalid log forwarding profile data or format |
| NameNotUniqueError | Log forwarding profile name already exists |
| ObjectNotPresentError | Log forwarding profile not found |
| MissingQueryParameterError | Missing required parameters |
| AuthenticationError | Authentication failed |
| ServerError | Internal server error |
Basic Configuration
The Log Forwarding Profile module requires proper authentication credentials to access the Strata Cloud Manager API.
```yaml
- name: Basic Log Forwarding Profile Configuration
  hosts: localhost
  gather_facts: false
  vars:
    provider:
      client_id: "your_client_id"
      client_secret: "your_client_secret"
      tsg_id: "your_tsg_id"
      log_level: "INFO"
  tasks:
    - name: Ensure a log forwarding profile exists
      cdot65.scm.log_forwarding_profile:
        provider: "{{ provider }}"
        name: "threat-logs-to-siem"
        description: "Forward threat logs to SIEM system"
        folder: "Shared"
        filter:
          - name: "critical-threats"
            filter: "severity eq critical"
        match_list:
          - name: "forward-critical-threats"
            action: "forwarding"
            send_http: ["siem-profile"]
            log_type: "threat"
            filter: "critical-threats"
            send_to_panorama: true
        state: "present"
```
Usage Examples
Creating Log Forwarding Profiles
Log forwarding profiles can contain filters and match lists that define what logs to forward and where to send them.
Basic Log Forwarding Profile
This example creates a simple log forwarding profile with a single filter and match list.
```yaml
- name: Create a log forwarding profile with filter and match list
  cdot65.scm.log_forwarding_profile:
    provider: "{{ provider }}"
    name: "test-log-profile"
    description: "Test log forwarding profile"
    folder: "Texas"
    filter:
      - name: "critical-events"
        filter: "severity eq critical"
    match_list:
      - name: "forward-critical-threats"
        action: "forwarding"
        send_http: ["secure-profile"]
        log_type: "threat"
        filter: "critical-events"
        send_to_panorama: true
    state: "present"
```
Complex Log Forwarding Profile
This example creates a more complex log forwarding profile with multiple filters and match lists.
```yaml
- name: Create a complex log forwarding profile
  cdot65.scm.log_forwarding_profile:
    provider: "{{ provider }}"
    name: "comprehensive-log-profile"
    description: "Comprehensive log forwarding profile"
    folder: "Texas"
    filter:
      - name: "critical-events"
        filter: "severity eq critical"
      - name: "warning-events"
        filter: "severity eq warning"
      - name: "admin-events"
        filter: "admin eq true"
    match_list:
      - name: "forward-critical-threats"
        action: "forwarding"
        send_http: ["secure-profile"]
        log_type: "threat"
        filter: "critical-events"
        send_to_panorama: true
      - name: "tag-warning-events"
        action: "tagging"
        log_type: "traffic"
        filter: "warning-events"
        tag: ["warning", "review"]
      - name: "forward-admin-events"
        action: "forwarding"
        send_http: ["admin-profile"]
        log_type: "auth"
        filter: "admin-events"
        send_syslog: ["admin-syslog"]
    state: "present"
```
Updating Log Forwarding Profiles
This example updates an existing log forwarding profile with additional filters and match lists.
```yaml
- name: Update an existing log forwarding profile
  cdot65.scm.log_forwarding_profile:
    provider: "{{ provider }}"
    name: "test-log-profile"
    description: "Updated log forwarding profile"
    folder: "Texas"
    filter:
      - name: "critical-events"
        filter: "severity eq critical"
      - name: "warning-events"
        filter: "severity eq warning"
    match_list:
      - name: "forward-critical-threats"
        action: "forwarding"
        send_http: ["secure-profile"]
        log_type: "threat"
        filter: "critical-events"
        send_to_panorama: true
      - name: "tag-warning-events"
        action: "tagging"
        filter: "warning-events"
        tag: ["warning", "review"]
    state: "present"
```
Deleting Log Forwarding Profiles
This example removes a log forwarding profile.
```yaml
- name: Delete a log forwarding profile
  cdot65.scm.log_forwarding_profile:
    provider: "{{ provider }}"
    name: "test-log-profile"
    folder: "Texas"
    state: "absent"
```
Managing Configuration Changes
Performing Commits
After creating, updating, or deleting log forwarding profiles, you need to commit your changes to apply them.
```yaml
- name: Commit changes
  cdot65.scm.commit:
    provider: "{{ provider }}"
    folders: ["Texas"]
    description: "Updated log forwarding profiles"
```
Error Handling
It's important to handle potential errors when working with log forwarding profiles.
```yaml
- name: Create or update log forwarding profile with error handling
  block:
    - name: Ensure log forwarding profile exists
      cdot65.scm.log_forwarding_profile:
        provider: "{{ provider }}"
        name: "test-log-profile"
        description: "Test log forwarding profile"
        folder: "Texas"
        filter:
          - name: "critical-events"
            filter: "severity eq critical"
        match_list:
          - name: "forward-critical-threats"
            action: "forwarding"
            send_http: ["secure-profile"]
            log_type: "threat"
            filter: "critical-events"
            send_to_panorama: true
        state: "present"
      register: profile_result
    - name: Commit changes
      cdot65.scm.commit:
        provider: "{{ provider }}"
        folders: ["Texas"]
        description: "Updated log forwarding profiles"
  rescue:
    - name: Handle errors
      debug:
        msg: "An error occurred: {{ ansible_failed_result.msg }}"
```
Best Practices
- Filter Design
  - Create specific, well-defined filters for precise log selection
  - Use descriptive filter names that indicate their purpose
  - Keep filter expressions simple and focused for better performance
  - Test filter expressions thoroughly before implementing them in production
- Match List Configuration
  - Organize match lists logically based on log types and destinations
  - Use descriptive names for match list entries
  - Consider the order of match lists, as it can affect processing
  - Use the appropriate action (forwarding vs. tagging) based on your requirements
- Server Profile Management
  - Ensure HTTP server profiles exist before referencing them in log forwarding profiles
  - Test connectivity to external servers before enabling forwarding
  - Consider server capacity and bandwidth when configuring forwarding
  - Implement proper error handling for server connection issues
- Performance Considerations
  - Be selective about which logs to forward to reduce network and server load
  - Use specific filters rather than broad ones to reduce processing overhead
  - Consider the impact of log forwarding on firewall performance
  - Monitor forwarding performance and adjust configurations as needed
- Security Best Practices
  - Use secure transport (SSL/TLS) for forwarded logs whenever possible
  - Limit access to log forwarding configurations
  - Regularly review and audit log forwarding settings
  - Implement proper authentication for log receivers
- Change Management
  - Test changes in a non-production environment before applying them to production
  - Document all log forwarding configurations and changes
  - Use descriptive commit messages when applying changes
  - Implement change control procedures for log forwarding modifications
Related Modules
- log_forwarding_profile_info - Retrieve information about log forwarding profiles
- http_server_profiles - Manage HTTP server profiles used in log forwarding
- http_server_profiles_info - Retrieve information about HTTP server profiles
- commit - Commit configuration changes