Scribd
Upload
19 views4 pages

Configure Tracking of Administrator Activity

The document provides a guide on configuring tracking of administrator activity for Panorama management servers, managed firewalls, and Log Collectors. It details the steps required to set up syslog server profiles for forwarding audit logs, which capture navigational actions and operational commands executed by administrators. The audit logs are essential for real-time reporting and security analysis in case of compromised accounts, but they can only be viewed as syslogs and not within the web interface.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
19 views4 pages

Configure Tracking of Administrator Activity

The document provides a guide on configuring tracking of administrator activity for Panorama management servers, managed firewalls, and Log Collectors. It details the steps required to set up syslog server profiles for forwarding audit logs, which capture navigational actions and operational commands executed by administrators. The audit logs are essential for real-time reporting and security analysis in case of compromised accounts, but they can only be viewed as syslogs and not within the web interface.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

(/content/techdocs/en_US.

html)

Updated on Mar 13, 2025

Home (/) | Panorama (/content/techdocs/en_US/panorama.html)


| Panorama Administrator's Guide (/content/techdocs/en_US/panorama/10-1/panorama-admin.html)
| Set Up Panorama (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama.html)
| Set Up Administrative Access to Panorama (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-
administrative-access-to-panorama.html)
| Configure Tracking of Administrator Activity (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-
administrative-access-to-panorama/configure-tracking-of-administrator-activity.html)

DOWNLOAD PDF (/CONTENT/DAM/TECHDOCS/EN_US/PDF/PANORAMA/10-1/PANORAMA-ADMIN/PANORAMA-


ADMIN.PDF)

Panorama Administrator's Guide


(/content/techdocs/en_US/panorama/10-
1/panorama-admin.html)
Configure Tracking of Administrator Activity

Table of Contents

Track administrator activity on the web interface and CLI of your Panorama™ management server, managed firewalls, and Log
Collectors to achieve real time reporting of activity across your deployment. If you have reason to believe an administrator
account is compromised, you have a full history of where this administrator account navigated throughout the web interface
or what operational commands they executed so you can analyze in detail and respond to all actions the compromised
administrator took.

When an event occurs, an audit log is generated and forwarded to the specified syslog server each time an administrator
navigates through the web interface or when an operational command (https://docs.paloaltonetworks.com/pan-os/10-1/pan-
os-cli-quick-start/cli-command-hierarchy-for-pan-os-101/pan-os-101-cli-ops-command-hierarchy.html) is executed in the CLI.
An audit log is generated for each navigation or commend executed. Take for example if you want to create a new address
object. An audit log is generated when you click on Objects, and a second audit log is generated when you then click on

Addresses.

Audit logs are only visible as syslogs forwarded to your syslog server and cannot be viewed in the Panorama or managed
firewall web interface. Audit logs can only be forwarded to a syslog server, cannot be forwarded to Strata Logging Service,
and are not stored locally on the firewall, Panorama, or Log Collector.

STEP 1 -
Configure a syslog server profile to forward audit logs of administrator activity for Panorama, managed
firewalls, and Log Collectors.

This step is required to successfully store audit logs for tracking administrator activity.

A Select Panorama > Server Profiles > Syslog and Add a new syslog server profile.

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯ Cookie Settings
(https://www.paloaltonetworks.com/legal-notices/privacy)
B Configure a syslog server profile (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-
admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html).

STEP 2 -
Configure administrator activity tracking for your managed firewalls.

This step is required to successfully store audit logs for tracking administrator activity on managed firewalls.

A Select Device > Setup > Management and edit the Logging and Reporting Settings.

B Configure Tracking of Administrator Activity (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-


admin/firewall-administration/manage-firewall-administrators/configure-tracking-of-administrator-

activity.html).

C Select Commit and Commit and Push.

STEP 3 -
Configure administrator activity tracking for Panorama.

A Select Panorama > Setup > Management and edit the Logging and Reporting Settings.

B Select Log Export and Reporting.

C In the Log Admin Activity section, configure what administrator activity to track.

Operational Commands—Generate an audit log when an administrator executes an operational or debug


command in the CLI or an operational command triggered from the web interface. See the CLI
Operational Command Hierarchy (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-

start/cli-command-hierarchy-for-pan-os-101/pan-os-101-cli-ops-command-hierarchy.html) for a full list


of PAN-OS operational and debug commands.

UI Actions—Generate an audit log when an administrator navigates throughout the web interface. This
includes navigation between configuration tabs, as well as individual objects within a tab. 
For example, an audit log is generated when an administrator navigates from the ACC to the Policies
tab. Additionally, an audit log is generated when an administrator navigates from Objects > Addresses to

Objects > Tags.

Syslog Server—Select a target syslog server profile to forward audit logs.

D Click OK

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
E Select Commit and Commit to Panorama.

STEP 4 -
Configure administrator activity tracking for Log Collectors in a Collector Group.

A Select Panorama > Collector Groups and click a Collector Group.

B Select Audit.

C In the Log Admin Activity section, configure audit tracking for CLI activity.

You can only track CLI activity for Log Collectors because Log Collectors you can only

access Log Collectors through the CLI.

Operational Commands—Generate an audit log when an administrator executes an operational or debug 


command in the CLI. See the CLI Operational Command Hierarchy

(https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/cli-command-hierarchy-for-
pan-os-101/pan-os-101-cli-ops-command-hierarchy.html) for a full list of PAN-OS operational and debug

commands.

Syslog Server—Select a target syslog server profile to forward audit logs.

D Click OK.

E Select Commit and Commit to Panorama.

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
Was this information helpful?

Yes No

Previous (/content/techdocs/en_US/panorama/10-
1/panorama-admin/set-up-panorama/set- Next
Configure (/content/techdocs/en_US/panorama/10-
up-administrative-access-to- Set Up
SAML 1/panorama-admin/set-up-panorama/set-
panorama/configure-administrative- Authentication
Authentication accounts-and-authentication/configure- up-authentication-using-custom-
Using Custom
for Panorama saml-authentication-for-panorama- certificates.html)
Certificates
Administrators administrators.html)

Technical Documentation Co

Release Notes (/content/techdocs/en_US/release-notes.html) Abo


Search (/content/techdocs/en_US/search.html) Care
Blog (https://www.paloaltonetworks.com/blog/category/technical- Cus
documentation/) LIVE
Compatibility Matrix (/content/techdocs/en_US/compatibility- Kno
matrix.html)
OSS Listings (/content/techdocs/en_US/oss-listings.html)
Sitemap (/content/techdocs/en_US/sitemap.html)

(https://www.facebook.com/PaloAltoNetworks) (https://w
(https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA)

(/content/techdocs/en_US.html) © 2025 Palo Alto Ne

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)

You might also like