Good day Team,
Trust you are well!
I have a query about forwarding Global Protect SAML authentication logs to a SIEM/syslog server. We have multiple firewalls that are managed by a Panorama. The Panorama acts as a log collector and management server that forwards these logs to the SIEM/syslog server. There is a syslog configuration and profile on the Panorama that sends the logs for traffic, auth, data, decryption, threat, tunnel, URL & WildFire, filtered for "All Logs".
The logs are seen on the siem/syslog server except the global protect client authentication that uses Azure SAML.
We can see IdP Global Protect auth logs in Monitor and System logs, but it is not forwarding this specific log.
The Global Protect security rule, amongst the others, has log forwarding to the profile enabled.
Is there something we are missing?
Regards
ZeroTrust
Can you see the logs in panorama?
You could try setting up a test forward just for the SAML logs to a lab SIEM to see if you receive them there. You can then also set up a packet capture to see if they're being sent but maybe "not received" due to a malformation or something...
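One way to stand up the lab receiver the reply suggests, as an added example that is not part of the original thread or of any Palo Alto tool: a small UDP syslog listener that tallies which PAN-OS log types actually arrive and reports the expected types that never show up. It assumes the default PAN-OS CSV syslog layout (body after the syslog header reads `1,<receive time>,<serial>,<type>,<subtype>,...`), a non-privileged port 5514, and constructed sample lines with a placeholder serial number.

```python
import socket
from collections import Counter

# Log types the Panorama profile is expected to forward (from the thread).
EXPECTED_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "GLOBALPROTECT"}

def pan_log_type(line: str) -> str:
    """Return the PAN-OS log type from one forwarded syslog line, or 'UNKNOWN'.

    Assumption: default PAN-OS CSV layout, so after the syslog header the
    body is '1,<receive time>,<serial>,<type>,<subtype>,...'.
    """
    _head, sep, body = line.partition(" 1,")
    if not sep:
        return "UNKNOWN"
    fields = body.split(",")  # fields[0]=receive time, [1]=serial, [2]=type
    return fields[2].strip().upper() if len(fields) > 2 else "UNKNOWN"

def tally(lines):
    """Count received lines per PAN-OS log type."""
    return Counter(pan_log_type(line) for line in lines)

def missing_types(counts, expected=EXPECTED_TYPES):
    """Expected log types for which nothing reached the receiver."""
    return sorted(t for t in expected if counts[t] == 0)

def listen(port=5514, max_msgs=200):
    """Receive up to max_msgs UDP syslog datagrams and report what arrived."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    lines = []
    for _ in range(max_msgs):
        data, _addr = sock.recvfrom(65535)
        lines.append(data.decode("utf-8", errors="replace"))
    counts = tally(lines)
    print("received per type:", dict(counts))
    print("expected but never seen:", missing_types(counts))
    return counts

# Constructed sample lines (placeholder serial, trailing fields elided) used
# only to exercise the parser; real lines come from the Panorama test profile.
SAMPLE = [
    "<14>Jan 1 10:00:00 panorama-lab 1,2024/01/01 10:00:00,000000000000,TRAFFIC,end,...",
    "<14>Jan 1 10:00:01 panorama-lab 1,2024/01/01 10:00:01,000000000000,SYSTEM,general,...",
    "<14>Jan 1 10:00:02 panorama-lab 1,2024/01/01 10:00:02,000000000000,THREAT,url,...",
    "not a pan-os line",
]

if __name__ == "__main__":
    listen()
```

Point the test syslog profile at this host and port; if `GLOBALPROTECT` (or the SYSTEM auth entries) stays in the "never seen" list while a packet capture on the Panorama shows nothing leaving, the gap is in the forwarding configuration rather than on the SIEM side.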