The Palo Alto Networks security platform must generate audit records when successful/unsuccessful attempts to access privileges occur.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-228642	SRG-APP-000091-NDM-000223	PANW-NM-000024	SV-228642r960885_rule	2025-03-12	3

Description
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. By default, the Configuration Log contains the administrator username, client (Web or CLI), and date and time for any changes to configurations and for configuration commit actions. The System Log also shows both successful and unsuccessful attempts for configuration commit actions. The System Log and Configuration Log can be configured to send log messages by severity level to specific destinations; the Panorama management console, an SNMP console, an e-mail server, or a syslog server. Since both the System Log and Configuration Log contain information concerning the use of privileges, both must be configured to send messages to a syslog server at a minimum.

Description

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. By default, the Configuration Log contains the administrator username, client (Web or CLI), and date and time for any changes to configurations and for configuration commit actions. The System Log also shows both successful and unsuccessful attempts for configuration commit actions. The System Log and Configuration Log can be configured to send log messages by severity level to specific destinations; the Panorama management console, an SNMP console, an e-mail server, or a syslog server. Since both the System Log and Configuration Log contain information concerning the use of privileges, both must be configured to send messages to a syslog server at a minimum.

ℹ️ Check
Go to Device >> Log Settings >> System If any severity level does not have a Syslog Profile, this is a finding.

✔️ Fix
Create a syslog server profile. Go to Device >> Server Profiles >> Syslog Select "Add" In the "Syslog Server Profile", enter the name of the profile; select "Add". In the "Servers" tab, enter the required information. Name: Name of the syslog server Server: Server IP address where the logs will be forwarded to Port: Default port 514 Facility: Select from the drop down list Select "OK". Go to Device >> Log Settings >> System For each severity level, select which destinations should receive the log messages. Note: The "Syslog Profile" field must be completed. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

✔️ Fix

Create a syslog server profile. Go to Device >> Server Profiles >> Syslog Select "Add" In the "Syslog Server Profile", enter the name of the profile; select "Add". In the "Servers" tab, enter the required information. Name: Name of the syslog server Server: Server IP address where the logs will be forwarded to Port: Default port 514 Facility: Select from the drop down list Select "OK". Go to Device >> Log Settings >> System For each severity level, select which destinations should receive the log messages. Note: The "Syslog Profile" field must be completed. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.