In an Enterprise network, SD-WAN Orchestrator supports collection of SD-WAN Orchestrator bound events and firewall logs originating from enterprise SD-WAN Edges to one or more centralized remote Syslog collectors (servers), in the native Syslog format. For a Syslog collector to receive SD-WAN Orchestrator bound events and firewall logs from the configured Edges in an Enterprise at the profile level, configure the Syslog collector details per segment in the SD-WAN Orchestrator by performing the steps in this procedure.

Prerequisites

  • Ensure that Cloud Virtual Private Network (branch-to-branch VPN settings) is configured for the SD-WAN Edge (from where the SD-WAN Orchestrator bound events are originating) to establish a path between the SD-WAN Edge and the Syslog collectors. For more information, see Configure Cloud VPN for Profiles.

Procedure

  1. From the SD-WAN Orchestrator, go to Configure > Profiles.
    The Configuration Profiles page appears.
  2. Select the profile for which you want to configure Syslog settings and click the icon under the Device column.
    The Device Settings page for the selected profile appears.
  3. From the Configure Segment drop-down menu, select a profile segment to configure syslog settings. By default, Global Segment [Regular] is selected.
  4. Go to the Syslog Settings area and configure the following details.
    1. From the Facility Code drop-down menu, select the standard Syslog facility value that matches how your Syslog server uses the facility field to manage messages for all events from SD-WAN Edges. The allowed values are local0 through local7.
      Note: The Facility Code field is configurable only for the Global Segment, whether or not Syslog settings are enabled for the profile. The other segments inherit the facility code value from the Global Segment.
    2. Select the Syslog Enabled checkbox.
    3. In the IP text box, enter the destination IP address of the Syslog collector.
    4. From the Protocol drop-down menu, select either TCP or UDP as the Syslog protocol.
    5. In the Port text box, enter the port number of the Syslog collector. The default value is 514.
    6. As Edge interfaces are not available at the Profile level, the Source Interface field is set to Auto. The Edge automatically selects an interface that has the 'Advertise' field set as the source interface.
    7. From the Roles drop-down menu, select one of the following:
      • EDGE EVENT
      • FIREWALL EVENT
      • EDGE AND FIREWALL EVENT
    8. From the Syslog Level drop-down menu, select the Syslog severity level to configure. This level is a threshold: for example, if CRITICAL is configured, the SD-WAN Edge sends all events whose severity is critical, alert, or emergency.
      Note: By default, firewall event logs are forwarded with Syslog severity level INFO.

      The allowed Syslog severity levels are:

      • EMERGENCY
      • ALERT
      • CRITICAL
      • ERROR
      • WARNING
      • NOTICE
      • INFO
      • DEBUG
    9. Optionally, in the Tag text box, enter a tag for the syslog. The syslog tag can be used to differentiate the various types of events at the Syslog collector. The maximum allowed character length is 32, delimited by period.
    10. When configuring a Syslog collector with the FIREWALL EVENT or EDGE AND FIREWALL EVENT role, select the All Segments checkbox if you want the Syslog collector to receive firewall logs from all the segments. If the checkbox is not selected, the Syslog collector receives firewall logs only from the particular segment in which the collector is configured.
      Note: When the role is EDGE EVENT, the Syslog collector configured in any segment will receive Edge event logs by default.
  5. Click the + button to add another Syslog collector, or click Save Changes. The remote syslog collector is configured in the SD-WAN Orchestrator.
    Note: You can configure a maximum of two Syslog collectors per segment and 10 Syslog collectors per Edge. When the number of configured collectors reaches the maximum allowable limit, the + button is disabled.
    Note: Based on the selected role, the Edge exports the corresponding logs at the specified severity level to the remote syslog collector. If you want the SD-WAN Orchestrator auto-generated local events to be received at the Syslog collector, you must configure Syslog at the SD-WAN Orchestrator level by using the log.syslog.backend and log.syslog.upload system properties.
    To understand the format of a Syslog message for Firewall logs, see Syslog Message Format for Firewall Logs.

What to do next

SD-WAN Orchestrator allows you to enable the Syslog Forwarding feature at the profile and the Edge level. On the Firewall page of the Profile configuration, enable the Syslog Forwarding button if you want to forward firewall logs originating from enterprise SD-WAN Edges to the configured Syslog collectors.
Note: By default, the Syslog Forwarding button is available on the Firewall page of the Profile or Edge configuration, and is disabled.

For more information about Firewall settings at the profile level, see Configure Firewall for Profiles.