In an Enterprise network, SASE Orchestrator supports collection of SASE Orchestrator bound events and firewall logs originating from enterprise SD-WAN Edge to one or more centralized remote syslog collectors (Servers), in native syslog format. At the Edge level, you can override the syslog settings specified in the Profile by selecting the Enable Edge Override checkbox.

To override the Syslog settings at the Edge level, perform the following steps.


  • Ensure that Cloud VPN (branch-to-branch VPN settings) is configured for the SD-WAN Edge (from where the SASE Orchestrator bound events are originating) to establish a path between the SD-WAN Edge and the Syslog collectors. For more information, see Configure Cloud VPN for Profiles.


  1. In the SD-WAN Service of the Enterprise portal, go to Configure > Edges. The Edges page displays the existing Edges.
  2. Click the link to an Edge or click the View link in the Device column of the Edge that you want to override.
    The configuration options for the selected Edge are displayed in the Device tab.
  3. From the Segment drop-down menu, select a profile segment to configure syslog settings. By default, Global Segment is selected.
  4. Scroll down to the Telemetry category and go to the Syslog area and select the Override check box.
  5. From the Source Interface drop-down menu, select one of the Edge interface configured in the segment as the source interface.

    When the Edge transmits the traffic, the packet header will have the IP address of the selected source interface, whereas the packets can be sent through any interface based on the destination route.

  6. Override the other syslog settings specified in the Profile associated with the Edge by following the Step 4 in Configure Syslog Settings for Profiles.
  7. Click the + ADD button to add another Syslog collector or else click Save Changes. The syslog settings for the edge will be overridden.
    Note: You can configure a maximum of two Syslog collectors per segment and 10 Syslog collectors per Edge. When the number of configured collectors reaches the maximum allowable limit, the + button will be deactivated.
    Note: Based on the selected role, the edge exports the corresponding logs in the specified severity level to the remote syslog collector. If you want the SASE Orchestrator auto-generated local events to be received at the Syslog collector, you must configure Syslog at the SASE Orchestrator level by using the log.syslog.backend and log.syslog.upload system properties.
    To understand the format of a Syslog message for Firewall logs, see Syslog Message Format for Firewall Logs.

What to do next

On the Firewall page of the Edge configuration, enable the Syslog Forwarding button if you want to forward firewall logs originating from enterprise SD-WAN Edge to configured Syslog collectors.
Note: By default, the Syslog Forwarding button is available on the Firewall page of the Profile or Edge configuration, and is deactivated.

For more information about Firewall settings at the Edge level, see Configure Edge Firewall.