Configure Log Forwarding from Panorama to External Destinations
Panorama enables you to forward logs to external services, including syslog, email, SNMP trap, and HTTP-based services. Using an external service enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. In addition to forwarding firewall logs, you can forward the logs that the Panorama management server and Log Collectors generate. The Panorama management server or Log Collector that forwards the logs converts them to a format appropriate for the destination (syslog message, email notification, SNMP trap, or HTTP payload). Forwarded logs have a maximum log record size of 4,096 bytes: a log record larger than that is truncated at 4,096 bytes, while records that do not exceed the maximum are forwarded unchanged.
Log forwarding is supported only for supported log fields. Forwarding logs that contain unsupported log fields or pseudo-fields causes the firewall to crash.
If your Panorama management server is a Panorama virtual appliance in Legacy mode, it converts and forwards logs to external services without using Log Collectors.
You can also forward logs directly from firewalls to external services: see Log Forwarding Options.
On a Panorama virtual appliance running Panorama 5.1 or earlier releases, you can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another Panorama virtual appliance. A Panorama virtual appliance running Panorama 6.0 or later releases, and M-Series appliances running any release, do not support these options because the log database on those models is too large for an export or import to be practical.
To forward logs to external services, start by configuring the firewalls to forward logs to Panorama. Then you must configure the server profiles that define how Panorama and Log Collectors connect to the services. Lastly, you assign the server profiles to the log settings of Panorama and to Collector Groups.
  1. Configure the firewalls to forward logs to Panorama.
  2. Configure a server profile for each external service that will receive log information.
    1. Select Panorama > Server Profiles and select the type of server that will receive the log data: SNMP Trap, Syslog, Email, or HTTP.
    2. Configure the server profile:
  3. Configure destinations for:
    • Logs that the Panorama management server and Log Collectors generate.
    • Firewall logs that a Panorama virtual appliance in Legacy mode collects.
    1. Select Panorama > Log Settings.
    2. Add one or more match list profiles for each log type.
      The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
      1. Enter a Name to identify the profile.
      2. Select the Log Type.
      3. In the Filter drop-down, select Filter Builder. Specify the following and then Add each query:
        • Connector logic (and/or)
        • Log Attribute
        • Operator to define inclusion or exclusion logic
        • Attribute Value for the query to match
      4. Add the server profiles you configured for each external service.
      5. Click OK to save the profile.
  4. Configure destinations for firewall logs that Log Collectors receive.
    Each Collector Group can forward logs to different destinations. If the Log Collectors are local to a high availability (HA) pair of Panorama management servers, you must log into each HA peer to configure log forwarding for its Collector Group.
    1. Select Panorama > Collector Groups and edit the Collector Group that receives the firewall logs.
    2. (Optional, SNMP trap forwarding only) Select Monitoring and configure the SNMP settings.
    3. Select Collector Log Forwarding and Add configured match list profiles as necessary.
    4. Click OK to save your changes to the Collector Group.
  5. (Syslog forwarding only) If the syslog server requires client authentication and the firewalls forward logs to Dedicated Log Collectors, assign a certificate that secures syslog communication over SSL.
    Perform the following steps for each Dedicated Log Collector:
    1. Select Panorama > Managed Collectors and edit the Log Collector.
    2. Select the Certificate for Secure Syslog and click OK.
  6. (SNMP trap forwarding only) Enable your SNMP manager to interpret traps.
    Load the Supported MIBs and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.
  7. Commit and verify your configuration changes.
    1. Select Commit > Commit and Push to commit your changes to Panorama and push the changes to device groups, templates, and Collector Groups.
    2. Verify that the external services are receiving the log information:
      • Email server: Verify that the specified recipients are receiving logs as email notifications.
      • Syslog server: Refer to the documentation for your syslog server to verify it's receiving logs as syslog messages.
      • SNMP manager: Refer to the documentation for your SNMP trap server to verify it's receiving logs as SNMP traps.
      • HTTP server: Verify that the HTTP-based server is receiving logs in the correct payload format.
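As an added illustration of the syslog verification step and the 4,096-byte record cap described above (example code written for this page, not Palo Alto Networks' or the original page's code): a small Python checker that decodes the syslog PRI header of each received record and flags any record sitting at the cap, since a record of exactly 4,096 bytes is the signature of Panorama truncation. The function names `parse_record` and `audit_records` and the sample records are constructed for the example; the PAN-OS log body format itself is not modelled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RECORD_BYTES = 4096  # Panorama truncates forwarded log records at this size
_PRI_RE = re.compile(rb"^<(\d{1,3})>")  # syslog "<PRI>" header, PRI = facility*8 + severity

@dataclass
class Record:
    facility: Optional[int]  # None when the PRI header is missing or out of range
    severity: Optional[int]  # 0 (emergency) .. 7 (debug)
    size: int                # bytes on the wire
    at_cap: bool             # size >= MAX_RECORD_BYTES: the record was likely truncated
    body: bytes              # message with the PRI header stripped

def parse_record(raw: bytes) -> Record:
    """Decode the PRI header and flag records that sit at the forwarding cap."""
    facility = severity = None
    body = raw
    m = _PRI_RE.match(raw)
    if m:
        pri = int(m.group(1))
        if pri <= 191:  # valid PRI values are 0..191
            facility, severity = divmod(pri, 8)
        body = raw[m.end():]
    return Record(facility, severity, len(raw), len(raw) >= MAX_RECORD_BYTES, body)

def audit_records(raws: List[bytes]) -> Dict[str, object]:
    """Summarise a received batch: total, bad PRI headers, records at the cap, severity mix."""
    recs = [parse_record(r) for r in raws]
    by_severity: Dict[int, int] = {}
    for r in recs:
        if r.severity is not None:
            by_severity[r.severity] = by_severity.get(r.severity, 0) + 1
    return {
        "total": len(recs),
        "bad_pri": sum(1 for r in recs if r.facility is None),
        "at_cap": sum(1 for r in recs if r.at_cap),
        "by_severity": by_severity,
    }

# Constructed sample records (not real Panorama output): a normal user-level notice,
# a record padded to exactly 4,096 bytes, and a line with no PRI header at all.
SAMPLE_RECORDS = [
    b"<14>panorama-lab constructed: system log forwarded from Panorama",
    b"<11>" + b"A" * (MAX_RECORD_BYTES - 4),
    b"malformed line without a PRI header",
]
```

Feed `audit_records` the raw lines your syslog server captured from Panorama; a non-zero `at_cap` count means some records were cut at 4,096 bytes and may be missing fields at the end, and a non-zero `bad_pri` count points at framing or transport problems rather than at Panorama.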
