Add a Log Collector to the Panorama™ management server to forward logs from your
managed firewalls for centralized monitoring.
To enable the Panorama management server to
manage a Log Collector, you must add it as a managed collector.
Log Collectors support communication using a public or private IPv4
or IPv6 address only, including when you configure custom certificates
for mutual authentication.
You can add two types of managed
collectors:
Dedicated Log Collector—To set up a new M-700, M-600, M-500, M-300, or M-200 appliance or
a Panorama virtual appliance as a Log Collector to switch an existing
M-Series appliance or Panorama virtual appliance from Panorama mode to Log
Collector mode, you must
Set Up the M-Series Appliance as a Log
Collector. Keep in mind that switching from Panorama Mode to Log
Collector Mode removes the local Log Collector that is predefined on the
M-Series appliance in Panorama mode.
Local Log Collector—A Log Collector can run locally
on a M-700, M-600, M-500, M-300, or M-200 appliance or a Panorama
virtual appliance in Panorama mode. On the M-Series appliances,
the Log Collector is predefined; on the virtual appliance, you must
add the Log Collector. When the Panorama management server has a
high availability (HA) configuration, each HA peer can have a local
Log Collector. However, relative to the primary Panorama, the Log
Collector on the secondary Panorama is remote, not local. Therefore,
to use the Log Collector on the secondary Panorama, you must manually
add it to the primary Panorama (for details, see
Deploy
Panorama M-Series Appliances with Local Log Collectors or
Deploy
Panorama Virtual Appliances with Local Log Collectors). If
you delete a local Log Collector, you can later add it back. The
following steps describe how to add a local Log Collector.
A
device registration authentication key is used to securely authenticate
and connect the Panorama management server and the managed collector
on first connect. To configure the device registration authentication
key, specify the key lifetime and the number of times you can use
the authentication key to onboard new Log Collectors. Additionally,
you can specify one or more Log Collector serial numbers for which
the authentication key is valid.
The authentication key expires
90 days after the key lifetime expires. After 90 days, you are prompted
to re-certify the authentication key to maintain its validity. If
you do not re-certify, then the authentication key becomes invalid.
A system log is generated each time a Log Collector uses the Panorama-generated
authentication key. The Log Collector uses the authentication key
to authenticate Panorama when it delivers the device certificate
that is used for all subsequent communications.
As a best practice, retain a local Log
Collector and Collector Group on the Panorama management server,
regardless whether it manages Dedicated Log Collectors.
For Dedicated Log Collectors running a PAN-OS 10.1 release, Panorama running PAN-OS 11.1 supports
onboarding Dedicated Log Collectors running PAN-OS 10.1.3 or later release only.
You cannot add a Dedicated Log Collector running PAN-OS 10.1.2 or earlier PAN-OS
10.1 release to Panorama management if Panorama is running PAN-OS 11.0.
Panorama supports
onboarding Dedicated Log Collectors running the following releases:
There is no impact to Dedicated Log Collectors already managed by Panorama on upgrade to PAN-OS
10.2 or later release.