Forward Logs to AWS S3 Bucket

Learn how to forward logs from the Strata Logging Service to an Amazon Simple Storage Service (S3) bucket.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by PAN-OS or Panorama)
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • Strata Logging Service
  • You must have at least one of these licenses to use Strata Cloud Manager: Prisma Access, AIOps for NGFW Premium, Prisma SD-WAN
  • Amazon S3 bucket is created and configured
  • An IAM role with write access to Amazon S3 bucket
Configure the Strata Logging Service to forward browser logs, events, device attributes, and audit logs (for example, Prisma Access Browser data) in the Strata Logging Service to the AWS S3 bucket. This integration enables you to make use of the beneficial features that both Strata Logging Service and Amazon S3 offer for log management.
Strata Logging Service forwards logs to AWS S3 in JSON format. Each log file is compressed using Snappy before it is forwarded.
  1. Create and configure the Amazon S3 bucket in the AWS Management Console.
  2. Enable communication between Strata Logging Service and your AWS S3 bucket.
  3. Sign In to the hub.
  4. Select the Strata Logging Service instance that you want to configure for log forwarding.
    If you have multiple Strata Logging Service instances, click the Strata Logging Service tile and select an instance from the list of those available.
    If you're using Strata Cloud Manager to manage Strata Logging Service, click Settings > Strata Logging Service > Log Forwarding to forward logs to an external server.
  5. Select Log Forwarding > AWS S3 > + to add a new Amazon S3 profile in Strata Logging Service.
  6. Configure the log forwarding profile to forward logs to the AWS S3 bucket.
    1. Enter a descriptive Name for the profile.
    2. Enter the name of the configured Amazon S3 bucket that is used as the storage container for your forwarded log data. You can get the name from the Amazon Console.
    3. Enter the geographic region (regional code) where the Amazon S3 bucket is located.
    4. Select the external identification method to authenticate the Amazon S3 bucket.
      • IAM Role
        • IAM Role ARN - The Amazon Resource Name (ARN) of the role that has access to the Amazon S3 bucket. The IAM Role ARN needs to be in the following format:
          arn:partition:service:region:account-id:resource-type:resource-id
        • External ID - The external identifier that you defined while linking the IAM role to your Amazon account.
      • Access Key - If you have created a long-term access key to authenticate your AWS account, enter the key and secret password here.
        • To create an access key for the Amazon S3 bucket:
          1. Log in to AWS Management Console with your AWS account ID.
          2. On the Console Home page, select the IAM service.
          3. Select Users and then select Create user from the navigation pane.
          4. On the Specify user details page, enter the name for the new user.
          5. Do not select Provide user access to the – AWS Management Console and click Next.
          6. Set Permissions for the user. Here is a sample of the JSON code to set the permission boundaries in the policy:
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "s3:PutObject",
                  "Resource": [
                    "arn:aws:s3:::DOC-EXAMPLE-BUCKET1",
                    "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"
                  ]
                }
              ]
            }
          7. Review the selection and create the user.
          8. In the Summary page, select Security credentials > Create Access Key.
          9. Select the Third-party service option as the reason for enabling the access key and confirm the recommendation to create the access key.
          10. Retrieve the access key and use it while configuring the log forwarding.
  7. Test Connection to ensure that the Strata Logging Service can communicate with the receiver.
    This sends an empty log to the sls_test_events folder in the configured destination to verify that transmission is possible.
    If the test fails, you won't be able to proceed.
  8. Click Next.
  9. Specify the Payload Format as JSON - the log format in which the Strata Logging Service forwards logs.
  10. (Optional) To receive a STATUS NOTIFICATION when the Strata Logging Service is unable to connect to the Amazon S3 bucket, enter the email address at which you’d like to receive the notification.
    You will continue to receive these notifications at least once every 60 minutes until connectivity is restored. If the connectivity issue is addressed within 72 hours, no logs will be lost. However, service disconnection could lead to the loss of any logs older than 72 hours.
  11. Add the type of log you want to forward and optionally write a query to create a filter that forwards only the logs that are most critical to you. Save your changes.
    If you want to forward all logs of the type you selected, do not enter a query.
  12. Save your changes.
  13. Verify that the Status of your forwarding profile is Running.
  14. Verify that the logs are forwarded to the destination location. This is a sample path:
    /Amazon S3 bucket location > folder name > logsource.logtype > year > month > date
  15. (Optional) You can use the running Amazon S3 forwarding profile to forward past logs spanning up to 3 days.
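
A least-privilege check for the two credential options in step 6, added here as an example and not taken from Palo Alto Networks or AWS: it flags permissions beyond s3:PutObject on the log bucket, and role trust statements that do not require the External ID. The function names, the account ID 111122223333 and the trust-policy sample are constructed for illustration; the sts:AssumeRole statement shape is standard IAM and does not come from this page.

```python
ALLOWED_ACTIONS = {"s3:putobject"}  # IAM action names are case-insensitive

def _as_list(value):
    """Statement, Action, Resource and condition values may be single or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_write_policy(policy, bucket):
    """Findings for Allow statements broader than s3:PutObject on `bucket`."""
    findings, arn = [], f"arn:aws:s3:::{bucket}"  # assumes the "aws" partition
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: {action} is not needed to write logs")
        for res in _as_list(stmt.get("Resource")):
            if res != arn and not res.startswith(arn + "/"):
                findings.append(f"statement {i}: {res} reaches beyond {bucket}")
    return findings

def audit_trust_policy(trust, external_id):
    """Findings for sts:AssumeRole grants not pinned to `external_id`."""
    findings = []
    for i, stmt in enumerate(_as_list(trust.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if external_id not in _as_list(cond.get("sts:ExternalId")):
            findings.append(f"statement {i}: AssumeRole is not restricted by External ID")
    return findings

# The sample permissions policy from step 6, then two constructed documents.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "s3:PutObject", "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET1",
                                           "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"]}]}
BROAD_POLICY = {"Statement": {"Effect": "Allow", "Action": ["s3:PutObject", "s3:*"],
                              "Resource": "arn:aws:s3:::*"}}
OPEN_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}

if __name__ == "__main__":
    print(audit_write_policy(BROAD_POLICY, "DOC-EXAMPLE-BUCKET1"))
```

An empty list means the document grants nothing beyond what log forwarding needs; run the same check against the policy attached to the access-key user or the IAM role before saving the profile.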
