Cortex Data Lake Log Types
You can store these types of logs in Cortex Data Lake. In the Cortex Data Lake app, you can set how much of your overall log storage you want to allocate to the following log types:

Log Type | Description |
---|---|
Common Logs | |
config | Configuration logs—entries for changes to the firewall configuration. |
system | System logs—entries for each system event on the firewall. |
Firewall Logs | |
auth | Authentication logs—information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication Policy rules. |
dns_security | DNS Security logs—information from two sources. The DNS Security log data in Cortex Data Lake represents only a subset of all DNS requests and responses detected in your network; to view all malicious DNS requests, check the threat logs. Cortex Data Lake does not store dns_security logs automatically. To begin storing them, you must set the quota for dns_security to a value greater than 0. The Cortex Data Lake Estimator does not yet support DNS Security logs, so you must calculate log storage manually. The average size of a DNS Security log is approximately 833 bytes. |
eal | Enhanced application logs—data that increases visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR and IoT Security. Cortex Data Lake only streams these logs to other applications and does not store them, so they do not use storage space. |
extpcap | Extended packet capture—packet captures in a proprietary Palo Alto Networks format. The firewall only collects these if you enable extended capture in Vulnerability Protection or Anti-Spyware profiles. |
file_data | Data filtering logs—entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. |
globalprotect | |
hipMatch | HIP Match logs—information about the security status of the end devices accessing your network. |
iptag | IP-Tag logs—how and when a source IP address is registered or unregistered on the firewall and what tag the firewall applied to the address. |
sctp | Stream Control Transmission Protocol logs—events and associations based on logs generated by the firewall while it performs stateful inspection, protocol validation, and filtering of SCTP traffic. |
threat | Threat logs—entries generated when traffic matches one of the Security Profiles attached to a security rule on the firewall. |
traffic | Traffic logs—entries for the start and end of each session. |
tunnel | Tunnel Inspection logs—entries of non-encrypted tunnel sessions. |
url | URL Filtering logs—entries for traffic that matches the URL Filtering profile attached to a security policy rule. |
userid | User-ID logs—information about IP address-to-username mappings and Authentication Timestamps, such as the sources of the mapping information and the times when users authenticated. |
decryption | Decryption logs—information about sessions that match a Decryption policy to help you gain context about that traffic so you can accurately and easily diagnose and resolve decryption issues. |
ztna_agent | Reserved for future use. |