Strata Logging Service
Start Sending Logs to Strata Logging Service
Table of Contents
Start Sending Logs to Strata Logging Service
Strata Logging Service
Set up your firewalls to send logs to
Strata Logging Service
.Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Before you send logs to
Strata Logging Service
, you must:- Install a supported PAN-OS® version
- Activate- ActivatingStrata Logging ServiceStrata Logging Serviceincludes provisioning the certificate that the firewalls need to securely connect toStrata Logging Service.
- Onboard firewalls toStrata Logging Servicewith or without Panorama
After you complete these steps, configure your firewalls to send logs to the service.
You’ll specify the log types you want to forward and also take steps to make sure
that the traffic between the firewall and
Strata Logging Service
remains
secure. The work flow to send log data to Strata Logging Service
differs
based on the log sources:Log Source | See... |
|---|---|
Panorama-managed firewalls | |
Individually managed firewalls | |
Prisma Access | |
Panorama
Learn how to send logs to
Strata Logging Service
from your Panorama-managed
firewalls.The following task describes how to start sending logs.
- Specify the log types to send toStrata Logging Service.The way you enable sending depends on the log type. For logs that are generated based on a policy match, use a log forwarding profile within a device group. For other log types, use the Log Settings configuration within a template.
- To configure sending of System, Configuration, User-ID, and HIP Match logs:
- Select .
- Select theTemplatethat contains the firewalls from which you want to send logs toStrata Logging Service.
- For each log type that you want to send toStrata Logging Service,Adda match list filter. Give it aName, optionally define aFilter, selectPanorama/Logging Service, and clickOK.
- To configure sending of all other log types that are generated when a policy match occurs, such as Traffic or Threat logs, create and attach a Log Forwarding profile to each policy rule for which you want to send logs.
- Select theDevice Groupand then select toAdda profile. In the log forwarding profile match list, add each log type that you want to send.If you enabled the Enhanced Application Logs feature, then fullyEnable enhanced application logging toStrata Logging Serviceon the firewall to send these log types. When you select this option, match lists that specify the log types required for enhanced application logging are automatically added to the profile.
- SelectPanorama/as the Forward Method to enable the firewalls in the device group to send logs so you can monitor the logs and generate reports from Panorama.Strata Logging Service
- Create basic Security policy rules in the device group.Until the firewall has interfaces and zones and a basic Security policy, it will not let any traffic through and, by default, will log only traffic that matches a Security policy rule.
- For each rule you create, selectActionsand select the Log Forwarding profile that allows the firewall to send logs toStrata Logging Service.
- (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.As of PAN-OS 10.1, you can no longer forward system logs using the Management interface or using service routes through the Data Plane interfaces. The only way to forward system logs from a PA-7000 Series firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding Card (LFC).
- Select and clickAdd Interface.
- Select theSlotandInterface Name.
- Set theInterface TypetoLog Card.
- Enter theIP Address,Default Gateway, and (for IPv4 only)Netmask.
- SelectAdvancedand specify theLink Speed,Link Duplex, andLink State.These fields default toauto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommendedLink Speedfor any connection is1000(Mbps).
- ClickOKto save your changes.
- Commit your changes to Panorama and push them to the template and device group you created.
- Verify that the firewall logs are sent toStrata Logging Service.
- On Panorama 8.1.7 and later releases, select and review the From Logging Service column to identify whether the logs that you view on Panorama are stored onStrata Logging Service—yesindicates that the logs are saved toStrata Logging Service.
Use the CLI commandrequest logging-service-forwarding statusfor detailed information on the connectivity status toStrata Logging Serviceand to verify whether you enabled Duplicate Log Forwarding or Enhanced Application Logs. - On a firewall, enter the CLI commandshow logging-status:
Look for the----------------------------------------------------------------------------------------------------------------------------- Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded ----------------------------------------------------------------------------------------------------------------------------- > CMS 0 Not Sending to CMS 0 > CMS 1 Not Sending to CMS 1 >Log Collection Service 'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx config 2017/07/26 16:33:20 2017/07/26 16:34:09 323 321 2 system 2017/07/31 12:23:10 2017/07/31 12:23:18 13634645 13634637 84831 threat 2014/12/01 14:47:52 2017/07/26 16:34:24 557404252 557404169 93 traffic 2017/07/28 18:03:39 2017/07/28 18:03:50 3619306590 3619306590 1740 hipmatch Not Available Not Available 0 0 0 gtp-tunnel Not Available Not Available 0 0 0 userid Not Available Not Available 0 0 0 auth Not Available Not Available 0 0 0‘Log collection log forwarding agent’ is active and connected to <IP_address>line. You can also see that CMS 0 and CMS (the Log Collectors) are not receiving logs.On firewalls running PAN-OS 8.1.7 and later releases, you canShow Statusand clickStrata Logging Service) to verify that the firewall is connected and sending logs toStrata Logging Service.
- Use theACCon Panorama to monitor network activity.You can also select andRun Nowto generate reports on summary logs.
- (PAN-OS 10.0.2 or later and Cloud Services Plugin 1.8 or later) Generate scheduled reports onStrata Logging Servicedata.
- ArchiveStrata Logging Servicelogs by forwarding logs from to a Syslog server or email server for long-term storage, SOC, or internal audit.
Firewalls
Follow these steps to send logs from your firewalls to
Strata Logging Service
.Before you start sending logs to Cortex™ Data Lake, you must:
The following task describes how to start forwarding logs to
Strata Logging Service
from firewalls that are not managed by Panorama™.
You’ll specify the log types you want to forward and also take steps to make sure
that the traffic between the firewall and Strata Logging Service
remains
secure.- If you haven’t done so already,ActivateandStrata Logging Serviceonboard firewalls to.Strata Logging Service
- InStrata Logging Serviceapp, clickInventory > Firewalland enablestore log dataif you want to store logs from firewall.
- Specify the log types to forward toStrata Logging Service.
- To forward System, Configuration, User-ID, and HIP Match logs:
- Select .
- For each log type that you want to forward toStrata Logging Service,Adda match list filter. Give it aName, optionally define aFilter, selectLogging Service, and clickOK.
- To forward log types that are generated when a policy match occurs—Traffic, Threat, WildFire®Submission, URL Filtering, Data Filtering, and Authentication logs—create and attach a Log Forwarding profile to each policy rule for which you want to forward logs.
- Select toAdda profile. In the log forwarding profile match list, add each log type that you want to forward.If you enabled the Enhanced Application Logs feature, then fullyEnable enhanced application logging toStrata Logging Serviceon the firewall to forward these log types. When you enable this feature, the match lists that specify the log types required for enhanced application logging are automatically added to the profile.
- SelectLogging Serviceas the Forward Method to enable the firewalls in the device group to forward the logs toStrata Logging Service. You can monitor the logs and generate reports from Panorama.
- If you haven’t already done so, create basic Security policy rules.Until the firewall has interfaces and zones and a basic Security policy, it will not let any traffic through and, by default, only traffic that matches a Security policy rule will be logged.
- For each rule you create, selectActionsand select the Log Forwarding profile that allows the firewall to send logs toStrata Logging Service.
- (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.As of PAN-OS 10.1, you can no longer forward system logs using the Management interface or using service routes through the Data Plane interfaces. The only way to forward system logs from a PA-7000 Series firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding Card (LFC).
- Select and clickAdd Interface.
- Select theSlotandInterface Name.
- Set theInterface TypetoLog Card.
- Enter theIP Address,Default Gateway, and (for IPv4 only)Netmask.
- SelectAdvancedand specify theLink Speed,Link Duplex, andLink State.These fields default toauto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommendedLink Speedfor any connection is1000(Mbps).
- ClickOKto save your changes.
- Commityour changes.
- Verify that the firewall logs are forwarded toStrata Logging Service.
- Click theExplore tab inStrata Logging Serviceapp, so that you can view and filterStrata Logging Servicelogs.
- On a firewall, enter the CLI commandrequest logging-service-forwarding statusto view detailed information on the connectivity status toStrata Logging Service:
Look for the----------------------------------------------------------------------------------------------------------------------------- Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded ----------------------------------------------------------------------------------------------------------------------------- > CMS 0 Not Sending to CMS 0 > CMS 1 Not Sending to CMS 1 >Log Collection Service 'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx config 2017/07/26 16:33:20 2017/07/26 16:34:09 323 321 2 system 2017/07/31 12:23:10 2017/07/31 12:23:18 13634645 13634637 84831 threat 2014/12/01 14:47:52 2017/07/26 16:34:24 557404252 557404169 93 traffic 2017/07/28 18:03:39 2017/07/28 18:03:50 3619306590 3619306590 1740 hipmatch Not Available Not Available 0 0 0 gtp-tunnel Not Available Not Available 0 0 0 userid Not Available Not Available 0 0 0 auth Not Available Not Available 0 0 0‘Log collection log forwarding agent’ is active and connected to <IP_address>line. You can also see that CMS 0 and CMS (the Log Collectors) are not receiving logs.Show Status( and clickStrata Logging Service) to verify that the firewall is connected and sending logs toStrata Logging Service.
- Next steps:
- Use Explore tab to search, filter, and export log data. Explore offers you critical visibility into the network activity in your enterprise by enabling you to easily examine network and endpoint log data.
- ArchiveStrata Logging Servicelogs byforwarding logs fromto a Syslog server or email server for long-term storage, SOC, or internal audit.Strata Logging Service