Activate Strata Logging Service - Activating Strata Logging Service includes provisioning the certificate that the
firewalls need to securely connect to Strata Logging Service.
After you complete these steps, configure your firewalls to send logs to the service.
You’ll specify the log types you want to forward and also take steps to make sure
that the traffic between the firewall and Strata Logging Service remains
secure. The workflow to send log data to Strata Logging Service differs based
on the log sources:
Learn how to send logs to Strata Logging Service from your Panorama-managed
firewalls.
The following task describes how to start sending logs.
Specify the log types to send to Strata Logging Service.
The way you enable sending depends on the log type. For logs that are
generated based on a policy match, use a log forwarding profile within a
device group. For other log types, use the Log Settings configuration within
a template.
To configure sending of System, Configuration, User-ID, and HIP Match
logs:
Select Device > Log Settings.
Select the Template that contains the
firewalls from which you want to send logs to Strata Logging Service.
For each log type that you want to send to Strata Logging Service, Add a
match list filter. Give it a Name,
optionally define a Filter, select
Panorama/Cloud Logging, and click
OK.
To configure sending of all other log types that are generated when a
policy match occurs, such as Traffic or Threat logs, create and attach a
Log Forwarding profile to each policy rule for which you want to send
logs.
Select the Device Group and then
select Objects > Log Forwarding to Add a profile. In
the log forwarding profile match list, add each log type
that you want to send.
(Optional) If you enabled the Enhanced Application
Logs feature, then fully Enable
enhanced application logs in cloud logging (Strata Logging Service) on the
firewall to send these log types. When you select this
option, match lists that specify the log types required for
enhanced application logging are automatically added to the
profile.
Add the log forwarding profile match list for each log type -
click Add > Log Forwarding profile Match
List and select the log type you want to
forward.
Select Panorama/Cloud Logging as the Forward Method to
enable the firewalls in the device group to send logs so you
can monitor the logs and generate reports from Panorama.
Until the firewall has interfaces and zones and a basic
Security policy, it will not let any traffic through and, by
default, will log only traffic that matches a Security
policy rule.
For each rule you create, select
Actions and select the Log
Forwarding profile that allows the firewall to send logs to
Strata Logging Service.
(PA-7000 Series firewalls only) Configure a log card interface to
perform log forwarding.
As of PAN-OS 10.1, you can no longer forward system logs using the
Management interface or using service routes through the Data Plane
interfaces. The only way to forward system logs from a PA-7000 Series
firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding
Card (LFC).
Select Network > Interfaces > Ethernet and click Add Interface.
Select the Slot and Interface
Name.
Set the Interface Type to Log
Card.
Enter the IP Address, Default
Gateway, and (for IPv4 only)
Netmask.
Select Advanced and specify the Link
Speed, Link Duplex, and
Link State.
These fields default to auto, which
specifies that the firewall automatically determines the values
based on the connection. However, the minimum recommended
Link Speed for any connection is
1000 (Mbps).
Click OK to save your changes.
Commit your changes to Panorama and push them to the
template and device group you created.
Verify that the firewall logs are sent to Strata Logging Service.
On Panorama 8.1.7 and later releases, select Monitor > Logs and review the From Strata Logging Service
column to identify whether the logs that you view on Panorama are
stored on Strata Logging Service—yes indicates that the logs are
saved to Strata Logging Service.
Use the CLI command request logging-service-forwarding status for detailed
information on the connectivity status to Strata Logging Service and to verify whether you enabled
Duplicate Log Forwarding or Enhanced Application
Logs.
On a firewall, enter the CLI command show logging-status:
-----------------------------------------------------------------------------------------------------------------------------
Type        Last Log Created     Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked  Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
>Log Collection Service
'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx
config      2017/07/26 16:33:20  2017/07/26 16:34:09  323                 321                 2
system      2017/07/31 12:23:10  2017/07/31 12:23:18  13634645            13634637            84831
threat      2014/12/01 14:47:52  2017/07/26 16:34:24  557404252           557404169           93
traffic     2017/07/28 18:03:39  2017/07/28 18:03:50  3619306590          3619306590          1740
hipmatch    Not Available        Not Available        0                   0                   0
gtp-tunnel  Not Available        Not Available        0                   0                   0
userid      Not Available        Not Available        0                   0                   0
auth        Not Available        Not Available        0                   0                   0
Look for the ‘Log Collection log forwarding agent’ is active and connected to
<IP_address> line. You can also see that CMS 0 and CMS 1 (the Log Collectors) are
not receiving logs.
On firewalls running PAN-OS 8.1.7 and later releases, you can
Show Status (Device > Setup > Management and click Strata Logging Service) to
verify that the firewall is connected and sending logs to Strata Logging Service.
You can also select Monitor > Manage Custom Reports and Run Now to generate reports on
summary logs.
Or
Log in to the hub, launch Strata Logging Service, and click
Explore to view the logs.
(PAN-OS 10.0.2 or later and Cloud Services Plugin 1.8 or later) Generate scheduled reports on Strata Logging Service data.
Archive Strata Logging Service logs by forwarding logs from Strata Logging Service to a Syslog server or email server for long-term
storage, SOC, or internal audit.
PAN-OS
Follow these steps to send logs from your firewalls to Strata Logging Service.
Before you start sending logs to Strata Logging Service, you must:
The following task describes how to start forwarding logs to Strata Logging Service from firewalls that are not managed by Panorama™.
You’ll specify the log types you want to forward and also take steps to make sure
that the traffic between the firewall and Strata Logging Service remains
secure.
In the Strata Logging Service app, click Inventory > Firewall
and enable store log data if you want to store logs from the
firewall.
Specify the log types to forward to Strata Logging Service.
To forward System, Configuration, User-ID, and HIP Match logs:
Select Device > Log Settings.
For each log type that you want to forward to Strata Logging Service, Add a
match list filter. Give it a Name,
optionally define a Filter, select
Cloud Logging, and click
OK.
To forward log types that are generated when a policy match
occurs—Traffic, Threat, WildFire® Submission, URL Filtering,
Data Filtering, and Authentication logs—create and attach a Log
Forwarding profile to each policy rule for which you want to forward
logs.
Select Objects > Log Forwarding to Add a profile. In
the log forwarding profile match list, add each log type
that you want to forward.
If you enabled the Enhanced Application
Logs feature, then fully Enable
enhanced application logs to cloud logging
on the firewall to forward these log types. When you enable
this feature, the match lists that specify the log types
required for enhanced application logging are automatically
added to the profile.
Select Cloud Logging as the Forward
Method to enable the firewalls in the device group to
forward the logs to Strata Logging Service. You can
monitor the logs and generate reports from Panorama.
Until the firewall has interfaces and zones and a basic
Security policy, it will not let any traffic through and, by
default, only traffic that matches a Security policy rule
will be logged.
For each rule you create, select
Actions and select the Log
Forwarding profile that allows the firewall to send logs to
Strata Logging Service.
(PA-7000 Series firewalls only) Configure a log card interface to
perform log forwarding.
As of PAN-OS 10.1, you can no longer forward system logs using the
Management interface or using service routes through the Data Plane
interfaces. The only way to forward system logs from a PA-7000 Series
firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding
Card (LFC).
Select Network > Interfaces > Ethernet and click Add Interface.
Select the Slot and Interface
Name.
Set the Interface Type to Log
Card.
Enter the IP Address, Default
Gateway, and (for IPv4 only)
Netmask.
Select Advanced and specify the Link
Speed, Link Duplex, and
Link State.
These fields default to auto, which
specifies that the firewall automatically determines the values
based on the connection. However, the minimum recommended
Link Speed for any connection is
1000 (Mbps).
Click OK to save your changes.
Commit your changes.
Verify that the firewall logs are forwarded to Strata Logging Service.
Click the Explore tab in the Strata Logging Service app so that you can view and filter
Strata Logging Service logs.
On a firewall, enter the CLI command request logging-service-forwarding status to view detailed
information on the connectivity status to Strata Logging Service:
-----------------------------------------------------------------------------------------------------------------------------
Type        Last Log Created     Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked  Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
>Log Collection Service
'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx
config      2017/07/26 16:33:20  2017/07/26 16:34:09  323                 321                 2
system      2017/07/31 12:23:10  2017/07/31 12:23:18  13634645            13634637            84831
threat      2014/12/01 14:47:52  2017/07/26 16:34:24  557404252           557404169           93
traffic     2017/07/28 18:03:39  2017/07/28 18:03:50  3619306590          3619306590          1740
hipmatch    Not Available        Not Available        0                   0                   0
gtp-tunnel  Not Available        Not Available        0                   0                   0
userid      Not Available        Not Available        0                   0                   0
auth        Not Available        Not Available        0                   0                   0
Look for the ‘Log Collection log forwarding agent’ is
active and connected to <IP_address> line. You
can also see that CMS 0 and CMS 1 (the Log Collectors) are not
receiving logs.
Show Status (Device > Setup > Management and click Strata Logging Service) to
verify that the firewall is connected and sending logs to Strata Logging Service.
Next steps:
Use the Explore tab to search, filter,
and export log data. Explore offers you critical visibility into the
network activity in your enterprise by enabling you to easily examine
network and endpoint log data.
The following task describes how to start forwarding logs to Strata Logging Service from firewalls that are managed by Strata Cloud Manager.
Click Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy.
Edit the Log Settings > Logging in Strata Logging Service
and select Log at the Session Start/End
depending on your use case. By default, all Security policy rules have logging to Strata Logging Service enabled unless you explicitly disabled it.
Device logs and EAL logs are forwarded to Strata Logging Service by
default.
To forward log types that are generated when a policy match occurs—Traffic,
Threat, WildFire® Submission, URL Filtering, Data Filtering, and
Authentication logs—create a Log Forwarding profile for each policy rule for
which you want to forward logs. Click External Log Forwarding > Create New.
In the log forwarding profile match list, add each log type that you want to
forward.
Verify that the firewall logs are forwarded to Strata Logging Service.
Click Incidents and Alerts > Log Viewer in
Strata Cloud Manager so that you can view and filter Strata Logging Service logs.