Strata Logging Service
Start Sending Logs to Strata Logging Service
Set up your firewalls to send logs to Strata Logging Service.
Where Can I Use This? | What Do I Need? |
---|---|
| One of these:
|
Before you send logs to Strata Logging Service, you must:
- Install a supported PAN-OS® version
- Activate Strata Logging Service. Activating Strata Logging Service includes provisioning the certificate that the firewalls need to securely connect to Strata Logging Service.
- Onboard firewalls to Strata Logging Service with or without Panorama
After you complete these steps, configure your firewalls to send logs to the service.
You’ll specify the log types you want to forward and also take steps to make sure
that the traffic between the firewall and Strata Logging Service remains
secure. The workflow to send log data to Strata Logging Service differs
based on the log sources:
Log Source | See... |
---|---|
Panorama-managed firewalls | Start Sending Logs to Strata Logging Service (Panorama-Managed) |
Individually managed firewalls | Start Sending Logs to Strata Logging Service (Individually Managed) |
Prisma Access | Configure the Service Infrastructure |
Strata Cloud Manager | Strata Cloud Manager |
Panorama
Learn how to send logs to Strata Logging Service from your Panorama-managed
firewalls.
The following task describes how to start sending logs.
- Specify the log types to send to Strata Logging Service. The way you enable sending depends on the log type. For logs that are generated based on a policy match, use a log forwarding profile within a device group. For other log types, use the Log Settings configuration within a template.
  - To configure sending of System, Configuration, User-ID, and HIP Match logs:
    - Select Device > Log Settings.
    - Select the Template that contains the firewalls from which you want to send logs to Strata Logging Service.
    - For each log type that you want to send to Strata Logging Service, Add a match list filter. Give it a Name, optionally define a Filter, select Panorama/Cloud Logging, and click OK.
  - To configure sending of all other log types that are generated when a policy match occurs, such as Traffic or Threat logs, create and attach a Log Forwarding profile to each policy rule for which you want to send logs.
    - Select the Device Group and then select Objects > Log Forwarding to Add a profile. In the log forwarding profile match list, add each log type that you want to send.
    - (Optional) If you enabled the Enhanced Application Logs feature, then fully Enable enhanced application logs in cloud logging (Strata Logging Service) on the firewall to send these log types. When you select this option, match lists that specify the log types required for enhanced application logging are automatically added to the profile.
    - Add the log forwarding profile match list for each log type: click Add > Log Forwarding profile Match List and select the log type you want to forward.
    - Select Panorama/Cloud Logging as the Forward Method to enable the firewalls in the device group to send logs so you can monitor the logs and generate reports from Panorama.
    - Create basic Security policy rules in the device group. Until the firewall has interfaces and zones and a basic Security policy, it will not let any traffic through and, by default, will log only traffic that matches a Security policy rule.
    - For each rule you create, select Actions and select the Log Forwarding profile that allows the firewall to send logs to Strata Logging Service.
- (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding. As of PAN-OS 10.1, you can no longer forward system logs using the Management interface or using service routes through the Data Plane interfaces. The only way to forward system logs from a PA-7000 Series firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding Card (LFC).
  - Select Network > Interfaces > Ethernet and click Add Interface.
  - Select the Slot and Interface Name.
  - Set the Interface Type to Log Card.
  - Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
  - Select Advanced and specify the Link Speed, Link Duplex, and Link State. These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended Link Speed for any connection is 1000 (Mbps).
  - Click OK to save your changes.
- Commit your changes to Panorama and push them to the template and device group you created.
- Verify that the firewall logs are sent to Strata Logging Service.
  - On Panorama 8.1.7 and later releases, select Monitor > Logs and review the From Strata Logging Service column to identify whether the logs that you view on Panorama are stored on Strata Logging Service; yes indicates that the logs are saved to Strata Logging Service.
  - Use the CLI command request logging-service-forwarding status for detailed information on the connectivity status to Strata Logging Service and to verify whether you enabled Duplicate Log Forwarding or Enhanced Application Logs.
  - On a firewall, enter the CLI command show logging-status:

        -----------------------------------------------------------------------------------------------------------------------------
              Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded
        -----------------------------------------------------------------------------------------------------------------------------
        > CMS 0
                Not Sending to CMS 0
        > CMS 1
                Not Sending to CMS 1
        >Log Collection Service
        'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx
            config      2017/07/26 16:33:20     2017/07/26 16:34:09     323                 321                 2
            system      2017/07/31 12:23:10     2017/07/31 12:23:18     13634645            13634637            84831
            threat      2014/12/01 14:47:52     2017/07/26 16:34:24     557404252           557404169           93
            traffic     2017/07/28 18:03:39     2017/07/28 18:03:50     3619306590          3619306590          1740
            hipmatch    Not Available           Not Available           0                   0                   0
            gtp-tunnel  Not Available           Not Available           0                   0                   0
            userid      Not Available           Not Available           0                   0                   0
            auth        Not Available           Not Available           0                   0                   0

    Look for the ‘Log collection log forwarding agent’ is active and connected to <IP_address> line. You can also see that CMS 0 and CMS 1 (the Log Collectors) are not receiving logs.
  - On firewalls running PAN-OS 8.1.7 and later releases, you can Show Status (Device > Setup > Management and click Strata Logging Service) to verify that the firewall is connected and sending logs to Strata Logging Service.
- Use the ACC on Panorama to monitor network activity. You can also select Monitor > Manage Custom Reports and Run Now to generate reports on summary logs. Or log in to hub, launch Strata Logging Service, and click Explore to view the logs.
- (PAN-OS 10.0.2 or later and Cloud Services Plugin 1.8 or later) Generate scheduled reports on Strata Logging Service data.
- Archive Strata Logging Service logs by forwarding logs from Strata Logging Service to a Syslog server or email server for long-term storage, SOC, or internal audit.
PAN-OS
Follow these steps to send logs from your firewalls to Strata Logging Service.
Before you start sending logs to Strata Logging Service, you must:
- Onboard firewalls to Strata Logging Service
The following task describes how to start forwarding logs to Strata Logging Service from firewalls that are not managed by Panorama™. You’ll specify the log types you want to forward and also take steps to make sure that the traffic between the firewall and Strata Logging Service remains secure.
- In the Strata Logging Service app, click Inventory > Firewall and enable store log data if you want to store logs from the firewall.
- Specify the log types to forward to Strata Logging Service.
  - To forward System, Configuration, User-ID, and HIP Match logs:
    - Select Device > Log Settings.
    - For each log type that you want to forward to Strata Logging Service, Add a match list filter. Give it a Name, optionally define a Filter, select Cloud Logging, and click OK.
  - To forward log types that are generated when a policy match occurs (Traffic, Threat, WildFire® Submission, URL Filtering, Data Filtering, and Authentication logs), create and attach a Log Forwarding profile to each policy rule for which you want to forward logs.
    - Select Objects > Log Forwarding to Add a profile. In the log forwarding profile match list, add each log type that you want to forward.
    - If you enabled the Enhanced Application Logs feature, then fully Enable enhanced application logs to cloud logging on the firewall to forward these log types. When you enable this feature, the match lists that specify the log types required for enhanced application logging are automatically added to the profile.
    - Select Cloud Logging as the Forward Method to enable the firewalls in the device group to forward the logs to Strata Logging Service. You can monitor the logs and generate reports from Panorama.
    - If you haven’t already done so, create basic Security policy rules. Until the firewall has interfaces and zones and a basic Security policy, it will not let any traffic through and, by default, only traffic that matches a Security policy rule will be logged.
    - For each rule you create, select Actions and select the Log Forwarding profile that allows the firewall to send logs to Strata Logging Service.
- (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding. As of PAN-OS 10.1, you can no longer forward system logs using the Management interface or using service routes through the Data Plane interfaces. The only way to forward system logs from a PA-7000 Series firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding Card (LFC).
  - Select Network > Interfaces > Ethernet and click Add Interface.
  - Select the Slot and Interface Name.
  - Set the Interface Type to Log Card.
  - Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
  - Select Advanced and specify the Link Speed, Link Duplex, and Link State. These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended Link Speed for any connection is 1000 (Mbps).
  - Click OK to save your changes.
- Commit your changes.
- Verify that the firewall logs are forwarded to Strata Logging Service.
  - Click the Explore tab in the Strata Logging Service app to view and filter Strata Logging Service logs.
  - On a firewall, enter the CLI command request logging-service-forwarding status to view detailed information on the connectivity status to Strata Logging Service:

        -----------------------------------------------------------------------------------------------------------------------------
              Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded
        -----------------------------------------------------------------------------------------------------------------------------
        > CMS 0
                Not Sending to CMS 0
        > CMS 1
                Not Sending to CMS 1
        >Log Collection Service
        'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx
            config      2017/07/26 16:33:20     2017/07/26 16:34:09     323                 321                 2
            system      2017/07/31 12:23:10     2017/07/31 12:23:18     13634645            13634637            84831
            threat      2014/12/01 14:47:52     2017/07/26 16:34:24     557404252           557404169           93
            traffic     2017/07/28 18:03:39     2017/07/28 18:03:50     3619306590          3619306590          1740
            hipmatch    Not Available           Not Available           0                   0                   0
            gtp-tunnel  Not Available           Not Available           0                   0                   0
            userid      Not Available           Not Available           0                   0                   0
            auth        Not Available           Not Available           0                   0                   0

    Look for the ‘Log collection log forwarding agent’ is active and connected to <IP_address> line. You can also see that CMS 0 and CMS 1 (the Log Collectors) are not receiving logs.
  - Show Status (Device > Setup > Management and click Strata Logging Service) to verify that the firewall is connected and sending logs to Strata Logging Service.
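The status table from the verification steps in both the Panorama and PAN-OS procedures can be checked by script instead of by eye. This is an added example, not part of the Palo Alto Networks documentation: the sample text is constructed from the output above with a documentation IP address, and the function names, the thresholds, and the reading of the sequence-number gap as unacknowledged logs are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the status table shown above.
SAMPLE = """\
> CMS 0
        Not Sending to CMS 0
>Log Collection Service
'Log Collection log forwarding agent' is active and connected to 192.0.2.10
    system   2017/07/31 12:23:10  2017/07/31 12:23:18    13634645    13634637  84831
    threat   2014/12/01 14:47:52  2017/07/26 16:34:24   557404252   557404169     93
    traffic  2017/07/28 18:03:39  2017/07/28 18:03:50  3619306590  3619306590   1740
    userid   Not Available        Not Available                 0           0      0
"""

TS = r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d|Not Available)"
ROW = re.compile(rf"^\s*([\w-]+)\s+{TS}\s+{TS}\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
AGENT = re.compile(r"forwarding agent' is active and connected to (\S+)")

def _ts(text):
    return None if text == "Not Available" else datetime.strptime(text, "%Y/%m/%d %H:%M:%S")

def parse_status(output):
    """Return (collector address or None, {log type: parsed row})."""
    agent = AGENT.search(output)
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows[m[1]] = {"created": _ts(m[2]), "fwded": _ts(m[3]),
                          "seq_fwded": int(m[4]), "seq_acked": int(m[5])}
    return (agent.group(1) if agent else None), rows

def findings(output, expected_types, max_unacked=50, max_lag_s=300):
    """List problems for the log types you expect; both thresholds are assumed."""
    peer, rows = parse_status(output)
    out = [] if peer else ["forwarding agent is not reported as active and connected"]
    for log_type in sorted(expected_types):
        row = rows.get(log_type)
        if row is None or row["fwded"] is None:
            out.append(f"{log_type}: no log has been forwarded")
            continue
        # Assumption: forwarded minus acked sequence numbers = logs awaiting acknowledgement.
        unacked = row["seq_fwded"] - row["seq_acked"]
        if unacked > max_unacked:
            out.append(f"{log_type}: {unacked} forwarded logs not acknowledged")
        if row["created"] and (row["created"] - row["fwded"]).total_seconds() > max_lag_s:
            out.append(f"{log_type}: newest log is over {max_lag_s}s newer than the last forward")
    return out
```

Pass only the log types you configured for forwarding as `expected_types`, so that types you never enabled (shown as Not Available) do not raise findings.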
Next steps:
- Use the Explore tab to search, filter, and export log data. Explore offers you critical visibility into the network activity in your enterprise by enabling you to easily examine network and endpoint log data.
- Archive Strata Logging Service logs by forwarding logs from Strata Logging Service to a Syslog server or email server for long-term storage, SOC, or internal audit.
Strata Cloud Manager
Send logs from Strata Cloud Manager to Strata Logging Service.
Before you start sending logs to Strata Logging Service, you must:
- Onboard firewalls to Strata Logging Service
The following task describes how to start forwarding logs to Strata Logging Service from firewalls that are managed by Strata Cloud Manager.
- Click Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy. Edit the Log Settings > Logging in Strata Logging Service and select Log at the Session Start/End depending on your use case. By default, all Security policy rules have Logging to Strata Logging Service enabled, unless you explicitly disabled it.
- Device logs and EAL logs are forwarded to Strata Logging Service by default.
- To forward log types that are generated when a policy match occurs (Traffic, Threat, WildFire® Submission, URL Filtering, Data Filtering, and Authentication logs), create a Log Forwarding profile for each policy rule for which you want to forward logs. Click External Log Forwarding > Create New.
- In the log forwarding profile match list, add each log type that you want to forward.
- Verify that the firewall logs are forwarded to Strata Logging Service.
  - Click Incidents and Alerts > Log Viewer in Strata Cloud Manager to view and filter Strata Logging Service logs.