Start Sending Logs to Cortex Data Lake (Panorama-Managed)

Specify the log types to send to Cortex Data Lake.
The way you enable sending depends on the log type. For logs that are generated based on a policy match, use a log forwarding profile within a device group. For other log types, use the Log Settings configuration within a template.
To configure sending of System, Configuration, User-ID, and HIP Match logs:

Select

Device

Log Settings

.

Select the

Template

that contains the firewalls from which you want to send logs to Cortex Data Lake.

For each log type that you want to send to Cortex Data Lake,

Add

a match list filter. Give it a

Name

, optionally define a

Filter

, select

Panorama/Logging Service

, and click

OK

.



To configure sending of all other log types that are generated when a policy match occurs, such as Traffic or Threat logs, create and attach a Log Forwarding profile to each policy rule for which you want to send logs.

Select the

Device Group

and then select

Objects

Log Forwarding

to

Add

a profile. In the log forwarding profile match list, add each log type that you want to send.

If you enabled the Enhanced Application Logs feature, then fully

Enable enhanced application logging to Cortex Data Lake

on the firewall to send these log types. When you select this option, match lists that specify the log types required for enhanced application logging are automatically added to the profile.

Select

Panorama/Cortex Data Lake

as the Forward Method to enable the firewalls in the device group to send logs so you can monitor the logs and generate reports from Panorama.



Create basic Security policy rules in the device group.

Until the firewall has interfaces and zones and a basic Security policy, it will not let any traffic through and, by default, will log only traffic that matches a Security policy rule.

For each rule you create, select

Actions

and select the Log Forwarding profile that allows the firewall to send logs to Cortex Data Lake.


(
PA-7000 Series firewalls only
) Configure a log card interface to perform log forwarding.
As of PAN-OS 10.1, you can no longer forward system logs using the Management interface or using service routes through the Data Plane interfaces. The only way to forward system logs from a PA-7000 Series firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding Card (LFC).
Select
Network
Interfaces
Ethernet
and click
Add Interface
.
Select the
Slot
and
Interface Name
.
Set the
Interface Type
to
Log Card
.
Enter the
IP Address
,
Default Gateway
, and (
for IPv4 only
)
Netmask
.
Select
Advanced
and specify the
Link Speed
,
Link Duplex
, and
Link State
.
These fields default to
auto
, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended
Link Speed
for any connection is
1000
(Mbps).
Click
OK
to save your changes.
Commit your changes to Panorama and push them to the template and device group you created.
Verify that the firewall logs are sent to Cortex Data Lake.
On Panorama 8.1.7 and later releases, select
Monitor
Logs
and review the From Logging Service column to identify whether the logs that you view on Panorama are stored on Cortex Data Lake—
yes
indicates that the logs are saved to Cortex Data Lake.

Use the CLI command
request logging-service-forwarding status
for detailed information on the connectivity status to Cortex Data Lake and to verify whether you enabled Duplicate Log Forwarding or Enhanced Application Logs.
On a firewall, enter the CLI command
show logging-status
:
-----------------------------------------------------------------------------------------------------------------------------



      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded



-----------------------------------------------------------------------------------------------------------------------------



> CMS 0



        Not Sending to CMS 0



> CMS 1



        Not Sending to CMS 1







>Log Collection Service



'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx







    config   2017/07/26 16:33:20   2017/07/26 16:34:09                      323                 321                        2



    system   2017/07/31 12:23:10   2017/07/31 12:23:18                 13634645            13634637                    84831



    threat   2014/12/01 14:47:52   2017/07/26 16:34:24                557404252           557404169                       93



   traffic   2017/07/28 18:03:39   2017/07/28 18:03:50               3619306590          3619306590                     1740



  hipmatch         Not Available         Not Available                        0                   0                        0



gtp-tunnel         Not Available         Not Available                        0                   0                        0



    userid         Not Available         Not Available                        0                   0                        0



      auth         Not Available         Not Available                        0                   0                        0
Look for the
‘Log collection log forwarding agent’ is active and connected to <IP_address>
line. You can also see that CMS 0 and CMS (the Log Collectors) are not receiving logs.
On firewalls running PAN-OS 8.1.7 and later releases, you can
Show Status
Device
Setup
Management
Cortex Data Lake
) to verify that the firewall is connected and sending logs to Cortex Data Lake.
Use the
ACC
on Panorama to monitor network activity.
You can also select
Monitor
Manage Custom Reports
and
Run Now
to generate reports on summary logs.
(
PAN-OS 10.0.2 or later and Cloud Services Plugin 1.8 or later
) Generate scheduled reports on
Cortex Data Lake
data.
Archive Cortex Data Lake logs by forwarding logs from Cortex Data Lake to a Syslog server or email server for long-term storage, SOC, or internal audit.