Start Sending Logs to Cortex Data Lake (Panorama-Managed)

Learn how to send logs to Cortex Data Lake from your Panorama-managed firewalls.
To send logs from Panorama™-managed firewalls to Cortex™ Data Lake, you must first activate Cortex Data Lake. Activating Cortex Data Lake includes provisioning the certificate that the firewalls need to securely connect to Cortex Data Lake. Only after you activate Cortex Data Lake can you enable Panorama-managed firewalls to send logs.
The following task describes how to start sending logs. First, you’ll enable firewalls to communicate with Cortex Data Lake and then you can specify the log types that you want to send. You can then use Panorama device groups and templates to push these settings to managed firewalls.
If you’re using:
  • Firewalls without Panorama: To send logs to Cortex Data Lake from firewalls that are not managed by Panorama, follow the procedure for firewalls without Panorama instead.
  • Cortex XDR: Follow the Cortex XDR (Pro or Prevent) procedure for enabling it to send logs instead.
How you activate and implement Cortex Data Lake varies depending on the products and services you’re using. Learn more about how to get started with Cortex Data Lake based on the products you’re using.
  1. Specify the log types to send to Cortex Data Lake.
    The way you enable sending depends on the log type. For logs that are generated based on a policy match, use a log forwarding profile within a device group. For other log types, use the Log Settings configuration within a template.
    1. To configure sending of System, Configuration, User-ID, and HIP Match logs:
      1. Select Device > Log Settings.
      2. Select the Template that contains the firewalls from which you want to send logs to Cortex Data Lake.
      3. For each log type that you want to send to Cortex Data Lake, Add a match list filter. Give it a Name, optionally define a Filter, select Panorama/Logging Service, and click OK.
    2. To configure sending of all other log types that are generated when a policy match occurs, such as Traffic or Threat logs, create a Log Forwarding profile and attach it to each policy rule for which you want to send logs.
      1. Select the Device Group and then select Objects > Log Forwarding to Add a profile. In the log forwarding profile match list, add each log type that you want to send.
        If you enabled the Enhanced Application Logs feature, also select Enable enhanced application logging to Cortex Data Lake in the profile so that the firewall sends these log types. When you select this option, match lists for the log types that enhanced application logging requires are added to the profile automatically.
      2. Select Panorama/Cortex Data Lake as the Forward Method so that the firewalls in the device group send their logs and you can monitor the logs and generate reports from Panorama.
      3. Make sure the firewall has interfaces, zones, and a basic Security policy. Until it does, the firewall does not pass any traffic, and by default it logs only traffic that matches a Security policy rule, so no Traffic logs exist to forward.
      4. For each rule you create, select Actions and select the Log Forwarding profile that allows the firewall to send logs to Cortex Data Lake. A rule without the profile attached generates logs that are never forwarded to Cortex Data Lake.
  2. Commit your changes to Panorama and push them to the template and device group you created.
  3. Verify that the firewall logs are sent to Cortex Data Lake.
    • On Panorama 8.1.7 and later releases, select Monitor > Logs and review the From Logging Service column to identify whether the logs that you view on Panorama are stored on Cortex Data Lake; yes indicates that the logs are saved to Cortex Data Lake.
      Use the CLI command request logging-service-forwarding status for detailed information on the connectivity status to Cortex Data Lake and to verify whether you enabled Duplicate Log Forwarding or Enhanced Application Logs.
    • On a firewall, enter the CLI command show logging-status:
      -----------------------------------------------------------------------------------------------------------------------------
      Type            Last Log Created     Last Log Fwded       Last Seq Num Fwded   Last Seq Num Acked   Total Logs Fwded
      -----------------------------------------------------------------------------------------------------------------------------
      > CMS 0
      Not Sending to CMS 0
      > CMS 1
      Not Sending to CMS 1
      >Log Collection Service
      'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx
      config          2017/07/26 16:33:20  2017/07/26 16:34:09  323                  321                  2
      system          2017/07/31 12:23:10  2017/07/31 12:23:18  13634645             13634637             84831
      threat          2014/12/01 14:47:52  2017/07/26 16:34:24  557404252            557404169            93
      traffic         2017/07/28 18:03:39  2017/07/28 18:03:50  3619306590           3619306590           1740
      hipmatch        Not Available        Not Available        0                    0                    0
      gtp-tunnel      Not Available        Not Available        0                    0                    0
      userid          Not Available        Not Available        0                    0                    0
      auth            Not Available        Not Available        0                    0                    0
      Look for the ‘Log Collection log forwarding agent’ is active and connected to <IP_address> line. You can also see that CMS 0 and CMS 1 (the Log Collectors) are not receiving logs. If Last Seq Num Acked lags further and further behind Last Seq Num Fwded for a log type, Cortex Data Lake is not acknowledging those logs.
      On firewalls running PAN-OS 8.1.7 and later releases, you can also click Show Status (Device > Setup > Management > Cortex Data Lake) to verify that the firewall is connected and sending logs to Cortex Data Lake.
  4. Use the ACC on Panorama to monitor network activity.
    You can also use Monitor > Manage Custom Reports and Run Now to generate reports on summary logs. You cannot generate scheduled reports or generate reports on detailed logs stored on Cortex Data Lake.
  5. Archive Cortex Data Lake logs by forwarding logs from Cortex Data Lake to a Syslog server or email server for long-term storage, SOC, or internal audit.
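To run the verification in step 3 from a script across many firewalls instead of reading the CLI output by eye, the following Python example (added here; it is not Palo Alto Networks code) parses show logging-status output, confirms that the log forwarding agent reports itself active and connected, checks that the log types you expect have actually been forwarded, and flags log types whose forwarded sequence number is running far ahead of the acknowledged one. The sample outputs, the 192.0.2.10 address, the expected log types (traffic, threat) and the tolerance of 1000 unacknowledged logs are constructed assumptions; adjust the last two to match your Log Forwarding profiles and log volume.

```python
"""Check PAN-OS `show logging-status` output for healthy forwarding to Cortex Data Lake.

Added example, not Palo Alto Networks code. Pipe a firewall's output on stdin:
    ssh admin@fw 'show logging-status' | python3 check_cdl_forwarding.py
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the output shown above; the address is a
# documentation (TEST-NET) address and the counters are illustrative.
SAMPLE_OK = """\
Type            Last Log Created     Last Log Fwded       Last Seq Num Fwded   Last Seq Num Acked   Total Logs Fwded
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
>Log Collection Service
'Log Collection log forwarding agent' is active and connected to 192.0.2.10
config          2017/07/26 16:33:20  2017/07/26 16:34:09  323                  321                  2
system          2017/07/31 12:23:10  2017/07/31 12:23:18  13634645             13634637             84831
threat          2014/12/01 14:47:52  2017/07/26 16:34:24  557404252            557404169            93
traffic         2017/07/28 18:03:39  2017/07/28 18:03:50  3619306590           3619306590           1740
hipmatch        Not Available        Not Available        0                    0                    0
gtp-tunnel      Not Available        Not Available        0                    0                    0
userid          Not Available        Not Available        0                    0                    0
auth            Not Available        Not Available        0                    0                    0
"""

# Constructed failure case: no "active and connected" line, and no Traffic logs
# forwarded yet (e.g. no Log Forwarding profile attached to the Security rules).
SAMPLE_DOWN = """\
>Log Collection Service
config          2017/07/26 16:33:20  Not Available        323                  0                    0
traffic         Not Available        Not Available        0                    0                    0
"""

TIMESTAMP = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}|Not Available"
AGENT_RE = re.compile(r"'Log Collection log forwarding agent' is active and connected to (\S+)")
ROW_RE = re.compile(
    rf"^(?P<name>[\w-]+)\s+(?P<created>{TIMESTAMP})\s+(?P<fwded>{TIMESTAMP})\s+"
    r"(?P<seq_fwded>\d+)\s+(?P<seq_acked>\d+)\s+(?P<total>\d+)\s*$"
)


@dataclass
class LogTypeStatus:
    name: str
    last_created: Optional[str]    # None when the firewall reports "Not Available"
    last_forwarded: Optional[str]
    seq_forwarded: int
    seq_acked: int
    total_forwarded: int

    @property
    def unacked(self) -> int:
        """Logs the firewall has forwarded that Cortex Data Lake has not acknowledged."""
        return self.seq_forwarded - self.seq_acked


def _ts(value: str) -> Optional[str]:
    return None if value == "Not Available" else value


def parse_logging_status(text: str) -> Tuple[Optional[str], Dict[str, LogTypeStatus]]:
    """Return (address the agent is connected to, or None if absent; rows keyed by log type)."""
    agent_addr = None
    rows: Dict[str, LogTypeStatus] = {}
    for line in text.splitlines():
        m = AGENT_RE.search(line)
        if m:
            agent_addr = m.group(1)
            continue
        m = ROW_RE.match(line)   # header, separator and CMS lines do not match
        if m:
            rows[m["name"]] = LogTypeStatus(
                name=m["name"], last_created=_ts(m["created"]), last_forwarded=_ts(m["fwded"]),
                seq_forwarded=int(m["seq_fwded"]), seq_acked=int(m["seq_acked"]),
                total_forwarded=int(m["total"]),
            )
    return agent_addr, rows


def check_logging_status(text: str, expected_types=("traffic", "threat"),
                         max_unacked: int = 1000) -> List[str]:
    """Return a list of problems; empty means forwarding looks healthy.

    expected_types (assumed) are log types that must have been forwarded at least once;
    max_unacked (assumed) is the tolerated gap between Last Seq Num Fwded and Acked.
    """
    agent_addr, rows = parse_logging_status(text)
    problems: List[str] = []
    if agent_addr is None:
        problems.append("log forwarding agent is not active and connected to Cortex Data Lake")
    for name in expected_types:
        row = rows.get(name)
        if row is None or row.total_forwarded == 0:
            problems.append(f"{name}: no logs forwarded yet (check the Log Forwarding profile "
                            "or Log Settings match list and the Panorama push)")
    for row in rows.values():
        if row.unacked > max_unacked:
            problems.append(f"{row.name}: {row.unacked} logs forwarded but not acknowledged")
    return problems


if __name__ == "__main__":
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK
    found = check_logging_status(output)
    print("\n".join(found) if found else "OK: logs are being forwarded and acknowledged")
    sys.exit(1 if found else 0)
```

Run without input to exercise the constructed healthy sample; a non-zero exit status makes it easy to wire into a fleet-wide check after every Panorama push. The absence of the "active and connected" line is treated as a failure because that line is the one the procedure tells you to look for; the exact wording PAN-OS prints when the agent is down is not assumed.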
