Forward Logs from Cortex Data Lake to a Syslog Server
Learn how to forward logs from Cortex Data Lake to a syslog server.

To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure Cortex Data Lake to forward all logs or a subset of logs to a syslog receiver. Cortex Data Lake can forward logs in multiple formats: CSV, LEEF, or CEF. For each instance of Cortex Data Lake, you can forward logs to up to 200 syslog destinations.

Cortex Data Lake communicates with the receiver using TLS 1.2 and Java 8 default cipher suites (except GCM ciphers, which Cortex Data Lake does not currently support). Upon connection, Cortex Data Lake validates that the receiver has a certificate signed by a trusted root CA or a private CA. To complete the TLS handshake and establish the connection, the receiver must present all the certificates from the chain of trust.
- (QRadar only) Add a log source in QRadar by using the TLS Syslog protocol.
- Enable communication between Cortex Data Lake and your syslog receiver. Ensure that your syslog receiver can connect to Cortex Data Lake and can present a valid CA certificate to complete the connection request.
  - Obtain either a certificate from a well-known, public CA or a self-signed certificate and install it on your receiver. If you are using a certificate signed by a private CA, make sure that it contains the CRL or OCSP information needed for certificate revocation checks. Because Cortex Data Lake validates the server certificate to establish a connection, you must verify that the receiver is configured to properly send the TLS certificate chain to Cortex Data Lake. If the app cannot verify that the certificate of the receiver and all CAs in the chain are trustworthy, the connection cannot be established. See the list of trusted certificates.
- Sign in to the hub at https://apps.paloaltonetworks.com/.
- Select the Cortex Data Lake instance that you want to configure for syslog forwarding. If you have multiple Cortex Data Lake instances, click the Cortex Data Lake tile and select an instance from the list of those available.
- Select Log Forwarding > Add to add a new Syslog forwarding profile.
- Enter a descriptive Name for the profile.
- Enter the Syslog Server IPv4 address or FQDN. Ensure that the value entered here matches the Subject Alternative Name (SAN) of the certificate installed on your syslog server.
- Enter the Port on which the syslog server is listening. The default port for syslog messages over TLS is 6514.
- Select the Facility. Choose one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see the IETF standard for the log format (CSV, LEEF, or CEF) that you will choose in the next step.
- (Optional) Upload a self-signed certificate if you do not want to use a publicly signed certificate.
  - (Optional) Upload the private root CA and intermediate CAs (if an intermediate CA exists). Do not upload the certificate issued for the syslog server; only CA certificates are needed to verify the chain from the syslog server. Only do this if you installed a private CA-signed or self-signed certificate on your receiver, or the public CA is not in the list of trusted CAs. The file containing the certificates must be in PEM format.
- (Optional) Enable client authentication. Do this if company or regulatory policy requires client authentication when forwarding logs to your server.
  - Download the certificate chain.
  - Upload the certificate chain to your server. Refer to the documentation for your server management software to find out how to do this.
- Test Connection to ensure that Cortex Data Lake can communicate with the receiver. This checks TLS connectivity to verify that transmission is possible. If the test fails, you cannot proceed.
- Specify the Format in which you would like to forward your logs.
- Specify the Delimiter that you would like to use to separate the fields in your log messages.
- (Optional) To receive a STATUS NOTIFICATION when Cortex Data Lake is unable to connect to the syslog server, enter the email address at which you'd like to receive the notification. You will continue to receive these notifications every 60 minutes until connectivity is restored. If the connectivity issue is addressed within 72 hours, no logs will be lost. However, any log older than 72 hours following the service disconnection could be lost.
- (Optional) Enter a PROFILE TOKEN to send logs to a cloud syslog receiver. If you use a third-party cloud-based syslog service, you can enter a token that Cortex Data Lake inserts into each syslog message so that the cloud syslog provider can identify the source of the logs.
  - Follow your cloud syslog provider's instructions for generating an identifying token.
  - Enter the Profile Token. Tokens have a maximum length of 128 characters.
- Select the logs you want to forward.
  - Add a new log filter.
  - Select the log type. The Threat log type does not include URL logs or Data logs. If you wish to forward these log types, you must add them individually.
  - (Optional) Create a log filter to forward only the logs that are most critical to you. If you want to forward all logs of the type you selected, do not enter a query; instead, proceed to the next step. You can either write your own queries from scratch or use the query builder. You can also select the query field to choose from among a set of common predefined queries. Log filters function like queries in Explore, with the following differences:
    - No double quotes (“”).
    - No subnet masks. To return IP addresses with subnets, use the LIKE operator. Example: src_ip.value LIKE “192.1.1.%”.
  - Save your changes.
- Save your changes.
- Verify that the Status of your Syslog forwarding profile is Running.
- Verify that you can view logs on the syslog receiver.
- (Optional) You can use the running Syslog forwarding profile to forward past logs spanning up to 3 days.
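A common reason Test Connection fails is that the Syslog Server value does not match a SAN entry of the receiver's certificate, typically an IPv4 address entered against a certificate that only carries DNS names. The following check is an added example, not code from the Cortex Data Lake documentation; it assumes the SAN list is pasted in the form printed by `openssl x509 -noout -ext subjectAltName`, and the function names are my own.

```python
import ipaddress

# Added example (not from the Cortex Data Lake docs). Checks whether the value
# you would enter as "Syslog Server" (IPv4 address or FQDN) matches a SAN entry
# of the receiver's certificate. san_text is assumed to look like the output of
# `openssl x509 -noout -ext subjectAltName`, e.g.
# "DNS:syslog.example.com, IP Address:203.0.113.10".

def parse_san(san_text: str) -> list[tuple[str, str]]:
    """Split an openssl-style SAN listing into (kind, value) pairs."""
    entries = []
    body = san_text.replace("X509v3 Subject Alternative Name:", "")
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip().lower(), value.strip()))
    return entries

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, one wildcard, left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def syslog_server_matches_san(server_value: str, san_text: str) -> tuple[bool, str]:
    """Return (ok, reason). An IP address must match an 'IP Address' SAN;
    a DNS SAN that merely spells the same digits does not count."""
    entries = parse_san(san_text)
    try:
        ip = ipaddress.ip_address(server_value)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in entries:
            try:
                if kind == "ip address" and ipaddress.ip_address(value) == ip:
                    return True, f"matched IP SAN {value}"
            except ValueError:
                continue  # malformed entry, skip it
        return False, f"no IP Address SAN equals {server_value}"
    for kind, value in entries:
        if kind == "dns" and _dns_match(value, server_value):
            return True, f"matched DNS SAN {value}"
    return False, f"no DNS SAN matches {server_value}"
```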
When configuring event source mapping in your SIEM, be aware that the hostname value can change in the hostname field of the syslog message sent from Cortex Data Lake. For example,

Oct 8 15:26:51 stream-logfwd20-602226222-10061338-i2hh-harness-r9kt logforwarder LEEF:2.0|Palo Alto Networks|Next Generation

might change to

Oct 8 15:26:51 stream-logfwd20-602226222-10061338-i2hh-harness-a7b1 logforwarder LEEF:2.0|Palo Alto Networks|Next Generation

A change to your log forwarding configuration or a new feature/fix could change the hostname value and break event source mapping if you are using an exact match on the hostname.

If hostname exact matching is required by the SIEM, consider using a middle syslog host to rewrite the forwarded messages to a static hostname so that changes to hostname values don't affect log source mappings.
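The following Python is an added example, not code from the Cortex Data Lake documentation or product. It shows, on headers constructed from the two sample lines above, why an exact hostname match in the SIEM breaks when the instance suffix changes, and what the rewrite on a middle syslog host would do: key on the stable `logforwarder` tag and the LEEF vendor field, then substitute a static hostname. The static hostname `cdl-forwarder` and the function names are assumptions.

```python
import re

# Added example (not from the Cortex Data Lake docs). Sample headers are
# constructed from the two lines shown on the page; the static hostname
# and function names are assumptions.
SAMPLE_LINES = [
    "Oct 8 15:26:51 stream-logfwd20-602226222-10061338-i2hh-harness-r9kt logforwarder LEEF:2.0|Palo Alto Networks|Next Generation",
    "Oct 8 15:26:51 stream-logfwd20-602226222-10061338-i2hh-harness-a7b1 logforwarder LEEF:2.0|Palo Alto Networks|Next Generation",
]

# BSD-style header: timestamp, hostname, tag, then the LEEF payload.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$"
)

def parse_header(line: str) -> dict:
    """Split a forwarded syslog line into ts, host, tag and msg."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD-style syslog line")
    return m.groupdict()

def leef_vendor_product(msg: str) -> tuple[str, str]:
    """Return (vendor, product) from 'LEEF:2.0|Vendor|Product|...'."""
    parts = msg.split("|")
    if not parts[0].startswith("LEEF:") or len(parts) < 3:
        raise ValueError("not a LEEF message")
    return parts[1], parts[2]

def matches_exact(line: str, expected_host: str) -> bool:
    """What a SIEM log source configured with an exact hostname does."""
    return parse_header(line)["host"] == expected_host

def rewrite_hostname(line: str, static_host: str = "cdl-forwarder") -> str:
    """What a middle syslog host would do: replace the per-instance hostname
    with a static one, but only for messages that carry the forwarder tag
    and the Palo Alto Networks LEEF vendor, so other sources are untouched."""
    h = parse_header(line)
    try:
        vendor, _ = leef_vendor_product(h["msg"])
    except ValueError:
        return line
    if h["tag"] == "logforwarder" and vendor == "Palo Alto Networks":
        return f"{h['ts']} {static_host} {h['tag']} {h['msg']}"
    return line
```

With the rewrite in place, the SIEM source can keep its exact-match rule against `cdl-forwarder` while the upstream suffix changes freely.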