Forward Logs from Cortex Data Lake to a Syslog Server
Learn how to forward logs from Cortex Data Lake to a Syslog server.
To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure Cortex Data Lake to forward all logs, or a subset of logs, to a Syslog receiver.
For each instance of Cortex Data Lake, you can forward logs to up to ten Syslog destinations.
The communication between Cortex Data Lake and the Syslog destination uses Syslog over TLS, and upon connection Cortex Data Lake validates that the Syslog receiver has a certificate signed by a trusted root CA. To complete the SSL handshake and establish the connection, the Syslog receiver must present all the certificates from the chain of trust.
Cortex Data Lake does not support self-signed certificates.
- Enable communication between Cortex Data Lake and your Syslog receiver. Ensure that your Syslog receiver can accept connections from Cortex Data Lake and can present a valid CA-signed certificate to complete the connection request.
- Allow an inbound TLS feed to your Syslog receiver from the following IP address ranges:
  - US: 126.96.36.199/28 (New, December 2019)
  - UK: 188.8.131.52/28
  - SG (Singapore): 184.108.40.206/28
  - CA (Canada): 220.127.116.11/28
  - JP (Japan): 18.104.22.168/28
  - 22.214.171.124/28 (New, December 2019)
  If you restrict inbound traffic to specific IP addresses, you must also allow the ranges above; otherwise Cortex Data Lake cannot forward logs to your Syslog receiver.
- Obtain a certificate from a well-known, public CA, and install it on your Syslog receiver. Because Cortex Data Lake validates the server certificate to establish a connection, verify that the Syslog receiver is configured to send the full SSL certificate chain to Cortex Data Lake. If the app cannot verify that the receiver's certificate and every CA in the chain are trustworthy, the connection cannot be established. See the list of trusted certificates.
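The two certificate requirements above (a chain that validates to a trusted root, and a receiver that actually sends its intermediates) are easy to get half right: a receiver that serves only its leaf certificate may still pass a local check if the intermediate happens to be in the local trust store, yet fail from Cortex Data Lake. The following pre-flight script is an added example, not Palo Alto Networks code. It records an `openssl s_client -showcerts` transcript from the receiver and checks both conditions; the parsing functions are exercised offline against constructed transcripts with fake certificate bodies. It assumes the `openssl` CLI is installed wherever the live check runs, and the hostname `syslog.example.internal` is a placeholder.

```shell
#!/bin/sh
# Pre-flight check for a Syslog-over-TLS receiver before pointing Cortex Data Lake at it.
# Added example, not Palo Alto Networks code. The live check assumes the openssl CLI
# is installed; the parsing functions work on a saved `openssl s_client` transcript.

# Count the certificates the receiver sent (leaf plus intermediates).
chain_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Pull the numeric verify return code out of the transcript (0 means the chain
# validated against the local trust store). Prints nothing if the line is absent.
verify_return_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Verdict: pass only if the chain validates AND more than the leaf was presented.
# A leaf-only chain can still verify locally when the intermediate happens to be in
# the local trust store, which is exactly the case that fails from Cortex Data Lake.
assess_transcript() {
    count=$(chain_cert_count "$1")
    code=$(verify_return_code "$1")
    if [ "${code:-1}" -ne 0 ]; then
        echo "FAIL: verify return code ${code:-missing}; chain does not validate to a trusted root"
        return 1
    fi
    if [ "${count:-0}" -lt 2 ]; then
        echo "FAIL: receiver presented only ${count:-0} certificate(s); intermediates are missing"
        return 1
    fi
    echo "OK: chain validates and $count certificates were presented"
}

# Live check against a real receiver (needs network and openssl). Same server-auth-only
# handshake Cortex Data Lake performs; no client certificate is sent. Port defaults to 6514.
check_syslog_receiver() {
    host=$1
    port=${2:-6514}
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null >"$tmp" 2>&1
    assess_transcript "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed transcripts (fake certificate bodies, placeholder hostname) for an offline self-check.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/good.txt" <<'EOF'
 0 s:CN = syslog.example.internal
   i:O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...constructed leaf...
-----END CERTIFICATE-----
 1 s:O = Example CA, CN = Example Issuing CA
   i:O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed intermediate...
-----END CERTIFICATE-----
    Verify return code: 0 (ok)
EOF
cat >"$SAMPLE_DIR/leaf_only.txt" <<'EOF'
 0 s:CN = syslog.example.internal
   i:O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...constructed leaf...
-----END CERTIFICATE-----
    Verify return code: 0 (ok)
EOF
cat >"$SAMPLE_DIR/self_signed.txt" <<'EOF'
 0 s:CN = syslog.example.internal
   i:CN = syslog.example.internal
-----BEGIN CERTIFICATE-----
MIIB...constructed self-signed...
-----END CERTIFICATE-----
    Verify return code: 18 (self-signed certificate)
EOF

# Offline demo; run `check_syslog_receiver <host> [port]` against a real receiver instead.
for f in good leaf_only self_signed; do
    printf '%s: ' "$f"
    assess_transcript "$SAMPLE_DIR/$f.txt" || true
done
```

The `leaf_only` sample is the case worth remembering: OpenSSL reports `Verify return code: 0` because the test host trusts the intermediate directly, but only one certificate was presented, so the script still fails it. The `self_signed` sample reflects the note above that self-signed certificates are not supported.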
- Sign in to the hub at https://apps.paloaltonetworks.com/.
- Select the Cortex Data Lake instance that you want to configure for Syslog forwarding. If you have multiple Cortex Data Lake instances, click the Cortex Data Lake tile and select an instance from the list of those available.
- Select Log Forwarding, then Add, to add a new Syslog forwarding profile.
- Enter a descriptive Name for the profile.
- Enter the Syslog Server IPv4 address or FQDN.
- Enter the Port on which the Syslog server is listening. The default port for Syslog messages over TLS is 6514.
- Select the Facility. Choose one of the Syslog standard values. The value maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see the IETF standard for the log format that you will choose in the next step.
- Specify the Format in which you would like to forward your logs.
- Specify the Delimiter that you would like to use to separate the fields in your log messages.
- (Optional) To receive a Status Notification when Cortex Data Lake is unable to connect to the Syslog server, enter the email address at which you'd like to receive the notification. These notifications describe the error affecting communication between Cortex Data Lake and the Syslog server, so that you can take the appropriate steps to restore Syslog connectivity.
- (Optional) Enter a Profile Token to send logs to a cloud Syslog receiver. If you use a third-party cloud-based Syslog service, you can enter a token that Cortex Data Lake inserts into each Syslog message so that the cloud Syslog provider can identify the source of the logs.
  - Follow your cloud Syslog provider's instructions for generating an identifying token.
  - Enter the Profile Token. Tokens have a maximum length of 128 characters.
- Select the logs you want to forward.
  - Add a new log filter.
  - Select the log type. The Threat log type does not include URL logs or Data logs. If you wish to forward these log types, you must add them individually.
  - (Optional) Create a log filter to forward only the logs that are most critical to you. If you want to forward all logs of the type you selected, do not enter a query. Instead, proceed to the next step.
  - Save the log filter.
- Save your changes to the profile.
- Verify that the Status of your Syslog forwarding profile is Running.
- Verify that you can view logs on the Syslog receiver.