Forward Logs from Cortex Data Lake to a Syslog Server

Learn how to forward logs from Cortex Data Lake to a syslog server.
To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure Cortex Data Lake to forward all logs or a subset of logs to a syslog receiver.
Cortex Data Lake can forward logs in multiple formats: CSV, LEEF, or CEF. For each instance of Cortex Data Lake, you can forward logs to ten syslog destinations.
Cortex Data Lake communicates with the receiver using TLS, and upon connection Cortex Data Lake validates that the receiver has a certificate signed by a trusted root CA or a private CA. To complete the TLS handshake and establish the connection, the receiver must present all the certificates from the chain of trust.
If you are using the Palo Alto Networks Splunk app, forward logs using HTTPS instead.
  1. Enable communication between Cortex Data Lake and your syslog receiver. 
    Ensure that your syslog receiver accepts connections from Cortex Data Lake and can present a valid, CA-signed certificate chain to complete the connection request.
    • Allow an inbound TLS feed to your syslog receiver from the following IP address ranges:
      United States - Americas: 34.67.106.64/28
      Netherlands - Europe: 34.90.138.80/28
      United Kingdom: 35.246.51.240/28
      SG (Singapore): 34.87.142.80/28
      CA (Canada): 34.95.59.80/28
      JP (Japan): 34.84.94.80/28
      AU (Australia): 35.244.108.240/28
      DE (Germany): 35.246.195.240/28
      IN (India): 35.244.35.240/28
      United States - Government: 34.87.142.80/28
      If you have allowed only specific IP addresses for inbound traffic, you must also allow the above IP address ranges so that Cortex Data Lake can forward logs to your syslog receiver.
    • Obtain either a certificate from a well-known, public CA or a self-signed certificate and install it on your receiver. If you are using a certificate signed by a private CA, make sure it contains the CRL or OCSP information needed for certificate revocation checks.
      Because Cortex Data Lake validates the server certificate to establish a connection, you must verify that the receiver is configured to properly send the TLS certificate chain to Cortex Data Lake. If the app cannot verify that the certificate of the receiver and all CAs in the chain are trustworthy, the connection cannot be established. See the list of trusted certificates.
  2. Sign In to the hub at https://apps.paloaltonetworks.com/.
  3. Select the Cortex Data Lake instance that you want to configure for syslog forwarding.
    If you have multiple Cortex Data Lake instances, click the Cortex Data Lake tile and select an instance from the list of those available.
  4. Select Log Forwarding and then Add to add a new Syslog forwarding profile.
  5. Enter a descriptive Name for the profile.
  6. Enter the Syslog Server IPv4 address or FQDN.
    Ensure that the value entered here matches the Subject Alternative Name (SAN) of the certificate installed on your syslog server.
  7. Enter the Port on which the syslog server is listening.
    The default port for syslog messages over TLS is 6514.
  8. Select the Facility.
    Choose one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see the IETF standard for the log format (CSV, LEEF, or CEF) that you will choose in the next step.
  9. (Optional) Upload the private Root CA and intermediate CAs (if an intermediate CA exists). Do not upload the certificate issued for the syslog server; only CA certificates are needed to verify the chain from the syslog server.
    Only do this if you installed a private CA-signed or self-signed certificate on your receiver. The file containing the certificates must be in PEM format.
  10. Test Connection to ensure that Cortex Data Lake can communicate with the receiver.
    This checks TLS connectivity to verify that transmission is possible.
    If the test fails, you will not be able to proceed.
  11. Click Next.
  12. Specify the Format in which you would like to forward your logs.
    The log format (CSV, LEEF, or CEF) that you should select depends on the destination of your log data.
  13. Specify the Delimiter that you would like to use to separate the fields in your log messages.
  14. (Optional) To receive a STATUS NOTIFICATION when Cortex Data Lake is unable to connect to the syslog server, enter the email address at which you’d like to receive the notification.
    You will continue to receive these notifications every 60 minutes until connectivity is restored. If the connectivity issue is addressed within 72 hours, no logs will be lost. However, any log older than 72 hours following the service disconnection could be lost.
  15. (Optional) Enter a PROFILE TOKEN to send logs to a cloud syslog receiver.
    If you use a third-party cloud-based syslog service, you can enter a token that Cortex Data Lake inserts into each syslog message so that the cloud syslog provider can identify the source of the logs.
    1. Follow your cloud syslog provider’s instructions for generating an identifying token.
    2. Enter the Profile Token.
      Tokens have a maximum length of 128 characters.
  16. Select the logs you want to forward.
    1. Add a new log filter.
    2. Select the log type.
      The Threat log type does not include URL logs or Data logs. If you wish to forward these log types, you must add them individually.
    3. (Optional) Create a log filter to forward only the logs that are most critical to you.
      You can either write your own queries from scratch or use the query builder. You can also select the query field to choose from among a set of common predefined queries.
      Log filters function like queries in Explore. However, double quotes (“”) are not supported.
      If you want to forward all logs of the type you selected, do not enter a query. Instead, proceed to the next step.
    4. Save your changes.
  17. Save your changes.
  18. Verify that the Status of your Syslog forwarding profile is Running.
  19. Verify that you can view logs on the syslog receiver.
    For details about the log format, refer to the Syslog field descriptions (Select the PAN-OS Administrator’s Guide for your firewall version).
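Steps 1, 6 and 10 all hinge on the receiver presenting its full certificate chain and a SAN that matches the Syslog Server value. The following pre-flight script is an added example, not Palo Alto Networks code; it assumes openssl 1.1.1 or later (for `x509 -ext`), a receiver listening on TCP 6514, and a placeholder host name supplied via SYSLOG_HOST.

```shell
#!/bin/sh
# Added example (not from the Cortex Data Lake documentation): pre-flight
# checks for a syslog receiver before running Test Connection. Assumes
# openssl 1.1.1 or later (for "x509 -ext") and a receiver on TCP 6514.

# Count the PEM certificates a server presented (from s_client -showcerts
# output on stdin). Cortex Data Lake needs the server certificate plus every
# intermediate, so anything below 2 means the chain is incomplete.
count_chain_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Succeed only if the SAN list (from "openssl x509 -ext subjectAltName" on
# stdin) contains exactly the value you will enter as Syslog Server,
# either as a DNS name or as an IP address entry.
san_matches() {
  host="$1"
  # One SAN entry per line, leading whitespace stripped, exact match only.
  tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF -e "DNS:$host" -e "IP Address:$host"
}

# Live check against a receiver: fetch the chain it sends, then apply the
# two checks above. Returns non-zero with a reason on failure.
check_receiver() {
  host="$1"; port="${2:-6514}"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -showcerts </dev/null 2>/dev/null) || {
    echo "TLS connection to $host:$port failed"; return 1; }
  n=$(printf '%s\n' "$out" | count_chain_certs)
  if [ "$n" -lt 2 ]; then
    echo "receiver presented $n certificate(s); intermediate CA missing?"
    return 1
  fi
  # openssl x509 reads the first PEM block, i.e. the receiver's own cert.
  if ! printf '%s\n' "$out" | openssl x509 -noout -ext subjectAltName \
       | san_matches "$host"; then
    echo "certificate SAN does not contain $host"
    return 1
  fi
  echo "ok: $n certificates in chain, SAN matches $host"
}

# Usage: SYSLOG_HOST=syslog.example.com [SYSLOG_PORT=6514] sh check.sh
if [ -n "${SYSLOG_HOST:-}" ]; then
  check_receiver "$SYSLOG_HOST" "${SYSLOG_PORT:-6514}"
fi
```

A result of fewer than two certificates, or a SAN mismatch, is the usual reason Test Connection in step 10 fails even though the receiver port is reachable.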