Forward Logs from Cortex Data Lake to an Email Server
Learn how to use the Log Forwarding app to forward logs from Cortex Data Lake to an email server.
To get email notifications whenever critical issues occur on your network, you can configure the Log Forwarding app to send notifications to an email destination. The Log Forwarding app uses the Palo Alto Networks SMTP server to forward log information in an email format, and all emails are sent from email@example.com. The communication between the Log Forwarding app and the email destination uses SMTP over TLS, and SMTP server certificate is signed by a trusted root CA.
For each instance of Cortex Data Lake, you can one deploy an instance of the Log Forwarding app and set up log forwarding to email and Syslog destinations.
- Sign Into the hub at https://apps.paloaltonetworks.com/.
- Select the Log Forwarding app instance that you want to configure for email forwarding.If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and then select an instance from the list of available instances.
- Configure email forwarding.You cannot add your SMTP server to the Log Forwarding app currently.
- Selectto add a new email forwarding profile.Add
- Enter a descriptiveNamefor the profile.
- Enter the email address of the administratorTowhom you want to send email.You can include another email address to include asBCC.
- Enter theEmail Subjectto clearly identify the purpose of the notification.
- Select the logs you want to forward.You can specify the log vendor (the source that is sending logs to Cortex Data Lake), log types and either define a custom filter or use the predefined filters to forward the log types that are most important to you (here’s more details on predefined and custom filters, including examples of custom filters you might want to build).
- Addto select theLog Vendor.The log vendors are the sources that generated the logs, such as Firewall or Traps.
- Select theLog Type.You can only select one log subtype at a time.After you select the Log Type you want to forward, the predefined filter shows as selected by default. If you want to forward all logs associated with the log type you’ve selected, leave Predefined selected and continue to save this rule without adding any filters. Otherwise, continue to the next step to specify if you want to forward a subset of logs.
- (Optional)Use theFilterto forward messages for only the logs that are most critical to you.For each log type, you can customize theFilterfor your needs or use the predefined options.With thePredefinedfilter, you can opt toSend Prisma Access firewall logs only. Use this option if you are using Prisma Access to secure your remote networks or mobile users, and want to forward logs generated by the firewalls that belong to this service only.For details on the filtering options, review how to Custom Log Filters.
- Saveyour changes.
- Add other log types for which you’d like to receive email notifications.
- Saveyour changes.Check your email to verify that you have received a test email from firstname.lastname@example.org.Email forwarding is rate limited to allow 10 emails per second.
- Decide if you want to receive email notifications when the connection to the Syslog destination is down.If you have configured Syslog forwarding, the Log Forwarding app completely stops forwarding logs and emails when it is unable to connect to any of the Syslog server that you have defined. The app queues the logs and resumes email and Syslog forwarding when the Syslog connection is reestablished. If you would like to continue receiving email notification when the Log Forwarding app is disconnected from the Syslog servers defined in your profiles, select. If you enable this option, you will receive email notifications for the events you have configured above when the Syslog connectivity is down, but when the connection between the Syslog server and the Log Forwarding app is restored, the logs generated during the time interval that the connection was down are not forwarded to the Syslog destinations.SyslogContinue forwarding logs via email if syslog forwarding is unavailable
- Verify that the Log Forwarding app instance reports Status as Running ( ).If you need to stop forwarding logs, selectSettings( ) on the hub, hover over the app instance and clickStop. This allows you to temporarily suspend log forwarding, but your configuration is retained and you canResumelog forwarding again.When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.
Recommended For You
Recommended videos not found.