Forward Logs from Cortex Data Lake to an Email Server

Learn how to use the Log Forwarding app to forward logs from Cortex Data Lake to an email server.
To get email notifications whenever critical issues occur on your network, you can configure the Log Forwarding app to send notifications to an email destination. The Log Forwarding app uses the Palo Alto Networks SMTP server to forward log information in an email format, and all emails are sent from noreply@cs.paloaltonetworks.com. The communication between the Log Forwarding app and the email destination uses SMTP over TLS, and SMTP server certificate is signed by a trusted root CA.
lf-email.png
For each instance of Cortex Data Lake, you can one deploy an instance of the Log Forwarding app and set up log forwarding to email and Syslog destinations.
  1. Sign In
    to the Cortex hub at https://apps.paloaltonetworks.com/.
  2. Select the Log Forwarding app instance that you want to configure for email forwarding.
    If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and then select an instance from the list of available instances.
  3. Configure email forwarding.
    You cannot add your SMTP server to the Log Forwarding app currently.
    1. Select
      Email
      Add
      to add a new email forwarding profile.
    2. Enter a descriptive
      Name
      for the profile.
    3. Enter the email address of the administrator
      To
      whom you want to send email.
      You can include another email address to include as
      BCC
      .
    4. Enter the
      Email Subject
      to clearly identify the purpose of the notification.
    5. Select the logs you want to forward.
      You can specify the log vendor (the source that is sending logs to Cortex Data Lake), log types and either define a custom filter or use the predefined filters to forward the log types that are most important to you (here’s more details on predefined and custom filters, including examples of custom filters you might want to build).
      1. Add
        to select the
        Log Vendor
        .
        The log vendors are the sources that generated the logs, such as Firewall or Traps.
      2. Select the
        Log Type
        .
        You can only select one log subtype at a time.
        After you select the Log Type you want to forward, the predefined filter shows as selected by default. If you want to forward all logs associated with the log type you’ve selected, leave Predefined selected and continue to save this rule without adding any filters. Otherwise, continue to the next step to specify if you want to forward a subset of logs.
      3. (Optional)
        Use the
        Filter
        to forward messages for only the logs that are most critical to you.
        For each log type, you can customize the
        Filter
        for your needs or use the predefined options.
        add-email-profile.png
        With the
        Predefined
        filter, you can opt to
        Send GlobalProtect Cloud Service firewall logs only
        . Use this option if you are using the GlobalProtect cloud service to secure your remote networks or mobile users, and want to forward logs generated by the firewalls that belong to this service only.
        For details on the filtering options, review how to Custom Log Filters.
      4. Save
        your changes.
      5. Add other log types for which you’d like to receive email notifications.
    6. Save
      your changes.
      configure-email-forwarding.png
      Check your email to verify that you have received a test email from noreply@cs.paloaltonetworks.com.
      Email forwarding is rate limited to allow 10 emails per second.
  4. Decide if you want to receive email notifications when the connection to the Syslog destination is down.
    If you have configured Syslog forwarding, the Log Forwarding app completely stops forwarding logs and emails when it is unable to connect to any of the Syslog server that you have defined. The app queues the logs and resumes email and Syslog forwarding when the Syslog connection is reestablished. If you would like to continue receiving email notification when the Log Forwarding app is disconnected from the Syslog servers defined in your profiles, select
    Syslog
    Continue forwarding logs via email if syslog forwarding is unavailable
    . If you enable this option, you will receive email notifications for the events you have configured above when the Syslog connectivity is down, but when the connection between the Syslog server and the Log Forwarding app is restored, the logs generated during the time interval that the connection was down are not forwarded to the Syslog destinations.
  5. Verify that the Log Forwarding app instance reports Status as Running ( healthy.PNG ).
    If you need to stop forwarding logs, select
    Settings
    ( gear_icon.PNG ) on the Cortex hub, hover over the app instance and click
    Stop
    . This allows you to temporarily suspend log forwarding, but your configuration is retained and you can
    Resume
    log forwarding again.When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.
    stop-lf.png

Related Documentation