Forward Logs from Cortex Data Lake to an Email Server

Learn how to use the Log Forwarding app to forward logs from Cortex Data Lake to an email server.
To get email notifications whenever critical issues occur on your network, you can configure the Log Forwarding app to send notifications to an email destination. The Log Forwarding app uses the Palo Alto Networks SMTP server to forward log information in an email format, and all emails are sent from The communication between the Log Forwarding app and the email destination uses SMTP over TLS, and SMTP server certificate is signed by a trusted root CA.
For each instance of Cortex Data Lake, you can one deploy an instance of the Log Forwarding app and set up log forwarding to email and Syslog destinations.
  1. Sign In
    to the hub at
  2. Select the Log Forwarding app instance that you want to configure for email forwarding.
    If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and then select an instance from the list of available instances.
  3. Configure email forwarding.
    You cannot add your SMTP server to the Log Forwarding app currently.
    1. Select
      to add a new email forwarding profile.
    2. Enter a descriptive
      for the profile.
    3. Enter the email address of the administrator
      whom you want to send email.
      You can include another email address to include as
    4. Enter the
      Email Subject
      to clearly identify the purpose of the notification.
    5. Select the logs you want to forward.
      You can specify the log vendor (the source that is sending logs to Cortex Data Lake), log types and either define a custom filter or use the predefined filters to forward the log types that are most important to you (here’s more details on predefined and custom filters, including examples of custom filters you might want to build).
      1. Add
        to select the
        Log Vendor
        The log vendors are the sources that generated the logs, such as Firewall or Traps.
      2. Select the
        Log Type
        You can only select one log subtype at a time.
        After you select the Log Type you want to forward, the predefined filter shows as selected by default. If you want to forward all logs associated with the log type you’ve selected, leave Predefined selected and continue to save this rule without adding any filters. Otherwise, continue to the next step to specify if you want to forward a subset of logs.
      3. (Optional)
        Use the
        to forward messages for only the logs that are most critical to you.
        For each log type, you can customize the
        for your needs or use the predefined options.
        With the
        filter, you can opt to
        Send Prisma Access firewall logs only
        . Use this option if you are using Prisma Access to secure your remote networks or mobile users, and want to forward logs generated by the firewalls that belong to this service only.
        For details on the filtering options, review how to Custom Log Filters.
      4. Save
        your changes.
      5. Add other log types for which you’d like to receive email notifications.
    6. Save
      your changes.
      Check your email to verify that you have received a test email from
      Email forwarding is rate limited to allow 10 emails per second.
  4. Decide if you want to receive email notifications when the connection to the Syslog destination is down.
    If you have configured Syslog forwarding, the Log Forwarding app completely stops forwarding logs and emails when it is unable to connect to any of the Syslog server that you have defined. The app queues the logs and resumes email and Syslog forwarding when the Syslog connection is reestablished. If you would like to continue receiving email notification when the Log Forwarding app is disconnected from the Syslog servers defined in your profiles, select
    Continue forwarding logs via email if syslog forwarding is unavailable
    . If you enable this option, you will receive email notifications for the events you have configured above when the Syslog connectivity is down, but when the connection between the Syslog server and the Log Forwarding app is restored, the logs generated during the time interval that the connection was down are not forwarded to the Syslog destinations.
  5. Verify that the Log Forwarding app instance reports Status as Running ( healthy.PNG ).
    If you need to stop forwarding logs, select
    ( gear_icon.PNG ) on the hub, hover over the app instance and click
    . This allows you to temporarily suspend log forwarding, but your configuration is retained and you can
    log forwarding again.When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.

Recommended For You