Forward Logs from Cortex Data Lake to an Email Server
Learn how to use the Log Forwarding app to forward logs from Cortex Data Lake to an email server.
To get email notifications whenever critical issues occur on your network, you can configure the Log Forwarding app to send notifications to an email destination. The Log Forwarding app uses the Palo Alto Networks SMTP server to forward log information in email format, and all emails are sent from firstname.lastname@example.org. The communication between the Log Forwarding app and the email destination uses SMTP over TLS, and the SMTP server certificate is signed by a trusted root CA.
For each instance of Cortex Data Lake, you can deploy one instance of the Log Forwarding app and set up log forwarding to email and Syslog destinations.
- Sign in to the Cortex hub at https://apps.paloaltonetworks.com/.
- Select the Log Forwarding app instance that you want to configure for email forwarding. If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and then select an instance from the list of available instances.
- Configure email forwarding. Currently, you cannot add your own SMTP server to the Log Forwarding app.
- Select Add to add a new email forwarding profile.
- Enter a descriptive Name for the profile.
- In the To field, enter the email address of the administrator to whom you want to send email. You can include another email address as BCC.
- Enter the Email Subject to clearly identify the purpose of the notification.
- Select the logs you want to forward. You can specify the log vendor (the source that is sending logs to Cortex Data Lake) and log types, and either define a custom filter or use the predefined filters to forward the log types that are most important to you (see Custom Log Filters for more details on predefined and custom filters, including examples of custom filters you might want to build).
- Select Add to choose the Log Vendor. The log vendors are the sources that generated the logs, such as Firewall or Traps.
- Select the Log Type. You can only select one log subtype at a time. After you select the Log Type you want to forward, the predefined filter shows as selected by default. If you want to forward all logs associated with the log type you’ve selected, leave Predefined selected and continue to save this rule without adding any filters. Otherwise, continue to the next step to specify if you want to forward a subset of logs.
- (Optional) Use the Filter to forward messages for only the logs that are most critical to you. For each log type, you can customize the Filter for your needs or use the predefined options. With the Predefined filter, you can opt to Send GlobalProtect Cloud Service firewall logs only. Use this option if you are using the GlobalProtect cloud service to secure your remote networks or mobile users, and want to forward logs generated by the firewalls that belong to this service only. For details on the filtering options, see Custom Log Filters.
- Save your changes.
- Add other log types for which you’d like to receive email notifications.
- Save your changes. Check your email to verify that you have received a test email from email@example.com. Email forwarding is rate limited to 10 emails per second.
- Decide whether you want to receive email notifications when the connection to the Syslog destination is down. If you have configured Syslog forwarding, the Log Forwarding app completely stops forwarding logs and emails when it is unable to connect to any of the Syslog servers that you have defined. The app queues the logs and resumes email and Syslog forwarding when the Syslog connection is reestablished. If you would like to continue receiving email notifications while the Log Forwarding app is disconnected from the Syslog servers defined in your profiles, select the Syslog option Continue forwarding logs via email if syslog forwarding is unavailable. If you enable this option, you will receive email notifications for the events you have configured above while Syslog connectivity is down, but when the connection between the Syslog server and the Log Forwarding app is restored, the logs generated during the time interval that the connection was down are not forwarded to the Syslog destinations.
- Verify that the Log Forwarding app instance reports Status as Running. If you need to stop forwarding logs, select Settings on the Cortex hub, hover over the app instance and click Stop. This allows you to temporarily suspend log forwarding, but your configuration is retained and you can Resume log forwarding again. When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.