Forward Logs from Cortex Data Lake to a Syslog Server

Learn how to use the Log Forwarding app to forward logs from Cortex Data Lake to a Syslog server.
To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure the Log Forwarding app to forward all logs or a subset of logs to a Syslog receiver. The Log Forwarding app formats logs using the IETF Syslog message format defined in RFC 5424 and transports them over TLS as specified in RFC 5425. For each instance of Cortex Data Lake, you can deploy one instance of the Log Forwarding app and forward logs to up to ten Syslog destinations.
The communication between the Log Forwarding app and the Syslog destination uses Syslog over TLS. On connection, the Log Forwarding app validates that the Syslog receiver presents a certificate signed by a trusted root CA. To complete the TLS handshake and establish the connection, the Syslog receiver must present every certificate in the chain of trust (its own certificate and any intermediate CA certificates).
The Log Forwarding app does not support self-signed certificates.
  1. Enable communication between the Log Forwarding app and your Syslog receiver.
    Ensure that your Syslog receiver accepts connections from the Log Forwarding app and presents a valid, CA-signed certificate chain to complete the connection request.
    • Allow inbound TLS connections to your Syslog receiver from the following IP address ranges:
      • US: 65.154.226.0/24
      • EU: 154.59.126.0/24
    • Obtain a certificate from a well-known, public CA and install it on your Syslog receiver.
      Because the Log Forwarding app validates the server certificate to establish a connection, verify that the Syslog receiver is configured to send the full TLS certificate chain to the Log Forwarding app. If the app cannot verify that the receiver's certificate and every CA in the chain are trusted, the connection cannot be established. See List of Trusted Certificates for the Log Forwarding App.
  2. Sign In to the Cortex hub at https://apps.paloaltonetworks.com/.
  3. Select the Log Forwarding app instance that you want to configure for Syslog forwarding.
    If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and select an instance from the list of those available.
  4. Select Syslog and then Add to add a new Syslog Forwarding profile.
  5. Enter a descriptive Name for the profile.
  6. Enter the Syslog Server IPv4 address or FQDN.
  7. Enter the Port on which the Syslog server is listening.
    The default port for Syslog messages over TLS is 6514.
  8. Select the Facility.
    Choose one of the Syslog standard values. The value is carried in the facility field of each message, which your Syslog server can use to route and manage messages. For details on the facility field, see RFC 5424 (IETF format).
  9. To receive a Status Notification when the Log Forwarding app is unable to connect to the Syslog server, enter the email address at which you’d like to receive the notification.
    These notifications describe the error impacting communication between the Log Forwarding app and the Syslog server, so that you can take the appropriate steps to restore Syslog connectivity.
    Step 12 in this workflow gives you the option to enable the Log Forwarding app to default to email forwarding if it is unable to connect to any Syslog servers.
  10. Select the logs you want to forward.
    You can specify the log vendor (the source that sends logs to Cortex Data Lake) and log types, and either define a custom filter or use the predefined filters to forward the log types that are most important to you. See Custom Log Filters for details on predefined and custom filters, including examples of custom filters you might want to build.
    1. Add to select the Log Vendor.
      The log vendors are the sources that generated the logs, such as Firewall or Traps.
    2. Select the Log Type.
      You can only select one log subtype at a time.
      After you select the Log Type you want to forward, the predefined filter shows as selected by default. If you want to forward all logs associated with the log type you’ve selected, leave Predefined selected and continue to save this rule without adding any filters. Otherwise, continue to the next step to specify if you want to forward a subset of logs.
    3. (Optional) Use the Filter to forward only the logs that are most critical to you.
      For each log type, you can set the Filter to your custom needs or use the predefined options.
      With the Predefined filter, you can opt to Send GlobalProtect Cloud Service firewall logs only. Use this option if you use the GlobalProtect cloud service to secure your remote networks or mobile users and want to forward only the logs generated by the firewalls that belong to this service.
      For details on the filtering options, see Custom Log Filters.
    4. Save your changes.
    5. Add other log types that you’d like to forward.
  11. Save your changes.
  12. Decide if you want to Continue forwarding logs via email if syslog forwarding is unavailable.
    The Log Forwarding app prioritizes Syslog forwarding. Even when you have configured email forwarding profiles, if the app cannot establish a connection to a Syslog server you have defined, it stops forwarding logs entirely and queues them. When you select this option, the app instead continues with email forwarding while it is unable to connect to any of the Syslog servers defined in your profiles, so that logs still reach an external destination rather than being queued. And when Syslog connectivity is restored, the app resumes forwarding new logs stored to the .
    To ensure that you do not lose logs, set up email log forwarding before you enable this option. See Forward Logs from Cortex Data Lake to an Email Server.
  13. Verify that the Log Forwarding app instance reports Status as Running.
    If you need to stop forwarding logs, select Settings (gear icon) on the Cortex hub, hover over the app instance and click Stop. This temporarily suspends log forwarding, but your configuration is retained and you can Resume log forwarding again. When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.
  14. Verify that you can view logs on the Syslog receiver.
    For detailed information about the log format, refer to the Syslog field descriptions:
    • Regardless of whether the firewalls are running PAN-OS 8.0 or 8.1, the log format on the Syslog receiver matches the PAN-OS 8.1 format.
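The following is an added example and not code from the Log Forwarding app or from Palo Alto Networks. It ties together three of the steps above: it computes the PRI that the Facility setting (step 8) contributes to each message and builds RFC 5424 messages around it, frames them with the octet counting that RFC 5425 uses over TLS, parses a receiver-side buffer so you can check what arrives (step 14), and probes a receiver to confirm it presents a chain that a verifying client trusts (step 1). The host names, the sample payload and the use of `probe_receiver` as a stand-in for the app's own connection are assumptions; the app's client code is not public, so the probe reproduces the documented requirement (CA-signed, full chain, no self-signed certificates), not the app itself.

```python
"""Added example (not Palo Alto Networks code): RFC 5424 message construction,
RFC 5425 octet-counted framing, a receiver-side parser and a TLS chain probe.
Host names and sample messages below are constructed."""
import socket
import ssl
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1; these are the
# values behind the Facility drop-down in the Syslog Forwarding profile.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility, severity):
    """PRI = facility * 8 + severity; accepts names or numeric codes."""
    f = FACILITIES[facility] if isinstance(facility, str) else facility
    s = SEVERITIES[severity] if isinstance(severity, str) else severity
    if not (0 <= f <= 23 and 0 <= s <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return f * 8 + s


def build_rfc5424(facility, severity, hostname, appname, msg,
                  procid="-", msgid="-", sd="-", timestamp=None):
    """One RFC 5424 message without transport framing; '-' is the NILVALUE."""
    if timestamp is None:
        now = datetime.now(timezone.utc)
        timestamp = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    p = pri(facility, severity)
    return f"<{p}>1 {timestamp} {hostname} {appname} {procid} {msgid} {sd} {msg}"


def frame(msg):
    """RFC 5425 octet counting: MSG-LEN SP SYSLOG-MSG. MSG-LEN is the length
    of the UTF-8 encoded message in bytes, not in characters."""
    data = msg.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def parse_frames(buf):
    """Receiver side: split a TLS stream buffer into complete messages.
    Returns (messages, remainder); the remainder is an incomplete trailing
    frame to prepend to the next read. Each message is (facility, severity,
    text), decoded from the PRI at the front of the message."""
    out, pos = [], 0
    while pos < len(buf):
        sp = buf.find(b" ", pos)
        if sp == -1:
            break                       # length prefix still incomplete
        prefix = buf[pos:sp]
        if not prefix.isdigit():
            raise ValueError("stream is not octet-counted framing")
        start = sp + 1
        end = start + int(prefix)
        if end > len(buf):
            break                       # message body still incomplete
        text = buf[start:end].decode("utf-8")
        if not text.startswith("<") or ">" not in text:
            raise ValueError("message lacks an RFC 5424 PRI")
        p = int(text[1:text.index(">")])
        out.append((p // 8, p % 8, text))
        pos = end
    return out, buf[pos:]


def probe_receiver(host, port=6514, cafile=None):
    """Open a TLS session the way a verifying client does: the chain the
    receiver presents must reach a trusted root (the system store, or
    `cafile`) and the certificate must match `host`. Returns (ok, detail).
    A receiver that omits its intermediate CA typically fails here with
    'unable to get local issuer certificate'. Needs network; not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as e:
        return False, f"chain rejected: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    # Constructed sample; "firewall-01" and the payload are not real log data.
    sample = build_rfc5424("local0", "info", "firewall-01", "LogForwarding",
                           "TRAFFIC,end,constructed sample payload")
    wire = frame(sample)
    print(wire)
    print(parse_frames(wire)[0])
```

Run `probe_receiver("syslog.example.net")` (hostname assumed) from a host that can reach the receiver: a `(False, "chain rejected: ...")` result means the receiver would also be rejected by a client that enforces CA trust, and the usual fix is to install the intermediate CA certificate alongside the server certificate. The parser deliberately counts bytes rather than characters, because a receiver that uses character length for a message containing non-ASCII text will desynchronise from the stream.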
