Forward Logs from Cortex Data Lake to a Syslog Server

Learn how to use the Log Forwarding app to forward logs from Cortex Data Lake to a Syslog server.
To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure the Log Forwarding app to forward all logs or a subset of logs to a Syslog receiver. The Log Forwarding app uses the IETF Syslog message format defined in RFC 5425 to forward logs. For each instance of Cortex Data Lake, you can deploy one instance of the Log Forwarding app and forward logs to ten Syslog destinations.
The communication between the Log Forwarding app and the Syslog destination uses Syslog over TLS, and upon connection the Log Forwarding app validates that the Syslog receiver has a certificate signed by a trusted root CA. To complete the SSL handshake and establish the connection, the Syslog receiver must present all the certificates in the chain of trust.
The Log Forwarding app does not support self-signed certificates.
  1. Enable communication between the Log Forwarding app and your Syslog receiver. 
    Ensure that your Syslog receiver can connect to the Log Forwarding app and can present a valid CA certificate to complete the connection request.
    • Allow an inbound TLS feed to your Syslog receiver from the following IP address ranges:
      (table of IP address ranges, including SG (Singapore); some ranges marked New (December 2019))
      If you have allowed specific IP addresses for inbound traffic, you must also allow the above IP address ranges to forward logs to your Syslog receiver.
    • Obtain a certificate from a well-known, public CA, and install it on your Syslog receiver.
      Because the Log Forwarding app validates the server certificate to establish a connection, you must verify that the Syslog receiver is configured to send the complete SSL certificate chain to the Log Forwarding app. If the app cannot verify that the certificate of the receiver and all CAs in the chain are trustworthy, the connection cannot be established. See List of Trusted Certificates for the Log Forwarding App.
  2. Sign In
    to the hub at
  3. Select the Log Forwarding app instance that you want to configure for Syslog forwarding.
    If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and select an instance from the list of those available.
  4. Select
    to add a new Syslog Forwarding profile.
  5. Enter a descriptive
    for the profile.
  6. Enter the Syslog Server IPv4 address or FQDN.
  7. Enter the
    on which the Syslog server is listening.
    The default port for Syslog messages over TLS is 6514.
  8. Select the
    Choose one of the Syslog standard values. The value maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5425 (IETF format).
  9. To receive a
    Status Notification
    when the Log Forwarding app is unable to connect to the Syslog server, enter the email address at which you’d like to receive the notification.
    These notifications describe the error impacting communication between the Log Forwarding app and the Syslog server, so that you can take the appropriate steps to restore Syslog connectivity.
    Step 12 in this workflow gives you the option to enable the Log Forwarding app to default to email forwarding if it is unable to connect to any Syslog servers.
  10. (
    ) Enter a
    Profile Token
    to send logs to a cloud syslog receiver.
    If you use a third-party, cloud-based syslog service, you can enter a token that the Log Forwarding app inserts into the syslog message so that the cloud syslog provider can identify the source of the logs.
    1. Follow your cloud syslog provider’s instructions for generating an identifying token.
    2. Enter the
      Profile Token
      Tokens have a maximum length of 128 characters.
  11. Select the logs you want to forward.
    You can specify the log vendor (the source that is sending logs to Cortex Data Lake) and the log types, and either define a custom filter or use the predefined filters to forward the log types that are most important to you (here are more details on predefined and custom filters, including examples of custom filters you might want to build).
    1. Add
      to select the
      Log Vendor
      The log vendors are the sources that generated the logs, such as Firewall or Traps.
    2. Select the
      Log Type
      The Threat log type does not include WildFire logs, URL logs, or Data logs. If you wish to forward these log types, you must add them individually.
      You can only select one log subtype at a time.
      After you select the Log Type you want to forward, the predefined filter shows as selected by default. If you want to forward all logs associated with the log type you’ve selected, leave Predefined selected and continue to save this rule without adding any filters. Otherwise, continue to the next step to specify if you want to forward a subset of logs.
    3. (
      ) Use the
      to forward only the logs that are most critical to you.
      For each log type, you can set the
      to your custom needs or use the predefined options.
      With the
      filter, you can opt to
      Send Prisma Access firewall logs only
      . Use this option if you are using Prisma Access to secure your remote networks or mobile users, and want to forward logs generated by the firewalls that belong to this service only.
      For details on the filtering options, see Custom Log Filters.
    4. Save
      your changes.
    5. Add other log types that you’d like to forward.
  12. Save
    your changes.
  13. Decide if you want to
    Continue forwarding logs via email if syslog forwarding is unavailable
    The Log Forwarding app prioritizes Syslog forwarding. Therefore, even when you have configured one or more email forwarding profiles, if the app cannot establish a connection to a Syslog server that you have defined, it stops forwarding logs entirely and queues them. When you select this option, the app instead falls back to email forwarding whenever it cannot connect to any of the Syslog servers defined in your profiles, so that you still receive notifications at an external destination. When Syslog connectivity is restored, the app resumes forwarding new logs to the Syslog server.
    To ensure that you do not lose logs, make sure to set up email log forwarding before you enable this option. See Forward Logs from Cortex Data Lake to an Email Server.
  14. Verify that the Log Forwarding app instance reports Status as Running.
    If you need to stop forwarding logs, select
    on the hub, hover over the app instance and click
    . This allows you to temporarily suspend log forwarding, but your configuration is retained and you can
    log forwarding again. When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.
  15. Verify that you can view logs on the Syslog receiver.
    For details about the log format, refer to the Syslog field descriptions:
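Added example, not from this documentation or the Log Forwarding app: a Python parser for what the receiver should see at step 15, RFC 5425 octet-counted frames carrying RFC 5424 messages, decoding the PRI field back into the facility chosen in step 8. The hostnames, the structured-data element and the frames themselves are constructed sample data.

```python
# Added example, not the Log Forwarding app's code; sample frames are constructed.
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header, then STRUCTURED-DATA ("-" or [..] elements, "\]" escaped), then MSG.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]\\]*(?:\\.[^\]\\]*)*\])+)"
    r"(?: (?P<msg>.*))?$", re.S)

def frame(msg: str) -> bytes:
    """Wrap one message in RFC 5425 octet-counting framing: MSG-LEN SP SYSLOG-MSG."""
    body = msg.encode("utf-8")
    return str(len(body)).encode() + b" " + body

def split_frames(stream: bytes) -> list[bytes]:
    """Split a TCP stream of octet-counted frames; there are no line delimiters."""
    frames, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)              # MSG-LEN ends at the first space
        length = int(stream[pos:sp])
        body = stream[sp + 1:sp + 1 + length]
        if len(body) != length:
            raise ValueError(f"truncated frame at offset {pos}")
        frames.append(body)
        pos = sp + 1 + length
    return frames

def parse_message(frame_bytes: bytes) -> dict:
    """Decode PRI into facility/severity names and pull out the header fields."""
    m = HEADER.match(frame_bytes.decode("utf-8"))
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    if pri > 191:                                  # 24 facilities x 8 severities
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m["ts"], "hostname": m["host"], "appname": m["app"],
            "procid": m["proc"], "msgid": m["msgid"], "sd": m["sd"], "msg": m["msg"] or ""}

# Constructed sample: local7.info (PRI 190) with structured data, then user.err (PRI 11).
SAMPLE_STREAM = frame(
    '<190>1 2024-05-01T12:00:00.000Z cdl-lfa LogForwarding - TRAFFIC '
    '[example@0 src="10.0.0.1" dst="10.0.0.2"] allow session end'
) + frame("<11>1 2024-05-01T12:00:01Z receiver rsyslogd 1234 - - connection closed by peer")
```

Running `parse_message` over each frame from `split_frames(SAMPLE_STREAM)` is a quick way to confirm that the facility and hostname the receiver records match the profile you configured.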