Forward Logs from Cortex Data Lake to a Syslog Server
Learn how to use the Log Forwarding app to forward logs from Cortex Data Lake to a Syslog server.
To meet your long-term storage, reporting and monitoring, or legal and compliance needs, you can configure the Log Forwarding app to forward all logs or a subset of logs to a Syslog receiver. The Log Forwarding app uses the IETF Syslog message format defined in RFC 5425 to forward logs. For each instance of Cortex Data Lake, you can deploy one instance of the Log Forwarding app and forward logs to ten Syslog destinations.
The communication between the Log Forwarding app and the Syslog destination uses Syslog over TLS, and upon connection the Log Forwarding app validates that the Syslog receiver has a certificate signed by a trusted root CA. To complete the SSL handshake and establish the connection, the Syslog receiver must present all the certificates in the chain of trust.
The Log Forwarding app does not support self-signed certificates.
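The chain requirement above can be checked from any host with OpenSSL before you configure a profile. The script below is an added example, not code from Palo Alto Networks or the Log Forwarding app; the receiver name syslog.example.com and port 6514 are placeholders, the embedded s_client output is constructed, and the numeric results it interprets are OpenSSL's own X509 verify codes.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code): pre-flight check that a Syslog-over-TLS
# receiver presents a certificate chain that verifies up to a trusted root CA, which the
# Log Forwarding app requires before it will connect. Assumes openssl is installed;
# receiver host and port are placeholders.

# Capture the TLS handshake, including every certificate the receiver sends.
probe_receiver() {  # usage: probe_receiver <host> <port>
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Inspect s_client output passed as $1. Returns 0 when OpenSSL verified the chain
# against the local trust store; otherwise prints the likely cause and returns 1.
# Codes are OpenSSL X509 verify results: 18/19 self-signed, 20 issuer not trusted,
# 21 the leaf's issuer (an intermediate) was not sent.
check_chain() {
  certs=$(printf '%s\n' "$1" | grep -c 'BEGIN CERTIFICATE' || true)
  code=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  code=${code:--1}
  case "$code" in
    0)     echo "OK: $certs certificate(s) presented, chain verified"; return 0 ;;
    18|19) echo "FAIL: self-signed certificate (code $code); the app does not accept these" ;;
    20)    echo "FAIL: issuer not in the local trust store (code 20); use a well-known public CA" ;;
    21)    echo "FAIL: cannot find the leaf's issuer (code 21); receiver must send its intermediates" ;;
    *)     echo "FAIL: verify return code $code, $certs certificate(s) presented" ;;
  esac
  return 1
}

# Constructed sample of s_client output (certificate bodies elided) so the check runs offline.
SAMPLE='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
(leaf body elided)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate body elided)
-----END CERTIFICATE-----
    Verify return code: 0 (ok)'
check_chain "$SAMPLE"

# Against a real receiver (placeholder host): check_chain "$(probe_receiver syslog.example.com 6514)"
```

The local trust store may differ from the app's trusted CA list, so a passing result here confirms that the receiver sends a complete chain, not that the root is on the app's list.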
1. Enable communication between the Log Forwarding app and your Syslog receiver. Ensure that your Syslog receiver can accept connections from the Log Forwarding app and can present a valid CA-signed certificate to complete the connection request.
   - Allow an inbound TLS feed to your Syslog receiver from the following IP address ranges:
     - US: 18.104.22.168/28 (new, December 2019)
     - UK: 22.214.171.124/28
     - SG (Singapore): 126.96.36.199/28
     - 188.8.131.52/28 (new, December 2019)

     If you have allowed only specific IP addresses for inbound traffic, you must also allow the above IP address ranges so that the app can forward logs to your Syslog receiver.
   - Obtain a certificate from a well-known, public CA and install it on your Syslog receiver. Because the Log Forwarding app validates the server certificate to establish a connection, verify that the Syslog receiver is configured to send the full SSL certificate chain to the Log Forwarding app. If the app cannot verify that the certificate of the receiver and all CAs in the chain are trustworthy, the connection cannot be established. See List of Trusted Certificates for the Log Forwarding App.
2. Sign in to the hub at https://apps.paloaltonetworks.com/.
3. Select the Log Forwarding app instance that you want to configure for Syslog forwarding. If you have multiple Log Forwarding app instances, hover over the Log Forwarding tile and select an instance from the list of those available.
4. Select Syslog, then Add to add a new Syslog Forwarding profile.
5. Enter a descriptive Name for the profile.
6. Enter the Syslog Server IPv4 address or FQDN.
7. Enter the Port on which the Syslog server is listening. The default port for Syslog messages over TLS is 6514.
8. Select the Facility.
9. To receive a Status Notification when the Log Forwarding app is unable to connect to the Syslog server, enter the email address at which you'd like to receive the notification. These notifications describe the error affecting communication between the Log Forwarding app and the Syslog server, so that you can take the appropriate steps to restore Syslog connectivity. Step 12 in this workflow gives you the option to let the Log Forwarding app fall back to email forwarding if it is unable to connect to any Syslog servers.
10. (Optional) Enter a Profile Token to send logs to a cloud syslog receiver. If you use a third-party, cloud-based syslog service, you can enter a token that the Log Forwarding app inserts into the syslog message so that the cloud syslog provider can identify the source of the logs.
    - Follow your cloud syslog provider's instructions for generating an identifying token.
    - Enter the Profile Token. Tokens have a maximum length of 128 characters.
11. Select the logs you want to forward. You can specify the log vendor (the source that is sending logs to Cortex Data Lake) and log types, and either define a custom filter or use the predefined filters to forward the log types that are most important to you (Custom Log Filters has more details on predefined and custom filters, including examples of custom filters you might want to build).
    - Add to select the Log Vendor. The log vendors are the sources that generated the logs, such as Firewall or Traps.
    - Select the Log Type. The Threat log type does not include WildFire logs, URL logs, or Data logs; if you want to forward these log types, you must add them individually. You can only select one log subtype at a time. After you select the Log Type you want to forward, the predefined filter shows as selected by default. If you want to forward all logs associated with the log type you've selected, leave Predefined selected and save this rule without adding any filters. Otherwise, continue to the next step to forward only a subset of logs.
    - (Optional) Use the Filter to forward only the logs that are most critical to you. For each log type, you can set the Filter to your custom needs or use the predefined options. With the Predefined filter, you can opt to Send Prisma Access firewall logs only. Use this option if you are using Prisma Access to secure your remote networks or mobile users and want to forward only the logs generated by the firewalls that belong to this service. For details on the filtering options, see Custom Log Filters.
    - Save your changes.
    - Add other log types that you'd like to forward.
    - Save your changes.
12. Decide if you want to Continue forwarding logs via email if syslog forwarding is unavailable. The Log Forwarding app prioritizes Syslog forwarding: even when you have configured email forwarding profiles, if the app is unable to establish a connection to a Syslog server that you have defined, it stops forwarding logs entirely and queues them. When you select this option, the app instead continues with email forwarding whenever it cannot connect to any of the Syslog servers defined in your profiles, so that you still receive notifications at an external destination. When Syslog connectivity is restored, the app resumes forwarding new logs to the Syslog server.
13. Verify that the Log Forwarding app instance reports Status as Running. If you need to stop forwarding logs, select Settings on the hub, hover over the app instance, and click Stop. This temporarily suspends log forwarding, but your configuration is retained and you can Resume log forwarding later. When you resume forwarding, you may experience a delay before the Syslog receiver starts receiving logs again.