Each Collector Group can have up to 16 Log Collectors, to which you assign firewalls for forwarding logs. You can then use Panorama to query the Log Collectors for aggregated log viewing and investigation.
The predefined Collector Group named default contains the predefined Log Collector that is local to the M-Series appliance in Panorama mode.
Configure a Collector Group
To configure a Collector Group, click Add and complete the following fields.
Collector Group Setting Configured In Description
Name Panorama > Collector Groups > General Enter a name to identify this Collector Group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Log Storage Indicates the current storage quota for firewall logs that the Collector Group receives. Select this option to set the storage Quota and expiration period (Max Days) for each log type and extended threat PCAPs. For details on quotas and expiration periods, see Device > Setup > Management, Logging and Reporting Settings. To use the default settings, click Restore Defaults.
Min Retention Period (days) Enter the minimum log retention period in days (1-2,000) that Panorama maintains across all Log Collectors in the Collector Group. If the current date minus the date of the oldest log is less than the defined minimum retention period, Panorama generates a System log as an alert violation.
Enable log redundancy across collectors If you select this option, each log in the Collector Group will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost—you can see all the logs forwarded to the Collector Group and run reports for all the log data. Log redundancy is available only if the Collector Group has multiple Log Collectors and each Log Collector has the same number of disks. After you enable redundancy, Panorama redistributes the existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Redistribution State column indicates the completion status of the process as a percentage. All the Log Collectors for any particular Collector Group must be the same platform (all M-100 appliances or all M-500 appliances). Because enabling redundancy creates more logs, this configuration requires more storage capacity. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives. (When a Collector Group runs out of space, it deletes older logs.)
Location Panorama > Collector Groups > Monitoring Specify the location of the M-Series appliance in Log Collector mode.
Contact Specify an email contact (for example, the email address of the SNMP administrator who will monitor the Log Collectors).
Version Specify the SNMP version for communication with the Panorama management server: V2c or V3. SNMP enables you to collect information about Log Collectors, including connection status, disk drive statistics, software version, average CPU usage, average logs/second, and storage duration per log type. SNMP information is available on a per Collector Group basis.
SNMP Community String (V2c only) Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices (Log Collectors, in this case), and serves as a password to authenticate the community members to each other. Don’t use the default community string public; it is well known and therefore not secure.
Views (V3 only) Add a group of SNMP views and, in Views, enter a name for the group. Each view is a paired object identifier (OID) and bitwise mask: the OID specifies a management information base (MIB) and the mask (in hexadecimal format) specifies which SNMP objects are accessible within (include matching) or outside (exclude matching) that MIB. For each view in the group, Add the following settings. View: enter a name for a view. OID: enter the OID. Option (include or exclude): choose whether the view will exclude or include the OID. Mask: specify a mask value for a filter on the OID (for example, 0xf0).
Users (V3 only) Add the following settings for each SNMP user. Users: enter a username for authenticating the user to the SNMP manager. View: select a group of views for the user. Authpwd: enter a password for authenticating the user to the SNMP manager (minimum eight characters). Only Secure Hash Algorithm (SHA) is supported for encrypting the password. Privpwd: enter a privacy password for encrypting SNMP messages to the SNMP manager (minimum eight characters). Only Advanced Encryption Standard (AES) is supported.
Collector Group Members Panorama > Collector Groups > Device Log Forwarding Click Add and, from the drop-down, select the Log Collectors that will be part of this Collector Group (up to 16). The drop-down will show all Log Collectors that are available in the Panorama > Managed Collectors page. All the Log Collectors for any particular Collector Group must be the same platform (all M-100 appliances or all M-500 appliances). After you add Log Collectors to an existing Collector Group, Panorama redistributes its existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Redistribution State column indicates the completion status of the process as a percentage.
Devices You must add Collector Group Members (Log Collectors) before you can add firewalls to the Collector Group. To add firewalls, click Add, click Modify in the Devices list, select the managed firewalls, and click OK. To assign the firewalls to Log Collectors for log forwarding, click Add in the Collectors list and select the Log Collectors. The first Log Collector you specify will be the primary Log Collector for the firewalls. If the primary Log Collector fails, the firewalls will send logs to the secondary Log Collector. If the secondary fails, the firewalls will send logs to the tertiary Log Collector, and so on. To change the order, select a Log Collector and click Move Up or Move Down. After assigning all the Log Collectors in the desired order, click OK.
System Panorama > Collector Groups > Collector Log Forwarding Select the firewall logs that you want to forward from this Collector Group to external servers (SNMP Trap, Email, or Syslog). To configure server profiles for these destinations, see Device > Server Profiles > SNMP Trap, Device > Server Profiles > Syslog, and Device > Server Profiles > Email. A PA-7000 Series firewall cannot forward logs to Panorama; you must forward the logs directly from the firewall to external servers.
Config
HIP Match
Traffic
Threat
WildFire
Correlation
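The Views (V3 only) setting above pairs an OID with a hexadecimal mask and an include or exclude option. The following added example (not part of the original documentation) evaluates a view group under the standard VACM matching rules of RFC 3415, which this page does not spell out and which are assumed here to apply; the view names and OIDs are constructed.

```python
# Added example: SNMPv3 view evaluation under the standard VACM rules (RFC 3415).
# Assumption: the appliance follows these rules; view names and OIDs are constructed.

def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

def mask_bits(mask_hex, length):
    """One bit per sub-identifier, most significant bit first.
    1 = must match exactly, 0 = wildcard; positions past the mask default to 1."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    raw = bytes.fromhex(digits)
    bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    return (bits + [1] * length)[:length]

def family_matches(oid, subtree, mask_hex):
    """True if oid falls in the view family defined by subtree and mask."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(b == 0 or o == s for o, s, b in zip(oid, subtree, bits))

def is_accessible(oid_text, views):
    """views: iterable of (view name, OID, 'include' or 'exclude', hex mask)."""
    oid, best = parse_oid(oid_text), None
    for _name, subtree_text, option, mask_hex in views:
        subtree = parse_oid(subtree_text)
        if family_matches(oid, subtree, mask_hex):
            key = (len(subtree), subtree)  # longest subtree wins, then greatest OID
            if best is None or key > best[0]:
                best = (key, option)
    return best is not None and best[1] == "include"  # no match means no access

# Constructed view group: system subtree minus sysContact, plus one ifTable row.
VIEWS = [
    ("system",       "1.3.6.1.2.1.1",         "include", "0xfe"),
    ("hide-contact", "1.3.6.1.2.1.1.4",       "exclude", "0xff"),
    ("if-row-2",     "1.3.6.1.2.1.2.2.1.0.2", "include", "0xffa0"),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.4.0",
                "1.3.6.1.2.1.2.2.1.2.2", "1.3.6.1.2.1.2.2.1.2.3"):
        print(oid, is_accessible(oid, VIEWS))
```

Under these rules, a mask of 0xf0 on a six-element OID such as 1.3.6.1.2.1 pins only the first four sub-identifiers, so the view also matches OIDs under 1.3.6.1.4.1. Review each mask bit by bit before assigning the view group to a user.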
View Collector Group Information
Select Panorama > Collector Groups to display the following information for Collector Groups. Additional fields are visible when you Configure a Collector Group.
Collector Group Information Description
Name A name that identifies the Collector Group.
Redundancy Enabled Indicates whether log redundancy is enabled for the Collector Group. You can enable log redundancy for a collector group when you modify or Configure a Collector Group.
Collectors The Log Collectors assigned to the Collector Group.
Redistribution State Certain actions (for example, enabling log redundancy) will cause the Collector Group to redistribute the logs among its Log Collectors. This column indicates the completion status of the redistribution process as a percentage.
