An M-Series appliance in Panorama mode and a Panorama virtual appliance can both manage Dedicated Log Collectors (M-Series appliances in Log Collector mode). An M-Series appliance in Panorama mode also has a default (local) Log Collector to process the logs it receives directly from firewalls. (A Panorama virtual appliance processes the logs it receives directly from firewalls without using a local Log Collector.) To use Panorama for managing a Dedicated Log Collector, you must add it as a managed collector . The predefined managed collector named default is local to the M-Series appliance in Panorama mode.
What do you want to do? See:
Display Log Collector information View Log Collector Information
Add, edit, or delete a Log Collector Configure a Log Collector
Update Panorama software on a Log Collector Install a Software Update on a Log Collector
Looking for more? Centralized Logging and Reporting
Configure a Managed Collector
View Log Collector Information
Select Panorama > Managed Collectors to display the following information for Log Collectors. Additional parameters are visible when you Configure a Log Collector.
Log Collector Information Description
Collector Name The name that identifies this Log Collector. This name displays as the Log Collector hostname.
Collector Serial Number The serial number of the M-Series appliance that functions as the Log Collector.
Software Version The Panorama software release installed on the Log Collector.
IP Address The IP address of the management interface on the Log Collector.
Connected The status of the connection between the Log Collector and Panorama.
Configuration Status/Detail Indicates whether the configuration on the Log Collector is synchronized with Panorama.
Run Time Status/Detail The status of the connection between this and other Log Collectors in the Collector Group.
Redistribution State Certain actions (for example, adding disks) will cause the Log Collector to redistribute the logs among its disk pairs. This column indicates the completion status of the redistribution process as a percentage.
Last Commit State Indicates whether the last Collector Group commit performed on the Log Collector failed or succeeded.
Statistics After you Configure a Log Collector, click Statistics to view disk information, CPU performance, and the average log rate (logs/second). To better understand the log range you are reviewing, you can also view information on the oldest log that the Log Collector received.
Configure a Log Collector
To configure a Log Collector , click Add and define the settings as follows.
What do you want to know? See:
Identify the Log Collector and define its connections to the Panorama management server, DNS servers, and NTP servers. Define General Log Collector Settings
Configure access to the Log Collector CLI. Define Log Collector CLI Authentication Settings
Configure the interfaces that the Log Collector uses. Define Log Collector Management, Eth1, and Eth2 Interface Settings
Configure the RAID disks that store logs collected from firewalls. Define Log Collector RAID Disk Settings
Define General Log Collector Settings
Complete the following field to identify a Log Collector and define its connections to the Panorama management server, DNS servers, and NTP servers.
Log Collector General Setting Description
Collector S/N Enter the serial number of the M-Series appliance that functions as the Log Collector. This field is required.
Collector Name Enter a name to identify this Log Collector (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. This name displays as the Log Collector hostname.
Device Log Collection Select the interface to use for firewall log collection. By default, the management (MGT) interface performs this function. To select Eth1 or Eth2, you must first enable those interfaces on the Panorama management server (for details, see Device > Setup > Management, Eth1/Eth2 Interface Settings).
Collector Group Communication Select the interface to use for communication within Collector Groups. By default, the MGT interface performs this function. To select Eth1 or Eth2, you must first enable those interfaces on the Panorama management server (for details, see Device > Setup > Management, Eth1/Eth2 Interface Settings).
Certificate for Secure Syslog Select a certificate for secure forwarding of syslogs to an external Syslog server. The certificate must have the Certificate for Secure Syslog option selected (see Manage Firewall and Panorama Certificates). When you assign a Syslog server profile to the Collector Group that includes this Log Collector (see Panorama > Collector Groups, Panorama > Collector Groups > Collector Log Forwarding), the Transport protocol of the server profile must be SSL (see Device > Server Profiles > Syslog).
Panorama Server IP Specify the IP address of the Panorama management server that manages this Log Collector.
Panorama Server IP 2 Specify the IP address of the secondary peer if the Panorama management server is deployed in a high availability (HA) configuration.
Domain Enter the domain name of the Log Collector.
Primary DNS Server Enter the IP address of the primary DNS server. The Log Collector uses this server for DNS queries (for example, to find the Panorama management server).
Secondary DNS Server (Optional) Enter the IP address a secondary DNS server to use if the primary server is unavailable.
Primary NTP Server Enter the IP address or host name of the primary NTP server, if any. If you do not use NTP servers, you can set the Log Collector time manually.
Secondary NTP Server (Optional) Enter the IP address or host name of secondary NTP servers to use if the primary server is unavailable.
Timezone Select the time zone of the Log Collector.
Latitude Enter the latitude (-90.0 to 90.0) of the Log Collector. Traffic and threat maps use the latitude for App Scope.
Longitude Enter the longitude (-180.0 to 180.0) of the Log Collector. Traffic and threat maps use the longitude for App Scope.
Define Log Collector CLI Authentication Settings
An M-Series appliance in Log Collector mode (Dedicated Log Collector) has no web interface, only a CLI. You can use an M-Series appliance in Panorama mode to configure most settings on a Dedicated Log Collector but some settings require CLI access. To configure authentication settings for CLI access, configure the following fields.
Log Collector Authentication Setting Description
Users This field will always show admin and is used for the local CLI login name on the Log Collector.
Mode Select the password Mode: Password —Enter a plaintext Password and Confirm Password. Password Hash —Enter a hashed password string. This can be useful if, for example, you want to reuse the password of an existing Unix account but do not know the plaintext password, only the hashed password. Panorama accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. The operational CLI command request password-hash password <password> uses the MD5 algorithm. When you commit your changes, Panorama pushes the hash value to the Log Collector and the administrator password will be the specified <password> .
Failed Attempts Enter the number of failed login attempts (1-10) that are allowed for the CLI before locking out the administrator account. The default 0 specifies unlimited login attempts. Limiting login attempts can help protect the Log Collector from brute force attacks. If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out. If you use the default 0 for both fields, the user is never locked out.
Lockout Time Enter the number of minutes (0-60) for which the Log Collector locks out the administrator out after reaching the number of Failed Attempts. If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out. If you use the default 0 for both fields, the user is never locked out.
Define Log Collector Management, Eth1, and Eth2 Interface Settings
Log Collectors use the Management (MGT) interface for management and configuration traffic. By default, Log Collectors also use MGT for log collection and communication within Collector Groups, though you can assign those functions to the Ethernet 1 ( Eth1) and Ethernet 2 ( Eth2) interfaces. If you assign Eth1 or Eth2, it is a best practice to define a separate subnet for the MGT interface that is more private than the Eth1 or Eth2 subnets. Eth1 and Eth2 are available only if you configured them for the Panorama management server (see Device > Setup > Management).
To configure the interfaces, complete the fields in the Management, Eth1, and Eth2 tabs.
To complete the configuration of the MGT interface, you must specify the IP address, netmask or prefix length, and default gateway. If you commit a partial configuration (for example, you might omit the default gateway), you can only access the M-Series appliance through the console port for future configuration changes. It is recommended that you commit a complete configuration. You cannot commit the Eth1 or Eth2 configuration unless you specify the IP address, netmask or prefix length, and default gateway.
Log Collector Management, Eth1, or Eth2 Interface Setting Description
Eth1 / Eth2 ( Eth1 and Eth2 interfaces only ) Select this option to enable the interface. The MGT interface is enabled by default.
Speed and Duplex Select the interface speed in Mbps (10, 100, or 1000) and the interface transmission mode (full-duplex [Full], half-duplex ([Half], or negotiated automatically [Auto]).
IP Address Assign an IPv4 address to the interface if your network uses IPv4.
Netmask Enter a network mask (for example, 255.255.255.0) if you assigned an IPv4 address to the interface.
Default Gateway Assign an IPv4 address to the default router if the interface has an IPv4 address. The router and interface must be on the same subnet.
IPv6 Address/Prefix Length Assign an IPv6 address to the interface if your network uses IPv6. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).
IPv6 Default Gateway Assign an the IPv6 address to the default router if the interface has an IPv6 address. The router and interface must be on the same subnet.
MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576–1,500; default is 1,500).
SSH ( MGT interface only ) Select this option to enable SSH on the MGT interface.
SNMP ( MGT interface only ) Select this option to enable Simple Network Managed Protocol (SNMP) on the MGT interface. This is required to use SNMP to monitor Log Collector statistics.
Ping Select this option to enable Ping on the interface.
Permitted IP Addresses Add the IP addresses from which administrators can manage this interface. By default, if you don’t add any, administrators can use any IP address.
Define Log Collector RAID Disk Settings
To increase log storage capacity , Add one or more disk pairs.
By default, the M-Series appliance is shipped with the first RAID 1 disk pair enabled and installed in bays A1/A2. You can add up to three more disk pairs in bays B1/B2, C1/C2, and D1/D2. In the software, the disk pair in bays A1/A2 is named Disk Pair A.
After you add disk pairs, the Log Collector redistributes its existing logs across all the disks, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Managed Collectors page, the Redistribution State column indicates the completion status of the process as a percentage.
Install a Software Update on a Log Collector
To install a software image on a an M-Series appliance in Log Collector mode, download or upload the image to Panorama (see Panorama > Device Deployment), click Install and complete the following fields.
You can also use the Panorama > Device Deployment > Software pages to install updates on Log Collectors (see Manage Software and Content Updates).
Field for Installing a Software Update on a Log Collector Description
File Select a downloaded or uploaded software image.
Devices Select the Log Collectors on which to install the software. The dialog displays the following information for each Log Collector: Device Name —The name of the M-Series appliance in Log Collector mode. Current Version —The Panorama software release currently installed on the Log Collector. HA Status —This column does not apply to Log Collectors. Dedicated Log Collectors do not support high availability.
Filter Selected To display only specific Log Collectors, select the Log Collectors and Filter Selected.
Upload only to device (do not Install) Select this option to upload the software to the Log Collector without automatically rebooting it. The image is not installed until you manually reboot by logging into the Log Collector CLI and running the request restart system operational command.
Reboot device after Install Select this option to upload and automatically install the software. The installation process reboots the Log Collector.

Related Documentation