End-of-Life (EoL)

Traps Log Ingestion on Panorama

Panorama can now serve as a Syslog receiver that can ingest logs from the Traps ESM components using Syslog over TCP, UDP, or SSL. When you forward security events that the Traps agents report to the ESM Server on to Panorama, Panorama correlates discrete security events that occur on the endpoints with what’s happening on the network to trace any suspicious or malicious activity across the endpoints and the firewalls. This integrated view gives you more context on the chronology of events and the evidence you need to detect, identify, and respond to an incident.
A Panorama virtual appliance in Legacy mode cannot ingest Traps logs.
  1. Define the log ingestion profile on Panorama.
    1. Select Panorama > Log Ingestion Profile, and click Add.
    2. Enter a Name for the profile.
    3. Click Add and enter the details for the ESM Server. You can add up to four ESM Servers to a profile.
    4. Enter a Source Name.
    5. Specify the Port on which Panorama will be listening for syslog messages. The range is 23000 to 23999.
    6. Select the Transport layer protocol: TCP, UDP, or SSL.
    7. Select Traps_ESM for External Log Type and 3.4.0+ from the Version drop-down.
    As Traps log formats are updated, the updated log definitions will be available through content updates on Panorama.
  2. Attach the log ingestion profile to a Collector Group.
    1. Select Panorama > Collector Groups > Log Ingestion and Add the log ingestion profile so that the Collector Group can receive logs from the ESM Server(s) listed in the profile.
      If you are enabling SSL for secure syslog communication between Panorama and the ESM Server(s), you must attach a certificate for secure Syslog communication between the ESM Servers and the Managed Collectors in the Collector Group. In Panorama > Managed Collectors > General, select the certificate to use for Inbound Certificate for Secure Syslog.
    2. Commit the changes to Panorama and the Collector Group.
  3. Configure Panorama as a Syslog receiver on the ESM Server. Enter the Syslog Port you specified in the log ingestion profile on Panorama.
    For details on the other forwarding settings, refer to the Traps Administrator’s Guide.
  4. View ESM logs and correlated events on Panorama.
    1. Select Monitor > External Logs > Traps ESM to view the logs ingested into Panorama.
    2. Select Monitor > Automated Correlation Engine > Correlated Events to view the correlated events that Panorama generates when a Traps agent and the firewall have both observed command-and-control activity from one or more infected hosts on your network.
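A pre-flight check for the procedure above, added here as an example that is not part of this guide or of Panorama: it validates the profile values the steps specify (listening port 23000 to 23999, transport TCP/UDP/SSL, at most four ESM Servers, a certificate when SSL is used) and sends one test syslog line to the Collector so you can confirm the listener is reachable before pointing the ESM Server at it. The RFC 5424 framing, the host names and the ca_file path are assumptions; a reachable port does not prove Panorama parses the line as a Traps_ESM event.

```python
"""Pre-flight check for a Traps log ingestion profile (added example, not Palo Alto code).
Checks the values the procedure specifies (listening port 23000-23999, transport
TCP/UDP/SSL, at most four ESM Servers, SSL needs an inbound certificate) and sends
one test line to the Collector. RFC 5424 framing is assumed; it only proves the
listener is reachable, not that Panorama parses it as a Traps_ESM event."""
import socket
import ssl
from datetime import datetime, timezone

PORT_RANGE = range(23000, 24000)   # ingestion profile listening-port range
TRANSPORTS = {"TCP", "UDP", "SSL"}
MAX_ESM_SERVERS = 4                # servers allowed in one profile


def validate_profile(port, transport, esm_servers, inbound_cert=None):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    if port not in PORT_RANGE:
        problems.append(f"port {port} is outside 23000-23999")
    if transport not in TRANSPORTS:
        problems.append(f"transport {transport!r} must be TCP, UDP or SSL")
    if not 1 <= len(esm_servers) <= MAX_ESM_SERVERS:
        problems.append(f"{len(esm_servers)} ESM Servers; a profile holds 1 to 4")
    if transport == "SSL" and not inbound_cert:
        problems.append("SSL needs an Inbound Certificate for Secure Syslog on the Managed Collector")
    return problems


def build_syslog_message(source_name, text):
    """RFC 5424 line with PRI 14 (user.info); hostname set to the profile's Source Name."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<14>1 {ts} {source_name} ingest-probe - - - {text}\n".encode()


def send_test_message(collector, port, transport, message, ca_file=None):
    """Deliver one message over the profile's transport; returns the byte count sent."""
    if transport == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            return sock.sendto(message, (collector, port))
    with socket.create_connection((collector, port), timeout=5) as sock:
        if transport == "SSL":
            # ca_file: CA that issued the Collector's inbound certificate (assumed path)
            ctx = ssl.create_default_context(cafile=ca_file)
            with ctx.wrap_socket(sock, server_hostname=collector) as tls:
                tls.sendall(message)
        else:
            sock.sendall(message)
    return len(message)
```

Run validate_profile first and, once it returns an empty list, call send_test_message with your Collector's address and the Source Name from the profile; the probe line should then be visible (or at least the connection logged) on the Collector side.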
