Collector Group Configuration
To configure a Collector Group, click Add and complete the following fields.
Collector Group Settings
Enter a name to identify this Collector Group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Indicates the total storage quota for firewall logs that the Collector Group receives and the available space.
Click the storage quota link to set the storage Quota (%) and expiration period (Max Days) for each of the log types listed.
To use the default settings, click
Min Retention Period (days)
Enter the minimum log retention period in days (1–2,000) that Panorama maintains across all Log Collectors in the Collector Group. If the age of the oldest log (the current date minus the date of that log) is less than the defined minimum retention period, Panorama generates a System log to alert you to the violation.
Collector Group Members
Add the Log Collectors that will be part of this Collector Group (up to 16). You can add any of the Log Collectors that Panorama already manages. All the Log Collectors in any particular Collector Group must be the same model: all M-100 appliances, all M-500 appliances, or all Panorama virtual appliances.
After you add Log Collectors to an existing Collector Group, Panorama redistributes the existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. The Log Redistribution State column on the page that lists the Log Collectors indicates the completion status of the process as a percentage.
Enable log redundancy across collectors
If you select this option, each log in the Collector Group will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can see all the logs forwarded to the Collector Group and run reports for all the log data. Log redundancy is available only if the Collector Group has multiple Log Collectors and each Log Collector has the same number of disks.
After you enable redundancy, Panorama redistributes the existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. The Log Redistribution State column on the page that lists the Log Collectors indicates the completion status of the process as a percentage. All the Log Collectors in any particular Collector Group must be the same model: all M-100 appliances, all M-500 appliances, or all Panorama virtual appliances.
Because enabling redundancy stores two copies of every log, this configuration requires more storage capacity. It also doubles the log processing traffic in the Collector Group, which halves the maximum logging rate, because each Log Collector must forward a copy of each log it receives to another Log Collector. (When a Collector Group runs out of space, it deletes older logs.)
Forward to all collectors in the preference list
(PA-5200 Series and PA-7000 Series firewalls only) Select to send logs to every Log Collector in the preference list. Panorama uses round-robin load balancing to select which Log Collector receives the logs at any given moment. This option is disabled by default: firewalls send logs only to the first Log Collector in the list unless that Log Collector becomes unavailable (see Devices / Collectors).
Enable Secure Inter LC Communication
Enables the use of custom certificates for mutual SSL authentication between Log Collectors in a Collector Group.
Specify the location of the Collector Group.
Specify an email contact (for example, the email address of the SNMP administrator who will monitor the Log Collectors).
Specify the SNMP version for communication with the Panorama management server:
SNMP enables you to collect information about Log Collectors, including connection status, disk drive statistics, software version, average CPU usage, average logs/second, and storage duration per log type. SNMP information is available on a per Collector Group basis.
SNMP Community String
Enter the SNMP community string, which identifies a community of SNMP managers and monitored devices (Log Collectors, in this case) and serves as a password to authenticate the community members to each other.
Don’t use the default community string, public; it is well known and therefore not secure. Treat the string you choose as a shared secret: SNMPv2c transmits it in clear text, so it is only as confidential as the network path between the SNMP manager and the Log Collectors.
Add a group of SNMP views and, in Views, enter a name for the group.
Each view pairs an object identifier (OID) with a bitwise mask: the OID specifies a subtree of the management information base (MIB), and the mask (in hexadecimal format) specifies which sub-identifiers of that OID must match when deciding whether an SNMP object belongs to the subtree (a 1 bit requires an exact match, a 0 bit is a wildcard). The view's include/exclude setting then determines whether the objects that match are accessible (include matching) or inaccessible (exclude matching).
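To make the OID-plus-mask rule concrete, the following is an added example (not Panorama code, not from this guide) that evaluates a view group the way SNMPv3 VACM (RFC 3415) defines it: each entry is a subtree OID, a hex mask whose bits mark which sub-identifiers must match, and an include or exclude type; the most specific covering entry decides access. It assumes Panorama's views follow those standard semantics. The view entries and the probed OIDs are constructed for illustration: the demo view exposes mib-2, hides the whole ifTable, then re-exposes only the ifTable row for ifIndex 3 by wildcarding the column sub-identifier with the mask FFA0.

```python
"""SNMP view-family matching (RFC 3415 VACM semantics) for OID + hex-mask views.

Added example, not Panorama code. Assumes the Collector Group's SNMP views use
standard VACM semantics: subtree OID, hex mask (1 = must match, 0 = wildcard,
missing bits extend as 1s), and an include/exclude type. DEMO_VIEW is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[int, ...]   # OID of the subtree, e.g. (1, 3, 6, 1, 2, 1)
    mask: bytes                # bit mask decoded from the hex string; empty = all ones
    include: bool              # True = include matching, False = exclude matching


def parse_oid(text: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1' or '.1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def view_entry(oid: str, mask_hex: str, include: bool) -> ViewEntry:
    """Build an entry from the OID and hex mask as they would be typed into the view."""
    return ViewEntry(parse_oid(oid), bytes.fromhex(mask_hex), include)


def mask_bits(mask: bytes, n: int) -> List[int]:
    """Expand the mask to exactly n bits, most significant bit of each octet first.
    A mask shorter than the subtree is padded with 1s (exact match), so an empty
    mask means every sub-identifier of the subtree must match."""
    bits = [(octet >> shift) & 1 for octet in mask for shift in range(7, -1, -1)]
    return bits[:n] + [1] * max(0, n - len(bits))


def entry_covers(entry: ViewEntry, oid: Tuple[int, ...]) -> bool:
    """True if oid lies in the family of subtrees described by (subtree, mask)."""
    if len(oid) < len(entry.subtree):
        return False                      # must be at least as deep as the subtree
    bits = mask_bits(entry.mask, len(entry.subtree))
    for want, must_match, have in zip(entry.subtree, bits, oid):
        if must_match and want != have:
            return False
    return True


def oid_accessible(view: List[ViewEntry], oid: Tuple[int, ...]) -> bool:
    """VACM decision: among covering entries pick the longest subtree (ties broken
    by the lexicographically greatest subtree) and apply its include/exclude type.
    An OID covered by no entry is not accessible."""
    covering = [e for e in view if entry_covers(e, oid)]
    if not covering:
        return False
    best = max(covering, key=lambda e: (len(e.subtree), e.subtree))
    return best.include


# Constructed demo view. The row subtree 1.3.6.1.2.1.2.2.1.<column>.3 has 11
# sub-identifiers; mask FFA0 = 1111 1111 1010 0000 keeps bits 1-9 and 11 as
# "must match" and makes bit 10 (the column) a wildcard, so every column of the
# ifTable row with ifIndex 3 is re-included while the rest of ifTable stays hidden.
DEMO_VIEW = [
    view_entry("1.3.6.1.2.1", "", True),              # include mib-2
    view_entry("1.3.6.1.2.1.2.2", "", False),         # exclude ifTable
    view_entry("1.3.6.1.2.1.2.2.1.10.3", "FFA0", True),  # include only ifIndex 3 row
]


def accessible(oid_text: str) -> bool:
    """Convenience wrapper: evaluate a dotted OID against DEMO_VIEW."""
    return oid_accessible(DEMO_VIEW, parse_oid(oid_text))


if __name__ == "__main__":
    for probe in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.2.1.10.1",
                  "1.3.6.1.2.1.2.2.1.16.3", "1.3.6.1.4.1"):
        print(probe, "accessible" if accessible(probe) else "denied")
```

The wildcard is what makes the mask worth the hex arithmetic: without it you would need one include entry per ifTable column to expose a single interface's counters. When auditing an existing view group, run each sensitive OID through a check like this rather than reading the entries by eye; the longest-match rule means an include deep in the tree silently overrides a broader exclude.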
For each view in the group, Add the following settings:
Add the following settings for each SNMP user:
Devices / Collectors
Device Log Forwarding
The log forwarding preference list controls which firewalls forward logs to which Log Collectors. For each entry that you Add to the list, Modify the Devices list to assign one or more firewalls and Add one or more Log Collectors in the Collectors list.
By default, the firewalls you assign in a list entry will send logs only to the primary (first) Log Collector as long as it is available. If the primary Log Collector fails, the firewalls send logs to the secondary Log Collector. If the secondary fails, the firewalls send logs to the tertiary Log Collector, and so on. To change the order, select a Log Collector and click
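The two forwarding behaviours described on this page, the default primary/secondary/tertiary failover above and the round-robin distribution enabled by Forward to all collectors in the preference list (PA-5200 Series and PA-7000 Series only), are modelled below in an added example that is not Panorama code or part of this guide. The page states only that round robin is used; the detail that rotation skips unavailable Log Collectors and resumes from where it stopped is an assumption made for the model, and the collector names and availability timeline are constructed.

```python
"""Log forwarding preference list: failover order vs round-robin distribution.

Added example, not Panorama code. Models what the configuration text states:
by default a firewall sends each log to the first available Log Collector in
preference order; with "Forward to all collectors in the preference list" it
distributes logs round-robin. Skipping unavailable collectors and resuming the
rotation where it stopped is an assumption. Names and timeline are constructed.
"""
from typing import Iterable, List, Optional, Sequence, Set


def select_failover(preference: Sequence[str], available: Set[str]) -> Optional[str]:
    """Default behaviour: the first Log Collector in preference order that is up,
    so the primary is used whenever it is reachable, then secondary, then tertiary."""
    return next((lc for lc in preference if lc in available), None)


class RoundRobinForwarder:
    """'Forward to all collectors' behaviour: rotate through the preference list,
    skip Log Collectors that are down, and remember where the rotation stopped."""

    def __init__(self, preference: Sequence[str]):
        self.preference = list(preference)
        self._next = 0          # index of the collector to try first for the next log

    def select(self, available: Set[str]) -> Optional[str]:
        n = len(self.preference)
        for step in range(n):
            idx = (self._next + step) % n
            if self.preference[idx] in available:
                self._next = (idx + 1) % n
                return self.preference[idx]
        return None             # every Log Collector in the list is unavailable


def simulate(preference: Sequence[str], forward_to_all: bool,
             availability_per_log: Iterable[Set[str]]) -> List[Optional[str]]:
    """Return the Log Collector chosen for each successive log, given the set of
    collectors that were reachable at the moment that log was sent."""
    rr = RoundRobinForwarder(preference)
    chosen: List[Optional[str]] = []
    for available in availability_per_log:
        if forward_to_all:
            chosen.append(rr.select(available))
        else:
            chosen.append(select_failover(preference, available))
    return chosen


PREFERENCE = ["LC-primary", "LC-secondary", "LC-tertiary"]
ALL_UP = set(PREFERENCE)

# Constructed timeline: all up, primary fails, secondary also fails,
# complete outage, then everything comes back.
FAILOVER_TIMELINE = [
    ALL_UP,
    {"LC-secondary", "LC-tertiary"},
    {"LC-tertiary"},
    set(),
    ALL_UP,
]

# Constructed timeline for round robin: four logs with all collectors up,
# then two logs with the secondary down.
ROUND_ROBIN_TIMELINE = [ALL_UP] * 4 + [{"LC-primary", "LC-tertiary"}] * 2

if __name__ == "__main__":
    print("default failover:", simulate(PREFERENCE, False, FAILOVER_TIMELINE))
    print("forward to all:  ", simulate(PREFERENCE, True, ROUND_ROBIN_TIMELINE))
```

The difference matters for capacity planning and for incident response: under the default the secondary and tertiary Log Collectors receive nothing until the primary fails, so a search for a given firewall's logs starts at its primary; under round robin every Log Collector in the entry holds a share of every firewall's logs, and the total outage case (None above) is the situation the redundancy option and the minimum retention alert are there to surface.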
Collector Log Forwarding
For each type of firewall log that you want to forward from this Collector Group to external services, Add one or more match list profiles. The profiles specify which logs to forward and the destination servers. For each profile, complete the following:
View Filtered Logs. This tab provides the same options as the Monitoring tab pages (such as