Collector Group Configuration
To configure a Collector Group, click Add and complete the following fields.
Collector Group Settings
Enter a name to identify this Collector Group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Indicates the total storage quota for firewall logs that the Collector Group receives and the available space.
Click the storage quota link to set the storage Quota(%) and expiration period (Max Days) for the following log types:
To use the default settings, click Restore Defaults.
Min Retention Period (days)
Enter the minimum log retention period in days (1–2,000) that Panorama maintains across all Log Collectors in the Collector Group. If the current date minus the date of the oldest log is less than the defined minimum retention period, Panorama generates a System log as an alert violation.
Collector Group Members
Add the Log Collectors that will be part of this Collector Group (up to 16). You can add any of the Log Collectors that are available in the Panorama > Managed Collectors page. All the Log Collectors for any particular Collector Group must be the same model: for example, all M-500 appliances or all Panorama virtual appliances.
After you add Log Collectors to an existing Collector Group, Panorama redistributes its existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage.
Enable log redundancy across collectors
If you select this option, each log in the Collector Group will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can see all the logs forwarded to the Collector Group and run reports for all the log data. Log redundancy is available only if the Collector Group has multiple Log Collectors and each Log Collector has the same number of disks.
After you enable redundancy, Panorama redistributes the existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage. All the Log Collectors for any particular Collector Group must be the same model: for example, all M-500 appliances or all Panorama virtual appliances.
Because enabling redundancy creates more logs, this configuration requires more storage capacity. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives. (When a Collector Group runs out of space, it deletes older logs.)
Forward to all collectors in the preference list
(PA-5200 Series and PA-7000 Series firewalls only) Select to send logs to every Log Collector in the preference list. Panorama uses round-robin load balancing to select which Log Collector receives the logs at any given moment. This is disabled by default: firewalls send logs only to the first Log Collector in the list unless that Log Collector becomes unavailable (see Devices / Collectors).
Enable Secure Inter LC Communication
Enables the use of custom certificates for mutual SSL authentication between Log Collectors in a Collector Group.
Specify the location of the Collector Group.
Specify an email contact (for example, the email address of the SNMP administrator who will monitor the Log Collectors).
Specify the SNMP version for communication with the Panorama management server: V2c or V3.
SNMP enables you to collect information about Log Collectors, including connection status, disk drive statistics, software version, average CPU usage, average logs/second, and storage duration per log type. SNMP information is available on a per Collector Group basis.
SNMP Community String (V2c only)
Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices (Log Collectors, in this case), and serves as a password to authenticate the community members to each other.
Don’t use the default community string public; it is well known and therefore not secure.
Views (V3 only)
Add a group of SNMP views and, in Views, enter a name for the group.
Each view is a paired object identifier (OID) and bitwise mask: the OID specifies a management information base (MIB) and the mask (in hexadecimal format) specifies which SNMP objects are accessible within (include matching) or outside (exclude matching) that MIB.
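How an OID and mask pair decides access, as an added example (not Palo Alto Networks code). It assumes the standard SNMPv3 VACM matching rules of RFC 3415, which this page does not spell out; the function names, the `include`/`exclude` strings and the sample view are constructed for illustration.

```python
# Added example: SNMPv3 view matching, assuming standard VACM rules (RFC 3415).
from typing import List, Tuple

Oid = Tuple[int, ...]

def parse_oid(text: str) -> Oid:
    return tuple(int(part) for part in text.strip(".").split("."))

def mask_bits(mask_hex: str, length: int) -> List[bool]:
    """One flag per sub-identifier, most significant bit first.
    True = must match exactly, False = wildcard; missing bits default to True."""
    digits = mask_hex.lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    bits = [bool(b & (0x80 >> i)) for b in bytes.fromhex(digits) for i in range(8)]
    bits += [True] * (length - len(bits))
    return bits[:length]

def family_matches(oid: Oid, subtree: Oid, mask_hex: str) -> bool:
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(not exact or a == b for exact, a, b in zip(bits, oid, subtree))

def in_view(oid_text: str, view) -> bool:
    """The longest matching subtree decides; no match at all means no access."""
    oid, best = parse_oid(oid_text), None
    for subtree_text, mask_hex, option in view:
        subtree = parse_oid(subtree_text)
        if family_matches(oid, subtree, mask_hex):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, option)
    return best is not None and best[1] == "include"

# Constructed sample view (standard MIB-2 OIDs, not values from the page).
VIEW = [
    ("1.3.6.1.2.1", "0xfc", "include"),               # all of mib-2
    ("1.3.6.1.2.1.4", "0xfe", "exclude"),             # except the ip group
    ("1.3.6.1.2.1.2.2.1.0.5", "0xffa0", "exclude"),   # and every ifEntry column of row 5
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.4.1.0",
                "1.3.6.1.2.1.2.2.1.10.5", "1.3.6.1.2.1.2.2.1.10.6"):
        print(oid, "accessible" if in_view(oid, VIEW) else "denied")
```

Under these rules an all-zero mask such as `0x00` turns every position into a wildcard, so an include entry that carries it exposes any OID at least as long as its subtree. Check each mask against the length of its OID before committing the view.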
For each view in the group, Add the following settings:
Users (V3 only)
Add the following settings for each SNMP user:
Devices / Collectors
Panorama > Collector Groups > Device Log Forwarding
The log forwarding preference list controls which firewalls forward logs to which Log Collectors. For each entry that you Add to the list, Modify the Devices list to assign one or more firewalls and Add one or more Log Collectors in the Collectors list.
By default, the firewalls you assign in a list entry will send logs only to the primary (first) Log Collector as long as it is available. If the primary Log Collector fails, the firewalls send logs to the secondary Log Collector. If the secondary fails, the firewalls send logs to the tertiary Log Collector, and so on. To change the order, select a Log Collector and click Move Up or Move Down.
Panorama > Collector Groups > Collector Log Forwarding
For each type of firewall log that you want to forward from this Collector Group to external services, Add one or more match list profiles. The profiles specify which logs to forward and the destination servers. For each profile, complete the following:
Panorama > Collector Groups > Log Ingestion
Add one or more log ingestion profiles that allow Panorama to receive logs from the Traps ESM server. To configure a new log ingestion profile, see Panorama > Log Ingestion Profile.