Panorama > Log Settings

Use the Log Settings page to forward the following log types to external services:
  • System, Configuration, User-ID, and Correlation logs that the Panorama management server (M-Series appliance or Panorama virtual appliance in Panorama mode) generates locally.
  • Logs of all types that the Panorama virtual appliance in Legacy mode generates locally or collects from firewalls.
    For the logs that firewalls send to Log Collectors, complete the Log Collector Configuration to enable forwarding to external services.
Before starting, you must define server profiles for the external services (see Device > Server Profiles > SNMP Trap, Device > Server Profiles > Syslog, Device > Server Profiles > Email, and Device > Server Profiles > HTTP). Then Add one or more match list profiles and configure the settings as described in the following table.
Match List Profile Settings
Enter a name (up to 31 characters) to identify the match list profile.
By default, Panorama forwards All Logs of the type for which you are adding the match list profile. To forward a subset of the logs, open the drop-down and select an existing filter or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
  • Connector—Select the connector logic (and/or) for the query. Select Negate if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted Zone in the Value column.
  • Attribute—Select a log attribute. The options depend on the log type.
  • Operator—Select the criterion to determine whether the attribute applies (such as equal). The available options depend on the log type.
  • Value—Specify the attribute value for the query to match.
To display or export the logs that the filter matches, select View Filtered Logs. This tab provides the same options as the Monitoring tab pages (such as Monitoring > Logs > Traffic).
Enter a description of up to 1,024 characters to explain the purpose of this match list profile.
Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).
Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).
Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).
Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).
Built-in Actions
All log types except System logs and Configuration logs allow you to configure actions.
  • Add an action and enter a name to describe it.
  • Select the IP address you want to tag—Source Address or Destination Address.
  • Select the action—Add Tag or Remove Tag.
  • Select whether to distribute the tag to the local User-ID agent on this device, or to a remote User-ID Agent.
  • To distribute tags to a Remote device User-ID Agent, select the HTTP server profile that will enable forwarding.
  • Configure the IP-Tag Timeout to set, in minutes, the amount of time that the IP address-to-tag mapping is maintained. Setting the timeout to 0 means that the IP-Tag mapping does not time out (range is 0 to 43200 minutes, which is 30 days; default is 0).
    You can only configure a timeout with the Add Tag action.
  • Enter or select the Tags you want to apply to or remove from the target source or destination IP address. In Correlation logs and HIP Match logs, you can tag only the source IP address.
