Ingest Traps ESM Logs on Panorama

Visibility is a critical first step in preventing and reducing the impact of an attack. To help you meet this challenge, Panorama provides an integrated view of firewall logs (events on the network) and Traps™ ESM Server logs (security events on the endpoints) so that you can trace any suspicious or malicious activity.
For awareness and context on the events observed on the network and on your endpoints, forward security events that the Traps agents report to the ESM Server on to Panorama. Panorama can serve as a Syslog receiver that ingests these logs from the Traps ESM components using Syslog over TCP, UDP, or SSL. Then, Panorama can correlate discrete security events that occur on the endpoints with what’s happening on the network and generate match evidence. This evidence gives you more context on the chronology and flow of events to investigate issues and fix security gaps in your network.
  1. Define the log ingestion profile on Panorama and attach it to a Collector Group.
    A Panorama virtual appliance in legacy mode cannot ingest Traps logs.
    1. Select Log Ingestion Profile and add a new profile.
    2. Enter a name for the profile.
    3. Add an ESM Server and enter its details. You can add up to four ESM Servers to a profile.
      1. Enter a Source Name.
      2. Specify the port on which Panorama will listen for syslog messages. The range is 23000 to 23999.
      3. Select the transport layer protocol: TCP, UDP, or SSL.
      4. Select Traps_ESM as the External Log type and select your Traps ESM version (for example, for Traps ESM 4.0 or 4.1, select the entry that matches that release). As Traps log formats are updated, the updated log definitions become available through content updates on Panorama.
    4. Select Collector Groups, open the Collector Group, and under Log Ingestion attach the log ingestion profile so that the Collector Group can receive logs from the ESM Server(s) listed in the profile.
      If you are enabling SSL for secure syslog communication between Panorama and the ESM Server(s), you must attach a certificate to the Managed Collectors that belong to the Collector Group (select Managed Collectors, edit each collector, and select the certificate to use as the Inbound Certificate for Secure Syslog).
    5. Commit the changes to Panorama and the Collector Group.
  2. Configure Panorama as a Syslog receiver on the ESM Server.
    Traps ESM 4.0 and later releases support log forwarding to both an external syslog receiver and Panorama. Because earlier Traps ESM releases do not support log forwarding to multiple syslog receivers, you must configure Panorama as the syslog receiver in the external logging settings (for Traps ESM 3.4, see Enable Log Forwarding to an External Logging Platform).
    For Traps ESM 4.0 and later releases:
    1. From the ESM Console, select Enable log forwarding to Panorama.
    2. Enter the Panorama hostname or IP address as the Panorama Server and the Panorama Server Port on which Panorama is listening. Repeat this step for an optional Panorama Failover Server.
    3. Select the transport layer Communication Protocol: TCP, TCP with SSL, or UDP. If you select TCP with SSL, the ESM Server requires a server certificate to enable client authentication.
      From Panorama, export the root CA certificate for the Inbound Certificate for Secure Syslog and import it into the trusted root certificate store of the host on which the ESM Server is installed.
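A pre-flight check for this step, run on the Windows host where the ESM Server is installed. This is an added example, not part of the Palo Alto Networks documentation: it imports the root CA exported from Panorama into the machine's trusted root store, verifies the import, and confirms that the configured Panorama port is inside the permitted listener range and reachable over TCP. The Panorama hostname, port and certificate file path are assumed values.

```powershell
# Added example (not from the vendor documentation). Run in an elevated
# PowerShell session on the host where the ESM Server is installed.
# The three values below are assumptions; adjust them to your environment.
$PanoramaServer = 'panorama.example.internal'             # assumed hostname
$PanoramaPort   = 23514                                    # assumed; must be 23000-23999
$RootCaPath     = 'C:\Temp\panorama-syslog-root-ca.cer'    # assumed export path

# 1. The Panorama log ingestion profile only accepts listener ports 23000-23999.
if ($PanoramaPort -lt 23000 -or $PanoramaPort -gt 23999) {
    throw "Port $PanoramaPort is outside the Panorama log ingestion range 23000-23999."
}

# 2. Import the root CA of the Inbound Certificate for Secure Syslog into the
#    machine-wide Trusted Root store, so the ESM Server can validate the
#    collector's certificate during the TCP with SSL handshake.
$imported = Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported root CA: $($imported.Subject) (thumbprint $($imported.Thumbprint))"

# 3. Confirm the certificate is now present in the store by thumbprint.
$present = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $present) {
    throw 'Root CA was not found in Cert:\LocalMachine\Root after import.'
}

# 4. Confirm that a TCP listener answers on the Panorama port before enabling
#    forwarding in the ESM Console (this check does not apply to UDP forwarding).
$conn = Test-NetConnection -ComputerName $PanoramaServer -Port $PanoramaPort -WarningAction SilentlyContinue
if (-not $conn.TcpTestSucceeded) {
    throw "No TCP listener reachable at ${PanoramaServer}:$PanoramaPort; check the Collector Group commit and the network path."
}
Write-Host "TCP connectivity to ${PanoramaServer}:$PanoramaPort confirmed."
```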
  3. View ESM logs and correlated events.
    1. Select External Logs > Traps ESM to view the logs ingested into Panorama.
    2. Select Automated Correlation Engine > Correlated Events and filter on the Wildfire and Traps ESM Correlated C2 correlation object name to find correlated events. Panorama generates a correlated event when a host on your network exhibits command-and-control activity that matches the behavior observed for a malicious file in the WildFire virtual environment. This correlated event alerts you to suspicious activity that a Traps agent and the firewall have observed from one or more infected hosts on your network.