After you configure Log Collectors and firewalls, you must assign them to a Collector Group so that the firewalls can send logs to the Log Collectors. A Collector Group with multiple Log Collectors (the maximum is 16) has the following requirements:
All the Log Collectors in any particular Collector Group must be the same model, such as all M-100 appliances or all M-500 appliances. Log redundancy is available only if each Log Collector has the same number of logging disks. To add disks to a Log Collector, see Increase Storage on the M-Series Appliance.
Configure a Collector Group
Perform the following tasks before configuring the Collector Group. In these tasks, skip any steps that involve configuring or committing changes to the Collector Group; you will perform those steps later in this procedure.
Add a Firewall as a Managed Device for each firewall that you will assign to the Collector Group.
(Optional) Configure Log Forwarding from Panorama to External Destinations.
Configure a Managed Collector for each Log Collector (1 to 16) that you will assign to the Collector Group. You must manually add each Dedicated Log Collector (M-Series appliance in Log Collector mode); the M-Series appliance in Panorama mode has a predefined local Log Collector that you don't need to add. If you will use SNMP for monitoring, select the SNMP service when you configure the Management interface of each Log Collector. Using SNMP requires additional steps beyond configuring the Collector Group; for details, see Monitor Panorama and Log Collector Statistics Using SNMP.
Add the Collector Group. Access the Panorama web interface, select Panorama > Collector Groups, and Add a Collector Group or edit an existing one. The M-Series appliance in Panorama mode has a predefined Collector Group named default.
In the General tab, enter a Name for the Collector Group if you are adding one. You cannot rename an existing Collector Group.
Enter the Minimum Retention Period in days (1-2,000) for which the Collector Group will retain firewall logs.
(Optional) Enable log redundancy across collectors to ensure that no logs are lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have two copies, and each copy will reside on a different Log Collector. Redundancy is available only if each Log Collector has the same number of logging disks. Because every log is stored twice, enabling redundancy requires more storage capacity; when a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which halves its maximum logging rate, because each Log Collector must distribute a copy of each log it receives. If you add multiple Log Collectors to a single Collector Group, enabling redundancy is a best practice.
(Optional) Configure SNMP monitoring. Select the Monitoring tab, select the SNMP Version, and enter the corresponding details:
V2c: Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices (Log Collectors, in this case) and serves as a password to authenticate the community members to each other. Don't use the default community string public; it is well known and therefore not secure. Keep in mind that SNMPv2c carries the community string in cleartext in every request and provides no message integrity or encryption, so anyone who can observe traffic to the Management interface can read it; restrict which managers can reach that interface, and prefer V3 where your SNMP manager supports it.
V3: Create at least one SNMP view group and one user. User accounts and views provide authentication, privacy, and access control when Log Collectors forward traps and when SNMP managers get Log Collector statistics.
Views: Each view is a paired OID and bitwise mask. The OID names a MIB subtree, and the mask (in hexadecimal format) marks which sub-identifiers of that OID an object must match, as in the standard SNMP view model (RFC 3415): a mask bit of 1 means that sub-identifier must match exactly, and a bit of 0 makes it a wildcard. The matching Option determines whether the objects that match are accessible (include) or hidden (exclude). Click Add in the first list and enter a Name for the group of views. For each view in the group, click Add and configure the view Name, OID, matching Option (include or exclude), and Mask.
Users: Click Add in the second list, enter a username in the Users column, select the View group from the drop-down, enter the authentication password (Auth Password) used to authenticate to the SNMP manager, and enter the privacy password (Priv Password) used to encrypt SNMP messages to the SNMP manager.
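The view and mask settings decide which OIDs an SNMPv3 user can actually read, and it is easy to get an exclude wrong when masks are involved. The following Python is an added example, not code from the original page or from Palo Alto Networks: it evaluates a view group against candidate OIDs using the vacmViewTreeFamily rules of RFC 3415 (a mask bit of 1 means that sub-identifier must match, 0 wildcards it, bits past the end of the mask count as 1, and the most specific matching view, longest subtree then greatest mask, decides), which this example assumes the appliance follows. The view names, OIDs and masks are constructed for the demo; 1.3.6.1.4.1.25461 is the Palo Alto Networks enterprise subtree.

```python
"""SNMPv3 view matching for the OID + hex mask pairs on the Monitoring tab.

Added example for this page, not Palo Alto Networks code. It applies the
vacmViewTreeFamily rules of RFC 3415 (assumed to be what the appliance
implements): a mask bit of 1 means that sub-identifier must match, 0 makes it
a wildcard, bits past the end of the mask count as 1, and the most specific
matching view (longest subtree, then greatest mask) decides include/exclude.
The view group and candidate OIDs below are constructed for the demo."""

from dataclasses import dataclass


@dataclass(frozen=True)
class View:
    name: str
    oid: str        # subtree as typed in the OID field, e.g. "1.3.6.1.2.1"
    option: str     # matching Option: "include" or "exclude"
    mask: str = ""  # Mask field in hex, e.g. "0xffc0"; "" means every bit is 1


def parse_oid(oid: str) -> tuple:
    return tuple(int(part) for part in oid.strip(".").split("."))


def mask_bits(mask: str, length: int) -> list:
    """Expand a hex mask to one bit per sub-identifier of a subtree of `length`."""
    hexstr = mask.lower()
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    bits = []
    for ch in hexstr:                      # MSB of each nibble comes first
        nibble = int(ch, 16)
        bits.extend((nibble >> shift) & 1 for shift in (3, 2, 1, 0))
    bits.extend([1] * max(0, length - len(bits)))   # RFC 3415: missing bits are 1
    return bits[:length]


def family_matches(view: View, target: tuple) -> bool:
    subtree = parse_oid(view.oid)
    if len(target) < len(subtree):
        return False
    bits = mask_bits(view.mask, len(subtree))
    return all(bit == 0 or s == t for bit, s, t in zip(bits, subtree, target))


def is_accessible(views: list, oid: str) -> bool:
    """True if the most specific matching view includes `oid`; an OID that no
    view covers is denied, because the agent has no family to place it in."""
    target = parse_oid(oid)
    matching = [v for v in views if family_matches(v, target)]
    if not matching:
        return False
    best = max(matching, key=lambda v: (len(parse_oid(v.oid)),
                                        mask_bits(v.mask, len(parse_oid(v.oid)))))
    return best.option == "include"


# Constructed view group: expose MIB-2 and the Palo Alto Networks enterprise
# subtree (1.3.6.1.4.1.25461) to the monitoring user, but hide the IP group and
# interface MAC addresses. The mask 0xffc0 on the 11-element ifPhysAddress
# subtree wildcards the last sub-identifier (the ifIndex), so the exclude
# applies to every interface row, not only row 0.
SAMPLE_VIEWS = [
    View("mib2",    "1.3.6.1.2.1",           "include"),
    View("pan",     "1.3.6.1.4.1.25461",     "include"),
    View("no-ip",   "1.3.6.1.2.1.4",         "exclude"),
    View("no-macs", "1.3.6.1.2.1.2.2.1.6.0", "exclude", "0xffc0"),
]


def check_views(views: list, oids: list) -> dict:
    """Map each candidate OID to whether the view group lets a user read it."""
    return {oid: is_accessible(views, oid) for oid in oids}


if __name__ == "__main__":
    for oid, ok in check_views(SAMPLE_VIEWS, [
        "1.3.6.1.2.1.1.1.0",               # sysDescr
        "1.3.6.1.2.1.2.2.1.10.3",          # ifInOctets.3
        "1.3.6.1.2.1.2.2.1.6.3",           # ifPhysAddress.3
        "1.3.6.1.2.1.4.20.1.1.10.0.0.1",   # ipAdEntAddr
        "1.3.6.1.4.1.25461.2.1.2.1.1.0",   # under the PAN enterprise subtree
        "1.3.6.1.4.1.9.1.1",               # another vendor's subtree
    ]).items():
        print(f"{'allow' if ok else 'deny ':5} {oid}")
```

Run the candidate OIDs your SNMP manager will poll through check_views before committing the view group; an OID that comes back denied because no view covers it is the usual cause of a manager that authenticates fine but gets noSuchObject for everything.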
Assign Log Collectors and firewalls to the Collector Group. Select the Device Log Forwarding tab.
In the Collector Group Members section, Add the Log Collectors. All the Log Collectors in any particular Collector Group must be the same model: all M-100 appliances or all M-500 appliances.
In the Log Forwarding Preferences section, click Add. In the Devices section, click Modify, select the firewalls, and click OK. You cannot assign PA-7000 Series firewalls to a Collector Group; however, when you monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the firewall in real time to display its log data.
In the Collectors section, Add the Log Collectors to which the firewalls will forward logs. If you assign multiple Log Collectors, the first one is the primary; if the primary becomes unavailable, the firewalls send logs to the next Log Collector in the list. To change the priority of a Log Collector, select it and Move Up (higher priority) or Move Down (lower priority). Click OK.
Define the storage capacity (log quotas) and expiration period for each log type. Return to the General tab and click the Log Storage value. If the field displays 0MB, verify that you enabled the disk pairs for logging and committed the changes (see Configure a Managed Collector, Disks tab). Enter the log storage Quota(%) for each log type. Enter the Max Days (expiration period) for each log type (range is 1-2,000). By default, the fields are blank for all log types, which means the logs never expire.
( Optional ) Configure log forwarding from the Collector Group to external services. To perform this step, you must have added server profiles for the external services in the task Configure Log Forwarding from Panorama to External Destinations. In a high availability (HA) deployment, you can configure each Panorama HA peer to forward logs to different external services. For details, see Deploy Panorama with Default Log Collectors. Select the Collector Log Forwarding tab. For each log Severity level in the System, Threat, and Correlation tabs, click a cell in the SNMP Trap, Email Profile, or Syslog Profile column, and select the server profile. In the Config, HIP Match, and Traffic tabs, select the SNMP Trap, Email, or Syslog server profile. For each Verdict in the WildFire tab, click a cell in the SNMP Trap, Email Profile, or Syslog Profile column, and select the server profile. Click OK to save the Collector Group.
Commit the changes and verify that the Log Collectors you assigned to the Collector Group are connected to, and synchronized with, Panorama.
Click Commit, for the Commit Type select Panorama, and click Commit again.
Click Commit, for the Commit Type select Collector Group, select the Collector Group you added, and click Commit again.
Select Panorama > Managed Collectors. The Connected column displays a check mark icon to indicate that a Log Collector is connected to Panorama. The Configuration Status column indicates whether the configurations you committed to Panorama and the Log Collectors are synchronized (green icon) or are not synchronized (red icon) with each other. The Collector Group won't receive firewall logs until you Configure Log Forwarding to Panorama.
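The two commits above can also be driven over the Panorama XML API, which is how a Collector Group gets rebuilt by automation. The following Python is an added example, not code from the original page or from Palo Alto Networks: it issues the Panorama commit, waits for that job to finish, and only then issues the Collector Group commit and polls its job, so a failed Panorama commit is never followed by a push. Assumed, and to be checked against the XML API reference for your PAN-OS version: the request shapes (type=commit, type=commit with action=all, type=op, and the X-PAN-KEY header for the API key), the exact commit-all element for a Collector Group commit, and the job element layout returned by show jobs. The responses in FakePanorama are constructed so the flow runs offline; https_sender is the real transport.

```python
"""Commit-and-verify sequence for a Collector Group over the Panorama XML API.

Added example for this page, not Palo Alto Networks code. Assumed: the request
shapes (type=commit, type=commit&action=all, type=op, API key in X-PAN-KEY), the
<commit-all> element for a Collector Group commit, and the <job> layout of
"show jobs"; check them against the XML API reference for your PAN-OS version.
FakePanorama's responses are constructed so the flow runs offline."""

import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_panorama_commit() -> dict:
    return {"type": "commit", "cmd": "<commit></commit>"}      # commit to Panorama itself


def build_collector_group_commit(group: str) -> dict:
    cmd = ("<commit-all><log-collector-config><log-collector-group>"   # assumed form
           f"{escape(group)}</log-collector-group></log-collector-config></commit-all>")
    return {"type": "commit", "action": "all", "cmd": cmd}


def build_job_query(job_id: int) -> dict:
    return {"type": "op", "cmd": f"<show><jobs><id>{int(job_id)}</id></jobs></show>"}


def parse_response(xml_text: str) -> ET.Element:
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + " ".join("".join(root.itertext()).split()))
    return root


def parse_job_id(xml_text: str) -> int:
    return int(parse_response(xml_text).findtext("./result/job"))   # enqueued job number


def parse_job_state(xml_text: str) -> tuple:
    job = parse_response(xml_text).find("./result/job")
    return job.findtext("status"), job.findtext("result")   # ("ACT","PEND") or ("FIN","OK")


def wait_for_job(send, job_id: int, poll_seconds: float = 5, timeout: float = 900) -> bool:
    deadline = time.monotonic() + timeout
    while True:
        status, result = parse_job_state(send(build_job_query(job_id)))
        if status == "FIN":
            return result == "OK"
        if time.monotonic() >= deadline:
            raise TimeoutError(f"job {job_id} still {status} after {timeout}s")
        time.sleep(poll_seconds)


def commit_collector_group(send, group: str, poll_seconds: float = 5) -> tuple:
    """Panorama commit first, then the Collector Group commit, in the page's
    order; the push is skipped if the Panorama commit fails."""
    if not wait_for_job(send, parse_job_id(send(build_panorama_commit())), poll_seconds):
        return False, False
    cg_job = parse_job_id(send(build_collector_group_commit(group)))
    return True, wait_for_job(send, cg_job, poll_seconds)


def https_sender(host: str, api_key: str, ca_bundle: str = None):
    """Real transport: TLS verified (ca_bundle or system store), key sent as a header."""
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def send(params: dict) -> str:
        url = f"https://{host}/api/?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.read().decode("utf-8")
    return send


class FakePanorama:
    """Stand-in transport with constructed responses: each job reports ACT on
    the first poll and FIN/OK on the second."""
    ENQUEUED = ('<response status="success" code="19"><result><msg><line>Commit job '
                'enqueued with jobid {id}</line></msg><job>{id}</job></result></response>')
    JOB = ('<response status="success"><result><job><id>{id}</id><type>Commit</type>'
           '<status>{status}</status><result>{result}</result><progress>{progress}'
           '</progress></job></result></response>')

    def __init__(self):
        self.requests, self.next_job, self.polls = [], 40, {}

    def __call__(self, params: dict) -> str:
        self.requests.append(params)
        if params["type"] == "commit":
            self.next_job += 1
            self.polls[self.next_job] = 0
            return self.ENQUEUED.format(id=self.next_job)
        job_id = int(ET.fromstring(params["cmd"]).findtext("./jobs/id"))
        self.polls[job_id] += 1
        done = self.polls[job_id] >= 2
        return self.JOB.format(id=job_id, status="FIN" if done else "ACT",
                               result="OK" if done else "PEND", progress=100 if done else 55)


def demo(group: str = "default") -> tuple:
    """Run the sequence against FakePanorama; returns ((pano_ok, cg_ok), calls made)."""
    fake = FakePanorama()
    return commit_collector_group(fake, group, poll_seconds=0), len(fake.requests)


if __name__ == "__main__":
    print(demo())   # ((True, True), 6)
```

A FIN/OK result on the second job only means the push to the Collector Group succeeded; the Connected and Configuration Status columns under Panorama > Managed Collectors still have to be checked afterwards, exactly as in the last step above. Keep the API key out of the URL and out of source control; https_sender takes it as a parameter and sends it in a header for that reason.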