The following topics describe how to configure log collection in the most typical deployments.
The deployments in these topics all describe Panorama in a high availability (HA) configuration. Palo Alto Networks recommends HA because it enables automatic recovery, in case of server failure, of components that are not saved as part of configuration backups. In HA deployments, the Panorama management server supports only an active/passive configuration.
Plan a Log Collection Deployment
Panorama and Log Collectors
Decide which Panorama Platforms to use for the Panorama management server and Log Collectors based on the geographic distribution of managed firewalls, logging rate, and log retention requirements.
If you initially implement log collection using the default Log Collectors but later require more storage or higher logging rates than these support, you can switch to a deployment with Dedicated Log Collectors (M-Series appliances in Log Collector mode). You can also implement a hybrid deployment that includes both default and Dedicated Log Collectors. However, if you initially implement log collection using Dedicated Log Collectors, you will lose logs if you later switch to a deployment that involves only the default Log Collectors because of the reduced storage capacity.
If you deploy firewalls remotely, consider the bandwidth requirement for the connection between the firewalls and Panorama, in addition to whether Panorama supports the required logging rate. Deploying Dedicated Log Collectors close to the firewalls keeps the high-volume firewall-to-collector traffic on the local network, so log forwarding does not have to compete for WAN bandwidth.
The following table summarizes your choice of Log Collector when considering the rate at which it receives firewall logs.
Logging rate: up to 10,000 logs/second
Log Collector: depends on the Panorama management server.
  Virtual appliance—Panorama collects logs without any Log Collector. Panorama running on VMware vCloud Air or ESXi 5.5 and later versions can support a virtual disk of up to 8TB. Earlier versions of the ESXi server support a virtual disk of up to 2TB. You can add an NFS datastore for more than 8TB of storage.
  M-Series appliance—Local predefined (default) Log Collector. Each M-100 appliance can store up to 4TB of log data; each M-500 appliance can store up to 8TB of log data.

Logging rate: up to 30,000 logs/second
Log Collector: M-100 appliance in Log Collector mode. Each M-100 appliance can process up to 30,000 logs/second and store up to 4TB of log data.

Logging rate: up to 60,000 logs/second
Log Collector: M-500 appliance in Log Collector mode. Each M-500 appliance can process up to 60,000 logs/second and store up to 8TB of log data.
Collector Groups with Single or Multiple Log Collectors
You can configure a Collector Group with multiple Log Collectors to ensure log redundancy, increase the log retention period, or accommodate logging rates that exceed the capacity of a single Log Collector (see Panorama Platforms for capacity information). To understand the requirements, risks and recommended mitigations, see Caveats for a Collector Group with Multiple Log Collectors.
All the Log Collectors in any particular Collector Group must be the same model, such as all M-500 appliances or all M-100 appliances. Log redundancy is available only if each Log Collector has the same number of logging disks.
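The Log Collector table and the Collector Group caveats above come together in a sizing exercise: how many collectors of one model does a group need so that it sustains the logging rate and still meets a retention target, and what happens to retention when log redundancy stores every log twice? The following helper is an added example written for this page; it is not Palo Alto Networks code and does not query Panorama. The rate and storage ceilings are the table's figures; the 500-byte average log size, the decimal-terabyte convention, and the function and variable names are assumptions made for illustration.

```python
"""Sizing helper for a Panorama Collector Group (added example, not vendor code).

Rate and storage ceilings are the figures from the Log Collector table above.
The average log size and the decision logic are assumptions for illustration.
"""
import math
from dataclasses import dataclass

TB = 10**12             # assumption: decimal terabytes, as storage is quoted
SECONDS_PER_DAY = 86_400
ASSUMED_BYTES_PER_LOG = 500  # assumption: measure your own average log size


@dataclass(frozen=True)
class Platform:
    name: str
    max_logs_per_sec: int   # sustained ingest ceiling per appliance (table)
    storage_bytes: int      # log storage per appliance (table)


M100 = Platform("M-100 (Log Collector mode)", 30_000, 4 * TB)
M500 = Platform("M-500 (Log Collector mode)", 60_000, 8 * TB)


def wan_mbps(logs_per_sec: int, bytes_per_log: int) -> float:
    """Link bandwidth a remote firewall consumes forwarding at this rate."""
    return logs_per_sec * bytes_per_log * 8 / 1e6


def check_collector_group(models) -> None:
    """Every Log Collector in a Collector Group must be the same model."""
    distinct = sorted(set(models))
    if len(distinct) > 1:
        raise ValueError(f"mixed models in one Collector Group: {distinct}")


def retention_days(platform: Platform, count: int, logs_per_sec: int,
                   bytes_per_log: int, redundancy: bool) -> float:
    """Days of logs the group can hold; redundancy stores each log twice."""
    usable = platform.storage_bytes * count
    if redundancy:
        usable //= 2
    ingest_per_day = logs_per_sec * bytes_per_log * SECONDS_PER_DAY
    return usable / ingest_per_day


def size_collector_group(platform: Platform, logs_per_sec: int,
                         bytes_per_log: int, min_retention_days: float,
                         redundancy: bool = False) -> dict:
    """Smallest homogeneous group that meets both the rate and retention."""
    # Rate sets the floor: enough appliances to absorb the aggregate ingest.
    count = max(1, math.ceil(logs_per_sec / platform.max_logs_per_sec))
    if redundancy:
        count = max(count, 2)   # a log copy needs a second collector to live on
    # Retention then grows the group until the target is met.
    while retention_days(platform, count, logs_per_sec,
                         bytes_per_log, redundancy) < min_retention_days:
        count += 1
    check_collector_group([platform.name] * count)
    return {
        "platform": platform.name,
        "collectors": count,
        "redundant": redundancy,
        "retention_days": round(retention_days(platform, count, logs_per_sec,
                                               bytes_per_log, redundancy), 1),
        "wan_mbps_from_firewalls": wan_mbps(logs_per_sec, bytes_per_log),
    }


if __name__ == "__main__":
    # 100,000 logs/s exceeds a single M-500, so the rate alone forces two
    # collectors; a 30-day retention target drives the count much higher.
    print(size_collector_group(M500, 100_000, ASSUMED_BYTES_PER_LOG, 30))
    print(size_collector_group(M500, 100_000, ASSUMED_BYTES_PER_LOG, 3,
                               redundancy=True))
```

Run with your own measured average log size rather than the assumed 500 bytes; on busy firewalls the Traffic and Threat log mix changes the figure materially, and the retention estimate scales with it one to one. The redundancy branch shows the trade the caveats topic warns about: the same hardware holds half as many days of logs once every log has a copy on a second collector.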
Log Forwarding Options
By default, each firewall stores its log files locally. To use Panorama for centralized log monitoring and report generation, you must Configure Log Forwarding to Panorama. You can also Configure Log Forwarding from Panorama to External Destinations for archiving, notification, or analysis. When forwarding from Panorama, you can include the System and Config logs that Panorama and its Log Collectors generate. External services include syslog servers, email servers, or SNMP trap servers. The firewall, Panorama virtual appliance, or M-Series appliance that forwards the logs to external services converts the logs to the appropriate format (syslog message, email notification, or SNMP trap).
Palo Alto Networks firewalls and Panorama support the following log forwarding options:
Forward logs from firewalls to Panorama and from Panorama to external services—This configuration is best for deployments in which the connections between firewalls and external services have insufficient bandwidth to sustain the logging rate, which is often the case when the connections are remote. This configuration improves firewall performance by offloading some processing to Panorama.
You can configure each Collector Group to forward logs to different destinations.
Figure: Log Forwarding to Panorama and then to External Services
Forward logs from firewalls to Panorama and to external services in parallel—In this configuration, both Panorama and the external services are endpoints of separate log forwarding flows; the firewalls don’t rely on Panorama to forward logs to external services. This configuration is best for deployments in which the connections between firewalls and external services have sufficient bandwidth to sustain the logging rate, which is often the case when the connections are local.
Figure: Log Forwarding to External Services and Panorama in Parallel
Forward logs from firewalls directly to external services and also from Panorama to external services—This configuration is a hybrid of the previous two and is best for deployments that require sending syslog messages to multiple Security Information and Event Management (SIEM) solutions, each with its own message format (for example, Splunk and ArcSight). This duplicate forwarding doesn’t apply to SNMP traps or email notifications.