If you want a dedicated appliance for log collection, configure an M-100 or M-500 appliance in Log Collector mode. To do this, you first perform the initial configuration of the appliance in Panorama mode, which includes licensing, installing software and content updates, and configuring the management (MGT) interface. You then switch the M-100 or M-500 appliance to Log Collector mode and complete the Log Collector configuration. Additionally, if you want to use dedicated interfaces (recommended) instead of the MGT interface for log collection and Collector Group communication, you must first configure the interfaces for the Panorama management server, then configure them for the Log Collector, and then perform a Panorama commit followed by a Collector Group commit.
Perform the following steps to set up a new M-Series appliance as a Log Collector or to convert an existing M-Series appliance that was previously deployed as a Panorama management server.
Switching the M-Series appliance from Panorama mode to Log Collector mode reboots the appliance, deletes any existing log data, and deletes all configurations except the management access settings. Switching the mode does not delete licenses, software updates, or content updates.
Set up the M-100 or M-500 Appliance as a Log Collector
Step 1. Set up the Panorama management server that will manage the Log Collector if you have not already done so. Perform one of the following tasks:
   - Set Up the Panorama Virtual Appliance
   - Set Up the M-Series Appliance

Step 2. Record the management IP addresses of the Panorama management server. If you deployed Panorama in a high availability (HA) configuration, you need the IP address of each HA peer.
   1. Log in to the web interface of the Panorama management server.
   2. Record the IP Address of the solitary (non-HA) or active (HA) Panorama by selecting Panorama > Setup > Management and checking the Management Interface Settings.
   3. For an HA deployment, record the Peer HA IP Address of the passive Panorama by selecting Panorama > High Availability and checking the Setup section.

Step 3. Set up the M-Series appliance that will serve as a Dedicated Log Collector. If you previously deployed this appliance as a Panorama management server, you can skip this step because the MGT interface is already configured and the licenses and updates are already installed.
   The M-Series appliance in Log Collector mode does not have a web interface for configuration tasks, only a CLI. Therefore, before changing the mode on the M-Series appliance, use the web interface in Panorama mode to:
   1. Perform Initial Configuration of the M-Series Appliance.
   2. Register Panorama and Install Licenses.
   3. Install Content and Software Updates for Panorama.

Step 4. Access the CLI of the M-Series appliance.
   1. Connect to the M-Series appliance in one of the following ways:
      - Attach a serial cable from your computer to the Console port on the M-Series appliance. Then use terminal emulation software (9600-8-N-1) to connect.
      - Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the MGT interface of the M-Series appliance during initial configuration.
   2. Log in to the CLI when prompted. Use the default admin account and the password that you specified during initial configuration.

Step 5. Switch from Panorama mode to Log Collector mode.
   1. Switch to Log Collector mode by entering the following command:
      > request system system-mode logger
   2. Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M-Series appliance to see the Panorama login prompt. If you see a CMS Login prompt, the Log Collector has not finished rebooting; press Enter at the prompt without typing a username or password.
   3. Log back in to the CLI.
   4. Verify that the switch to Log Collector mode succeeded:
      > show system info | match system-mode
      If the mode change succeeded, the output displays:
      system-mode: logger

Step 6. Configure the logging disks as RAID1 pairs. If you previously deployed the appliance as a Panorama management server, you can skip this step because the disk pairs are already configured and available. The time required to configure the drives varies from several minutes to a couple of hours, based on the amount of data on the drives.
   1. Determine which disk pairs are present for configuring as RAID pairs on the M-Series appliance:
      > show system raid detail
   2. Perform the remaining steps to configure each disk pair that has present disks. This example uses disk pair A1/A2.
   3. To add the first disk in the pair, enter the following command and enter y when prompted to confirm the request:
      > request system raid add A1
      Wait for the process to finish before adding the next disk in the pair. To monitor the progress of the RAID configuration, re-enter:
      > show system raid detail
      After the process finishes for the first disk, the output displays the disk pair status as Available but degraded.
   4. Add the second disk in the pair:
      > request system raid add A2
   5. Verify that the disk setup is complete:
      > show system raid detail
      After the process finishes for the second disk, the output displays the disk pair status as Available and clean:
      Disk Pair A          Available
         Status            clean

Step 7. Record the serial number of the Log Collector. You need the serial number to add the Log Collector as a managed collector on the Panorama management server.
   At the Log Collector CLI, enter the following command to display its serial number, and record it:
      > show system info | match serial

Step 8. Add the Log Collector as a managed collector to the Panorama management server.
   1. Select Panorama > Managed Collectors and Add a managed collector.
   2. In the General tab, enter the serial number (Collector S/N) you recorded for the Log Collector.
   3. In the Panorama Server IP field, enter the IP address or FQDN of the solitary (non-HA) or active (HA) Panorama. For HA deployments, enter the IP address or FQDN of the passive Panorama peer in the Panorama Server IP 2 field.
   4. Select Management and configure one or both of the following field sets for the MGT interface based on the IP protocols of your network:
      - IPv4: IP Address, Netmask, and Default Gateway
      - IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
   5. Click OK and Commit, set the Commit Type to Panorama, and click Commit again. This step is required before you can enable logging disks.
   6. Verify that the Panorama > Managed Collectors page lists the Log Collector you added. The Connected column displays a check mark to indicate that the Log Collector is connected to Panorama. You might have to wait a few minutes before the page displays the updated connection status. At this point, the Configuration Status column displays Out of Sync and the Run Time Status column displays disconnected. The status will change to In Sync and connected after you configure a Collector Group (Step 12).

Step 9. Enable connectivity between the Log Collector and Panorama management server. Enter the following commands at the Log Collector CLI, where <IPaddress1> is for the MGT interface of the solitary (non-HA) or active (HA) Panorama and <IPaddress2> is for the MGT interface of the passive (HA) Panorama, if applicable:
      > configure
      # set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
      # commit
      # exit

Step 10. Enable the logging disks.
   1. Select Panorama > Managed Collectors and edit the Log Collector.
   2. Select Disks and Add each RAID disk pair.
   3. Click OK and Commit, set the Commit Type to Panorama, and click Commit again.

Step 11. (Optional) Configure the Eth1 and/or Eth2 interfaces if the Panorama management server and Log Collector will use them for log collection and Collector Group communication. If you previously deployed the Log Collector as a Panorama management server and configured the Eth1 and/or Eth2 interfaces, you must reconfigure those interfaces because switching to Log Collector mode (Step 5) would have deleted all configurations except the management access settings. Palo Alto Networks recommends using Eth1 and/or Eth2 to reduce the traffic load on the MGT interface and to improve security for management traffic.
   1. Configure Eth1 and/or Eth2 on the Panorama management server if you haven't already:
      a. Select Panorama > Setup > Management.
      b. Edit the Eth1 Interface Settings and/or Eth2 Interface Settings.
      c. For each interface, complete one or both of the following field sets based on the IP protocols of your network:
         - IPv4: IP Address, Netmask, and Default Gateway
         - IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
      d. Click OK to save your changes.
   2. Configure Eth1 and/or Eth2 on the Log Collector:
      a. Select Panorama > Managed Collectors and edit the Log Collector.
      b. Configure the network settings of the Eth1 and/or Eth2 interfaces. For each interface, select the corresponding tab and configure one or both of the following field sets based on the IP protocols of your network:
         - IPv4: IP Address, Netmask, and Default Gateway
         - IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
      c. Click OK and Commit, set the Commit Type to Panorama, and click Commit again. This step is required before you can assign the Eth1 and Eth2 interfaces to logging functions.
      d. Select the interfaces (MGT, Eth1, or Eth2) that the Log Collector will use for Device Log Collection and Collector Group Communication (default is MGT).
      e. Click OK to save your changes.

Step 12. Assign the Log Collector to a Collector Group.
   1. Configure a Collector Group. You must perform a Panorama commit and then a Collector Group commit to synchronize the Log Collector configuration with Panorama and to put the Eth1 and Eth2 interfaces (if you configured them) in an operational state on the Log Collector.
      All the Log Collectors in any particular Collector Group must be the same model, such as all M-100 appliances or all M-500 appliances. If you Enable log redundancy across collectors in the Collector Group, then each Log Collector also requires the same number of disks.
   2. Select Panorama > Managed Collectors to verify that the Log Collector configuration is synchronized with Panorama. The Configuration Status column should display In Sync and the Run Time Status column should display connected.
   3. Access the Log Collector CLI and enter the following command to verify that its interfaces are operational:
      > show interface all
      The output displays the state as up for each interface that is operational.
   4. If the Collector Group has multiple Log Collectors, verify they can communicate with each other by running the following command for each interface that the Log Collectors use (MGT, Eth1, and/or Eth2). For the source IP address, specify the interface of the Log Collector on which you run the command. For the host IP address, specify the matching interface of another Log Collector in the same Collector Group.
      > ping source <IP-address> host <IP-address>
      For example, if a Collector Group contains Log Collector A with an MGT interface set to 192.0.2.1 and Log Collector B with an MGT interface set to 192.0.2.2, log in to Log Collector A and enter:
      > ping source 192.0.2.1 host 192.0.2.2
      If the Log Collectors can communicate over their MGT interfaces, the output displays:
      PING 192.0.2.2 (192.0.2.2) from 192.0.2.1 : 56(84) bytes of data.
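The procedure above ends with several manual verification points: the system-mode line after the mode switch, the Disk Pair status after the RAID build, the interface state after the Collector Group commit, and the PING header line between collectors. The following Python script is an added example, not Palo Alto Networks code, that turns those checks into a single readiness report over captured CLI output (for instance, text saved from an SSH session). The sample captures embedded in it are constructed and carry only the fields the procedure names; the exact column layout of real `show` output is an assumption, so adjust the regular expressions against your own captures. Function names such as `readiness_problems` are this example's own.

```python
"""Readiness checks for a Dedicated Log Collector, run over captured CLI output.

Added example; not Palo Alto Networks code. The sample captures below are
constructed to carry only the fields the procedure tells you to look for
(system-mode, Disk Pair/Status, interface state, the PING header line).
Real 'show' output has more columns and its exact layout is an assumption
here, so adjust the regular expressions against your own captures.
"""
import re

# Constructed sample captures (not real appliance output).
SAMPLE_SYSTEM_INFO = """\
hostname: lc-a
serial: 000000000001
system-mode: logger
"""

SAMPLE_RAID_DETAIL = """\
Disk Pair A                     Available
  Status                        clean
  Disk id A1                    Present
  Disk id A2                    Present
Disk Pair B                     Available
  Status                        degraded
  Disk id B1                    Present
  Disk id B2                    Missing
"""

SAMPLE_INTERFACES = """\
name      state
mgt       up
eth1      up
eth2      down
"""

SAMPLE_PING = "PING 192.0.2.2 (192.0.2.2) from 192.0.2.1 : 56(84) bytes of data."


def system_mode(system_info):
    """Return the value of the 'system-mode:' line, or None if absent."""
    m = re.search(r"^system-mode:\s*(\S+)", system_info, re.MULTILINE)
    return m.group(1) if m else None


def raid_pairs(raid_detail):
    """Map each pair letter to (availability, status) from 'Disk Pair X' blocks."""
    pairs = {}
    current = None
    for line in raid_detail.splitlines():
        header = re.match(r"^Disk Pair (\w+)\s+(\S.*?)\s*$", line)
        if header:
            current = header.group(1)
            pairs[current] = (header.group(2), "unknown")
            continue
        status = re.match(r"^\s+Status\s+(\S+)", line)
        if status and current:
            pairs[current] = (pairs[current][0], status.group(1))
    return pairs


def interface_states(show_interface_all):
    """Map interface name to its state column, skipping the header row."""
    states = {}
    for line in show_interface_all.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[-1]
    return states


def ping_header_matches(ping_output, source, host):
    """True if the PING header shows the expected target and source interface."""
    m = re.match(r"^PING (\S+) \(\S+\) from (\S+) :", ping_output)
    return bool(m) and m.group(1) == host and m.group(2) == source


def readiness_problems(system_info, raid_detail, show_interface_all, logging_ifaces=("mgt",)):
    """Collect everything that would stop this collector from receiving logs."""
    problems = []
    if system_mode(system_info) != "logger":
        problems.append("appliance is not in Log Collector mode (system-mode != logger)")
    for pair, (avail, status) in raid_pairs(raid_detail).items():
        if avail != "Available" or status != "clean":
            problems.append(f"disk pair {pair} is {avail}/{status}, expected Available/clean")
    states = interface_states(show_interface_all)
    for name in logging_ifaces:
        if states.get(name) != "up":
            problems.append(f"interface {name} is {states.get(name, 'absent')}, expected up")
    return problems


if __name__ == "__main__":
    for p in readiness_problems(SAMPLE_SYSTEM_INFO, SAMPLE_RAID_DETAIL,
                                SAMPLE_INTERFACES, ("mgt", "eth1")):
        print("NOT READY:", p)
```

Run against the constructed samples, the report flags only disk pair B (still degraded, that is, only one disk of the pair has been added) while the mode, pair A and the mgt/eth1 interfaces pass. Pass the interfaces you selected for Device Log Collection and Collector Group Communication as `logging_ifaces`; an interface that is configured but not yet committed through the Collector Group shows as down and is reported.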
Next steps. To enable the Log Collector to receive firewall logs:
   - Configure Log Forwarding to Panorama.
   - Verify Log Forwarding to Panorama.