Local and Distributed Log Collection

Before you Configure Log Forwarding to Panorama, you must decide whether to use local Log Collectors, Dedicated Log Collectors, or both.
A local Log Collector is easy to deploy because it requires no additional hardware or virtual machine instance. In a high availability (HA) configuration, you can send logs to the local Log Collector on both Panorama peers; the passive Panorama doesn’t wait for failover to start collecting logs.
For local log collection, you can also forward logs to a Panorama virtual appliance in Legacy mode, which stores the logs without using a Log Collector as a logical container.
Dedicated Log Collectors are M-500 or M-100 appliances in Log Collector mode. Because they perform only log collection, not firewall management, Dedicated Log Collectors allow for a more robust environment than local Log Collectors. Dedicated Log Collectors provide the following benefits:
  • Enable the Panorama management server to use more resources for management functions instead of logging.
  • Provide high-volume log storage on a dedicated hardware appliance.
  • Enable higher logging rates.
  • Provide horizontal scalability and redundancy with RAID 1 storage.
  • Optimize bandwidth resources in networks where more bandwidth is available for firewalls to send logs to nearby Log Collectors than to a remote Panorama management server.
  • Enable you to meet regional regulatory requirements (for example, regulations might not allow logs to leave a particular region).
The Distributed Log Collection figure illustrates a topology in which the Panorama peers in an HA configuration manage the deployment and configuration of firewalls and Dedicated Log Collectors.
You can deploy the Panorama management server in an HA configuration, but you cannot deploy the Dedicated Log Collectors in an HA configuration.
Figure: Distributed Log Collection
