1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Manage Log Collection
    5. Configure Log Forwarding from Panorama to External Destinations
    End-of-Life (EoL)

    Configure Log Forwarding from Panorama to External Destinations

    Panorama enables you to forward logs to external services, including syslog, email, SNMP trap, and HTTP-based services. Using an external service enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. In addition to forwarding firewall logs, you can forward the logs that the Panorama management server and Log Collectors generate. The Panorama management server or Log Collector that forwards the logs converts them to a format that is appropriate for the destination (syslog message, email notification, SNMP trap, or HTTP payload).
    If your Panorama management server is a Panorama virtual appliance in Legacy mode, it converts and forwards logs to external services without using Log Collectors.
    You can also forward logs directly from firewalls to external services: see Log Forwarding Options.
    On a Panorama virtual appliance running Panorama 5.1 or earlier releases, you can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another Panorama virtual appliance. A Panorama virtual appliance running Panorama 6.0 or later releases, and M-Series appliances running any release, do not support these options because the log database on those models is too large for an export or import to be practical.
    To forward logs to external services, start by configuring the firewalls to forward logs to Panorama. Then you must configure the server profiles that define how Panorama and Log Collectors connect to the services. Lastly, you assign the server profiles to the log settings of Panorama and to Collector Groups.
    1. Configure the firewalls to forward logs to Panorama.
    2. Configure a server profile for each external service that will receive log information.
      1. Select
        Panorama
        Server Profiles
         and select the type of server that will receive the log data:
        SNMP Trap
        ,
        Syslog
        ,
        Email
        , or
        HTTP
        .
      2. Configure the server profile:
    3. Configure destinations for:
      • Logs that the Panorama management server and Log Collectors generate.
      • Firewall logs that a Panorama virtual appliance in Legacy mode collects.
      1. Select
        Panorama
        Log Settings
        .
      2. Add
         one or more match list profiles for each log type.
        The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
        1. Enter a
          Name
           to identify the profile.
        2. Select the
          Log Type
          .
        3. In the
          Filter
           drop-down, select
          Filter Builder
          . Specify the following and then
          Add
           each query:
          Connector
           logic (and/or)
          Log
          Attribute
          Operator
           to define inclusion or exclusion logic
          Attribute
          Value
           for the query to match
        4. Add
           the server profiles you configured for each external service.
        5. Click
          OK
           to save the profile.
    4. Configure destinations for firewall logs that Log Collectors receive.
      Each Collector Group can forward logs to different destinations. If the Log Collectors are local to a high availability (HA) pair of Panorama management servers, you must log into each HA peer to configure log forwarding for its Collector Group.
      1. Select
        Panorama
        Collector Groups
         and edit the Collector Group that receives the firewall logs.
      2. (
        Optional, SNMP trap forwarding only
        ) Select
        Monitoring
         and configure the SNMP settings.
      3. Select
        Collector Log Forwarding
         and
        Add
        configured match list profiles as necessary.
      4. Click
        OK
         to save your changes to the Collector Group.
    5. (
      Syslog forwarding only
      ) If the syslog server requires client authentication and the firewalls forward logs to Dedicated Log Collectors, assign a certificate that secures syslog communication over SSL.
      Perform the following steps for each Dedicated Log Collector:
      1. Select
        Panorama
        Managed Collectors
         and edit the Log Collector.
      2. Select the
        Certificate for Secure Syslog
         and click
        OK
        .
    6. (
      SNMP trap forwarding only
      ) Enable your SNMP manager to interpret traps.
      Load the Supported MIBs and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.
    7. Commit and verify your configuration changes.
      1. Select
        Commit
        Commit and Push
         to commit your changes to Panorama and push the changes to device groups, templates, and Collector Groups.
      2. Verify that the external services are receiving the log information:
        • Email server
          —Verify that the specified recipients are receiving logs as email notifications.
        • Syslog server
          —Refer to the documentation for your syslog server to verify it’s receiving logs as syslog messages.
        • SNMP manager
          —Refer to the documentation for your SNMP trap server to verify it’s receiving logs as SNMP traps.
        • HTTP server
          —Verify that the HTTP-based server is receiving logs in the correct payload format.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo