End-of-Life (EoL)
Configure Log Forwarding from Panorama to External Destinations
Panorama enables you to forward logs to external services, including syslog, email, SNMP trap, and HTTP-based services. Using an external service enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. In addition to forwarding firewall logs, you can forward the logs that the Panorama management server and Log Collectors generate. The Panorama management server or Log Collector that forwards the logs converts them to a format that is appropriate for the destination (syslog message, email notification, SNMP trap, or HTTP payload).

If your Panorama management server is a Panorama virtual appliance in Legacy mode, it converts and forwards logs to external services without using Log Collectors.

You can also forward logs directly from firewalls to external services: see Log Forwarding Options.

On a Panorama virtual appliance running Panorama 5.1 or earlier releases, you can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another Panorama virtual appliance. A Panorama virtual appliance running Panorama 6.0 or later releases, and M-Series appliances running any release, do not support these options because the log database on those models is too large for an export or import to be practical.

To forward logs to external services, start by configuring the firewalls to forward logs to Panorama. Then you must configure the server profiles that define how Panorama and Log Collectors connect to the services. Lastly, you assign the server profiles to the log settings of Panorama and to Collector Groups.
- Configure the firewalls to forward logs to Panorama.
- Configure a server profile for each external service that will receive log information.
  - Select Panorama > Server Profiles and select the type of server that will receive the log data: SNMP Trap, Syslog, Email, or HTTP.
  - Configure the server profile:
    - Configure an SNMP Trap server profile. For details on how SNMP works for Panorama and Log Collectors, refer to SNMP Support.
    - Configure a Syslog server profile. If the syslog server requires client authentication, use the Panorama > Certificate Management > Certificates page to create a certificate for securing syslog communication over SSL.
- Configure destinations for:
  - Logs that the Panorama management server and Log Collectors generate.
  - Firewall logs that a Panorama virtual appliance in Legacy mode collects.

  Steps:
  - Select Panorama > Log Settings.
  - Add one or more match list profiles for each log type. The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
    - Enter a Name to identify the profile.
    - Select the Log Type.
    - In the Filter drop-down, select Filter Builder. Specify the following and then Add each query:
      - Connector logic (and/or)
      - Log Attribute
      - Operator to define inclusion or exclusion logic
      - Attribute Value for the query to match
    - Add the server profiles you configured for each external service.
    - Click OK to save the profile.
- Configure destinations for firewall logs that Log Collectors receive. Each Collector Group can forward logs to different destinations. If the Log Collectors are local to a high availability (HA) pair of Panorama management servers, you must log into each HA peer to configure log forwarding for its Collector Group.
  - Select Panorama > Collector Groups and edit the Collector Group that receives the firewall logs.
  - (Optional, SNMP trap forwarding only) Select Monitoring and configure the SNMP settings.
  - Select Collector Log Forwarding and Add configured match list profiles as necessary.
  - Click OK to save your changes to the Collector Group.
- (Syslog forwarding only) If the syslog server requires client authentication and the firewalls forward logs to Dedicated Log Collectors, assign a certificate that secures syslog communication over SSL. Perform the following steps for each Dedicated Log Collector:
  - Select Panorama > Managed Collectors and edit the Log Collector.
  - Select the Certificate for Secure Syslog and click OK.
- (SNMP trap forwarding only) Enable your SNMP manager to interpret traps. Load the Supported MIBs and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.
- Commit and verify your configuration changes.
  - Select Commit > Commit and Push to commit your changes to Panorama and push the changes to device groups, templates, and Collector Groups.
  - Verify that the external services are receiving the log information:
    - Email server—Verify that the specified recipients are receiving logs as email notifications.
    - Syslog server—Refer to the documentation for your syslog server to verify it’s receiving logs as syslog messages.
    - SNMP manager—Refer to the documentation for your SNMP trap server to verify it’s receiving logs as SNMP traps.
    - HTTP server—Verify that the HTTP-based server is receiving logs in the correct payload format.
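
A coverage check for the syslog verification step above, added here as an example (it is not Palo Alto Networks code): it tallies which log types each forwarder has delivered to the syslog server and reports the expected types that never arrived. It assumes BSD-style syslog headers and the default comma-separated log body with the log type in the fourth field; a custom log format in the Syslog server profile changes that. The hostnames, serial numbers, addresses and expected sets are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample of raw messages as a syslog server might receive them.
# Assumed layout: <PRI>Mon DD HH:MM:SS host body, body is CSV, Type = field 4.
# Hostnames, serial numbers and addresses are made up for this example.
SAMPLE_LINES = [
    "<14>Apr 10 04:39:56 lc-01 1,2024/04/10 04:39:56,001234567890,TRAFFIC,end,0,2024/04/10 04:39:55,192.0.2.10,198.51.100.7",
    "<12>Apr 10 04:40:02 lc-01 1,2024/04/10 04:40:02,001234567890,THREAT,url,0,2024/04/10 04:40:01,192.0.2.10,198.51.100.9",
    "<14>Apr 10 04:41:17 panorama-01 1,2024/04/10 04:41:17,009876543210,SYSTEM,general,0,2024/04/10 04:41:17",
    "<14>Apr  9 23:00:00 lc-02 not a forwarded log line",
]

# Log types each forwarder should deliver (assumption: edit this to mirror
# the match list profiles attached to Panorama and to each Collector Group).
EXPECTED = {
    "lc-01": {"TRAFFIC", "THREAT"},
    "lc-02": {"TRAFFIC", "THREAT"},
    "panorama-01": {"SYSTEM", "CONFIG"},
}


def parse_line(line):
    """Return (forwarder_host, log_type), or None if the line does not parse."""
    if not line.startswith("<") or ">" not in line:
        return None
    rest = line.split(">", 1)[1]
    parts = rest.split(None, 4)  # month, day, time, host, body
    if len(parts) < 5:
        return None
    host, body = parts[3], parts[4]
    fields = next(csv.reader([body]), [])
    if len(fields) < 4 or not fields[3].isupper():
        return None
    return host, fields[3]


def coverage_gaps(lines, expected):
    """Return ({forwarder: [missing log types]}, count of unparsed lines)."""
    seen = defaultdict(set)
    unparsed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        seen[parsed[0]].add(parsed[1])
    gaps = {h: sorted(t - seen[h]) for h, t in expected.items() if t - seen[h]}
    return gaps, unparsed
```

A forwarder that appears in the gaps with every expected type missing usually points at the Collector Group or certificate steps; a single missing type points at a match list profile or its filter.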