Sort Logs by Device Group ID for External Logging

To sort the logs manually by tenant in Panorama, select and choose the Device Group associated with that tenant to display the logs for that device group. However, if you are forwarding your logs to an external device, you might need to sort those logs at the tenant level. To do so, find the device group ID in the logs that is associated with the device group and use that group ID-to-device group mapping to associate the logs with a tenant.
There are four fields associated with the device group in the logs: DG Hierarchy Level 1, DG Hierarchy Level 2, DG Hierarchy Level 3, and DG Hierarchy Level 4. These fields show the device group IDs in its hierarchy. The shared device group (level 0) is not included in this structure.
DG Hierarchy Level 1 refers to the first device group level in the hierarchy. If you added children or grandchildren device groups, the DG Hierarchy Level 2 through DG Hierarchy Level 4 fields show the hierarchy from the child group to the great-grandchild group, respectively.
To find logs by tenant, complete the following task.
  1. Find the device group IDs associated with the device group.
    • To find this information using a CLI command, log into Panorama as a superuser (admin-level user), enter the show readonly command in configuration mode, and view the values in the heading. The IDs for the device groups display under the device group name. The following example shows that the device ID for the device group is
      Note that these device groups are at the first level in the hierarchy (DG Hierarchy Level 1); you use that information in the query in the next step.
      admin# show readonly
      ...
      device-group {
        acme-sc {
          id 20;
        }
        acme-rn {
          id 39;
        }
        acme-mu {
          id 40;
        }
        hooli-rn {
          id 56;
        }
        hooli-sc {
          id 57;
        }
        hooli-mu {
    • To use an API query, enter the following API command:
    For more information about using APIs with logs, see Retrieve Logs (API).
  2. Use the device group ID-to-device group name mapping to associate the logs with a tenant.
    The following example shows an administrator retrieving the logs for Acme using the Log Forwarding App to create a Syslog Forwarding Profile. Because the mapping example in Step 1 shows a device group ID of 20 for Acme and the hierarchy is at Level 1, you use those values in the query, along with the following parameters:
    • A descriptive for the profile.
    • The Syslog Server IP address (you can also specify an FQDN).
    • The on which the server is listening. The default port for Syslog messages over TLS is 6514.
    • The selected from the drop-down.
  3. Add parameters that select the logs you want to forward.
    The following example shows the administrator creating a log using a filter with a that selects the logs for Acme, based on the hierarchy level (DG Hierarchy Level 1) and the device group (20) you retrieved in Step 1.
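
On the receiving side, the same ID-to-device group mapping can be applied to logs that arrive unfiltered. The following is an added example, not part of the original page or any Palo Alto Networks code: it parses a device-group block into an ID-to-name map and groups records by their DG Hierarchy Level 1 value, keeping records with a missing or unknown ID out of every tenant bucket. The key=value record layout, the dg_hier_level_N field names, and deriving the tenant from the device group name prefix are assumptions, and all sample data is constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the `show readonly` output in Step 1
# (only the five entries whose IDs are visible on the page).
SHOW_READONLY = """
device-group {
  acme-sc { id 20; }
  acme-rn { id 39; }
  acme-mu { id 40; }
  hooli-rn { id 56; }
  hooli-sc { id 57; }
}
"""

# Constructed records; the key=value layout and field names are assumptions
# about how the external collector receives the forwarded logs.
SAMPLE_LOGS = [
    "type=TRAFFIC src=10.1.1.5 dg_hier_level_1=20 dg_hier_level_2=0",
    "type=TRAFFIC src=10.2.7.9 dg_hier_level_1=56 dg_hier_level_2=0",
    "type=THREAT src=10.1.4.2 dg_hier_level_1=40 dg_hier_level_2=0",
    "type=TRAFFIC src=10.9.9.9 dg_hier_level_1=99 dg_hier_level_2=0",
    "type=SYSTEM msg=commit",
]

def parse_device_groups(text):
    """Return {device_group_id: name} from a device-group block."""
    pairs = re.findall(r"([\w-]+)\s*\{\s*id\s+(\d+);\s*\}", text)
    return {int(dg_id): name for name, dg_id in pairs}

def tenant_of(dg_name):
    """Assumption: the tenant is the device group name up to the first '-'."""
    return dg_name.split("-", 1)[0]

def sort_by_tenant(lines, id_to_name, level=1):
    """Group log lines by tenant using the DG Hierarchy Level <level> field."""
    buckets = defaultdict(list)
    key = f"dg_hier_level_{level}"
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        dg_id = fields.get(key, "")
        name = id_to_name.get(int(dg_id)) if dg_id.isdigit() else None
        # Missing or unknown IDs go to a review bucket, never to a tenant.
        buckets[tenant_of(name) if name else "unmapped"].append(line)
    return dict(buckets)

if __name__ == "__main__":
    groups = parse_device_groups(SHOW_READONLY)
    for tenant, logs in sort_by_tenant(SAMPLE_LOGS, groups).items():
        print(tenant, len(logs))
```

Re-run the mapping step whenever device groups are added or removed, because an ID missing from the map leaves that tenant's logs in the unmapped bucket.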
