Sort Logs by Device Group ID for External Logging

To sort the logs manually by tenant in Panorama, select Monitor > Logs and choose the Device Group associated with that tenant to display the logs for that device group. If you forward your logs to an external device, however, you may need to sort those logs at the tenant level there. To do so, find the device group ID that appears in the logs for that device group and use the ID-to-device group mapping to associate the logs with a tenant.
There are four fields in the logs associated with the device group: DG Hierarchy Level 1, DG Hierarchy Level 2, DG Hierarchy Level 3, and DG Hierarchy Level 4. These fields show the device group IDs at each level of the hierarchy. The shared device group (level 0) is not included in this structure.
DG Hierarchy Level 1 refers to the first device group level in the hierarchy. If you added child or grandchild device groups, the DG Hierarchy Level 2 through DG Hierarchy Level 4 fields show the hierarchy from the child group to the great-grandchild group, respectively.
To find logs by tenant, complete the following task.
  1. Find the device group IDs associated with the device group.
    • To find this information using a CLI command, log into Panorama as a superuser (admin-level user), enter the show readonly command in configuration mode, and view the values under the device-group heading. The ID for each device group appears under the device group name. The following example shows that the device group ID for the acme-sc device group is 20.
      Note that these device groups are at the first level in the hierarchy (DG Hierarchy Level 1); you use that information in the query in the next step.
      admin# show readonly
      ...
        device-group {
              acme-sc {
                id 20;
              }
              acme-rn {
                id 39;
              }
              acme-mu {
                id 40;
              }
              hooli-rn {
                id 56;
              }
              hooli-sc {
                id 57;
              }
              hooli-mu {
      
    • To use an API query, enter the following API command:
      /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
    For more information about using APIs with logs, see Retrieve Logs (API).
  2. Use the device group ID-to-device group name mapping to associate the logs with a tenant.
    The following example shows an administrator retrieving the logs for Acme using the Log Forwarding App to create a Syslog Forwarding Profile. Because the mapping in Step 1 returned device group ID 20 for Acme, and that device group is at DG Hierarchy Level 1, you use those two values in the query, along with the following parameters:
    • A descriptive Name for the profile.
    • The Syslog Server IP address (you can also specify an FQDN).
    • The Port on which the server is listening.
      The default port for Syslog messages over TLS is 6514.
    • The Facility selected from the drop-down.
  3. Add the Forwarding parameters that select the logs you want to forward.
    The following example shows the administrator creating a Traffic log using a Custom filter with a Query that selects the logs for Acme, based on the hierarchy level (DG Hierarchy Level 1) and the device group (20) you retrieved in Step 1.
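As an added example (not code from the page or from Panorama), the mapping step in Python: parse the device-group section of the show readonly output into name-to-ID pairs, invert a hypothetical tenant-to-group assignment, and attribute constructed log records to tenants using the DG Hierarchy fields. It goes beyond the page's Level 1 case by checking all four levels, so a tenant whose device group is nested deeper is still matched.

```python
import re

# Constructed sample of the device-group section of `show readonly`, compacted to
# one line per group; the regex below also accepts the multi-line form on the page.
SHOW_READONLY = """
device-group {
      acme-sc { id 20; }
      acme-rn { id 39; }
      acme-mu { id 40; }
      hooli-rn { id 56; }
      hooli-sc { id 57; }
"""
# Assumed tenant-to-device-group assignment (hypothetical, not from the page).
TENANT_GROUPS = {"Acme": ["acme-sc", "acme-rn", "acme-mu"],
                 "Hooli": ["hooli-rn", "hooli-sc"]}
# Each device-group entry has the shape `<name> { id <n>; }`, possibly across lines.
DG_RE = re.compile(r"(\S+)\s*\{\s*id\s+(\d+)\s*;")

def parse_device_group_ids(text):
    """Map device group name -> numeric device group id."""
    return {name: int(dg_id) for name, dg_id in DG_RE.findall(text)}

def id_to_tenant(name_to_id, tenant_groups):
    """Invert both mappings into device group id -> tenant name."""
    return {name_to_id[g]: tenant for tenant, groups in tenant_groups.items()
            for g in groups if g in name_to_id}

def tenant_for_log(record, id_tenant):
    """Walk DG Hierarchy Level 1..4 and return the tenant owning the first id found."""
    for level in range(1, 5):
        tenant = id_tenant.get(record.get(f"DG Hierarchy Level {level}", 0))
        if tenant:
            return tenant
    return None  # only the shared group (level 0) or a group no tenant owns

def sort_logs_by_tenant(records, id_tenant):
    """Bucket forwarded log records by tenant (key None = unattributed)."""
    buckets = {}
    for rec in records:
        buckets.setdefault(tenant_for_log(rec, id_tenant), []).append(rec)
    return buckets

# Constructed log records carrying the hierarchy fields (0 = level not used).
SAMPLE_LOGS = [
    {"seq": 1, "DG Hierarchy Level 1": 20, "DG Hierarchy Level 2": 0},
    {"seq": 2, "DG Hierarchy Level 1": 56, "DG Hierarchy Level 2": 0},
    {"seq": 3, "DG Hierarchy Level 1": 20, "DG Hierarchy Level 2": 88},
    {"seq": 4, "DG Hierarchy Level 1": 0, "DG Hierarchy Level 2": 0},
]
```

Record 3 carries an unknown child group ID (88) at Level 2 but is still attributed to Acme through its Level 1 parent, which is why the page tells you to query on the level at which the tenant's device group sits.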