Sort Logs by Device Group ID for External Logging

To sort the logs manually by tenant in Panorama, select Monitor > Logs and choose the Device Group associated with that tenant to display the logs for that device group. However, if you forward your logs to an external device, you might need to sort those logs at the tenant level. To do so, find the device group ID that appears in the logs for that device group, and use the device group ID-to-device group name mapping to associate the logs with a tenant.
There are four fields associated with the device group in the logs: DG Hierarchy Level 1, DG Hierarchy Level 2, DG Hierarchy Level 3, and DG Hierarchy Level 4. These fields show the device group IDs in the hierarchy. The shared device group (level 0) is not included in this structure. DG Hierarchy Level 1 refers to the first device group level in the hierarchy. If you added child or grandchild device groups, the DG Hierarchy Level 2 through DG Hierarchy Level 4 fields show the hierarchy from the child group to the great-grandchild group, respectively.
To find logs by tenant, complete the following task.
  1. Find the device group IDs associated with the device group.
    • To find this information using a CLI command, log in to Panorama as a superuser (admin-level user), enter the show readonly command in configuration mode, and view the values under the device-group heading. The ID for each device group displays under the device group name. The following example shows that the device group ID for the acme-sc device group is 20.
      Note that these device groups are at the first level in the hierarchy (DG Hierarchy Level 1); you use that information in the query in the next step.
      admin# show readonly
      ...
      device-group {
        acme-sc { id 20; }
        acme-rn { id 39; }
        acme-mu { id 40; }
        hooli-rn { id 56; }
        hooli-sc { id 57; }
        hooli-mu {
    • To use an API query, enter the following API command:
      /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
    For more information about using APIs with logs, see Retrieve Logs (API).
  2. Use the device group ID-to-device group name mapping to associate the logs with a tenant.
    The following example shows an administrator retrieving the logs for Acme using the Log Forwarding App to create a Syslog Forwarding Profile. Because the mapping in Step 1 shows that the Acme device group ID is 20 and that the device group is at hierarchy Level 1, you use those values in the query, along with the following parameters:
    • A descriptive Name for the profile.
    • The Syslog Server IP address (you can also specify an FQDN).
    • The Port on which the server is listening. The default port for Syslog messages over TLS is 6514.
    • The Facility selected from the drop-down.
  3. Add the Forwarding parameters that select the logs you want to forward.
    The following example shows the administrator creating a Traffic log using a Custom filter with a Query that selects the logs for Acme, based on the hierarchy level (DG Hierarchy Level 1) and the device group ID (20) you retrieved in Step 1.
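As an added example (not part of the Palo Alto Networks documentation), the following Python script performs the mapping from Steps 1 and 2 on the receiving side: it parses the device group IDs out of show readonly output and assigns forwarded log records to a tenant from their DG Hierarchy Level 1 field. The tenant-name prefix convention, the dg_hier_level_* field names, the meaning of a 0 value, and the sample records are assumptions.

```python
import re

# Constructed sample of the `show readonly` device-group section, using the
# device group names and IDs shown on this page (not captured from a live Panorama).
SHOW_READONLY_SAMPLE = """
device-group {
  acme-sc { id 20; }
  acme-rn { id 39; }
  acme-mu { id 40; }
  hooli-rn { id 56; }
  hooli-sc { id 57; }
}
"""

# Assumed convention: the tenant is the prefix of the device group name (acme-sc -> acme).
TENANT_BY_PREFIX = {"acme": "Acme", "hooli": "Hooli"}


def parse_device_groups(text):
    """Build {device_group_id: device_group_name} from `show readonly` output."""
    return {int(m.group(2)): m.group(1)
            for m in re.finditer(r"([A-Za-z0-9_-]+)\s*\{\s*id\s+(\d+);", text)}


def tenant_for_record(record, dg_names, tenant_by_prefix=TENANT_BY_PREFIX):
    """Map one forwarded log record to a tenant.

    `record` carries the DG Hierarchy Level fields as integers; a value of 0 is
    assumed to mean "no device group at this level" (shared, level 0, is never
    listed). Level 1 is the top of the hierarchy, so it decides the tenant.
    """
    name = dg_names.get(record.get("dg_hier_level_1", 0))
    if name is None:
        return None  # unknown or shared-only log: leave it unassigned
    return tenant_by_prefix.get(name.split("-", 1)[0])


def sort_by_tenant(records, dg_names):
    """Group records into {tenant: [records]}; unmapped records go under None."""
    buckets = {}
    for rec in records:
        buckets.setdefault(tenant_for_record(rec, dg_names), []).append(rec)
    return buckets


# Constructed log records, reduced to the fields this example needs.
SAMPLE_RECORDS = [
    {"src": "10.0.1.5", "dg_hier_level_1": 20, "dg_hier_level_2": 0},
    {"src": "10.0.2.9", "dg_hier_level_1": 57, "dg_hier_level_2": 0},
    {"src": "10.0.3.3", "dg_hier_level_1": 0, "dg_hier_level_2": 0},
]

if __name__ == "__main__":
    groups = parse_device_groups(SHOW_READONLY_SAMPLE)
    for tenant, recs in sort_by_tenant(SAMPLE_RECORDS, groups).items():
        print(tenant, [r["src"] for r in recs])
```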