By using an external logging platform—such as a security
information and event management (SIEM) system or a syslog device—you
can view aggregated logs from the ESM Console and ESM Servers. You can
also configure the ESM to send logs to Panorama. The ability to
view Traps logs in the same context as the firewall logs allows
you to correlate discrete activity observed on the network and the
endpoints. Correlated events help you see the overall picture across
your network and the endpoints so that you can detect any risks
that evade detection or take advantage of blind spots, and strengthen
your security posture well before any damage occurs.
When enabled, the ESM component forwards reports about events
to the external logging platform in addition to storing logs internally.
The ESM component which forwards the logs varies depending on the
type of event. For example, if you monitor verdict changes, the
ESM Console sends logs when you override the verdict for a hash.
If WildFire changes the verdict, the ESM Server sends the logs.
You can also integrate your external logging platform with third-party
monitoring tools, such as Splunk, to analyze log data. Download
the Splunk app for Palo Alto Networks at https://apps.splunk.com/app/491.
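The correlation this page describes, and the split of forwarding duties between the ESM Console and the ESM Server, can be illustrated with a small script that ingests syslog lines on the receiving platform, pairs endpoint-side and network-side events for the same host inside a time window, and checks that each event type arrived from the component the page says forwards it. This is an added example, not Palo Alto Networks code: the log lines are constructed for the demo in a generic syslog shape and do not reproduce the real Traps or PAN-OS log formats, and the field names, tags (`traps`, `panos`) and sender names (`esm-console`, `esm-server`, `fw-edge`) are assumptions.

```python
"""Correlate endpoint (Traps/ESM) and firewall events received over syslog.

Added illustration, not Palo Alto Networks code. The sample lines are
constructed in a generic syslog layout; they are not the real Traps or
PAN-OS log formats, and all field/tag/sender names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what an external logging platform might receive.
# Assumed layout per line: <PRI>timestamp sender tag: key=value ...
SAMPLE_SYSLOG = """\
<14>2023-05-01T10:00:05Z esm-server traps: host=ws-042 event=wildfire_verdict_change hash=abc123 verdict=malware
<14>2023-05-01T10:00:09Z fw-edge panos: src=10.0.5.42 host=ws-042 event=threat action=alert category=spyware
<14>2023-05-01T10:01:30Z esm-console traps: host=ws-017 event=verdict_override hash=def456 verdict=benign
<14>2023-05-01T10:07:00Z fw-edge panos: src=10.0.5.17 host=ws-017 event=url action=allow category=business
<14>2023-05-01T10:09:00Z esm-server traps: host=ws-099 event=prevention module=exploit
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\S+)\s+(?P<sender>\S+)\s+(?P<tag>[\w-]+):\s*(?P<body>.*)$"
)

# Which side of the picture a tag belongs to (assumed tag names).
ENDPOINT_TAGS = {"traps"}
NETWORK_TAGS = {"panos"}

# From the page: verdict overrides are forwarded by the ESM Console,
# WildFire verdict changes by the ESM Server. Event/sender names assumed.
EXPECTED_SENDER = {
    "verdict_override": "esm-console",
    "wildfire_verdict_change": "esm-server",
}


def parse_line(line):
    """Parse one syslog line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("body").split() if "=" in kv)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "sender": m.group("sender"),
        "tag": m.group("tag"),
        **fields,
    }


def parse_syslog(text):
    """Parse a block of syslog text, dropping blank and unparseable lines."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def correlate(events, window=timedelta(minutes=5)):
    """Return {host: [(endpoint_event, network_event), ...]} for every host
    that has an endpoint-side and a network-side event within `window`."""
    by_host = defaultdict(lambda: {"endpoint": [], "network": []})
    for e in events:
        host = e.get("host")
        if not host:
            continue  # cannot correlate without a host key
        if e["tag"] in ENDPOINT_TAGS:
            by_host[host]["endpoint"].append(e)
        elif e["tag"] in NETWORK_TAGS:
            by_host[host]["network"].append(e)
    hits = {}
    for host, groups in by_host.items():
        pairs = [(ep, nw) for ep in groups["endpoint"] for nw in groups["network"]
                 if abs(ep["ts"] - nw["ts"]) <= window]
        if pairs:
            hits[host] = pairs
    return hits


def check_sender(events):
    """Return events whose sender is not the ESM component expected to
    forward that event type; useful as a sanity check on forwarding setup."""
    return [e for e in events
            if e.get("event") in EXPECTED_SENDER
            and e["sender"] != EXPECTED_SENDER[e["event"]]]


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for host, pairs in correlate(evs).items():
        for ep, nw in pairs:
            print(f"{host}: endpoint {ep['event']} + network {nw['event']}")
    for bad in check_sender(evs):
        print("unexpected sender:", bad["sender"], "for", bad["event"])
```

With the constructed sample, only `ws-042` is reported: its WildFire verdict change and the firewall's spyware alert fall four seconds apart, while `ws-017`'s two events are more than five minutes apart and `ws-099` has no network-side event at all. The window and the host key are the two knobs a practitioner would tune against real log formats.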