Configure Log Forwarding of Traps Logs

You can configure log forwarding to forward logs over syslog to a SIEM for long-term storage, SOC use, or internal audit obligations, and to send email notifications for critical events to an email address. For both types of log forwarding, you can export all logs or a subset of logs based on log attributes such as Log Type (Threat, Config, System, or Analytics) or severity.
For each instance of the Cortex Data Lake, you deploy an instance of the Log Forwarding app, which forwards logs to a single syslog destination and a single email destination.
  1. To activate and configure the Log Forwarding app, ensure you have the appropriate role in the Hub.
    See Manage App Roles in the Hub Getting Started Guide.
  2. Add a Log Forwarding App Instance.
    Before you can use the Log Forwarding app, you must activate it. You can then add a Log Forwarding app instance to the Cloud Services Portal for each instance of the Cortex Data Lake you have purchased. Each instance of the Log Forwarding app can forward logs to a single destination and is associated with only one instance of the Cortex Data Lake.
  3. Configure the Log Forwarding app:
    • Forward Logs from the Logging Service to a Syslog Server—The Cortex Data Lake sends logs in the IETF syslog message format defined in RFC 5424. The communication between the Cortex Data Lake and the syslog destination uses syslog over TLS and upon connection, the Cortex Data Lake validates that the syslog receiver has a certificate signed by a trusted root certificate authority (CA). The Log Forwarding app does not support self-signed certificates.
    • Forward Logs from the Logging Service to an Email Server—To receive email notifications whenever critical issues occur on your network, you can configure the Log Forwarding app to send notifications to an email destination. The Log Forwarding app uses the Palo Alto Networks SMTP server to forward log information in an email format, and all emails are sent from noreply@cs.paloaltonetworks.com. The communication between the Log Forwarding app and the email destination uses SMTP over TLS, and the SMTP server certificate is signed by a trusted root CA.
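On the receiving side, the SIEM has to parse the RFC 5424 messages the syslog destination receives and apply the same kind of severity-based selection described above. The following is an added example, not code from the Log Forwarding app or this documentation: a minimal RFC 5424 parser (PRI, HEADER, STRUCTURED-DATA with its three escape sequences, MSG) plus a severity filter. The sample lines, the `traps@0` SD-ID, and the use of MSGID for the Traps log type are constructed assumptions, since the page does not document the exact field layout of Cortex Data Lake messages.

```python
import re
# RFC 5424 HEADER: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
_HEADER_RE = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")

def _parse_sd(text):
    """Parse STRUCTURED-DATA ('-' or one or more [ID k="v" ...] elements); return (dict, rest)."""
    if text.startswith("-"):
        return {}, text[1:]
    sd, pos = {}, 0
    while pos < len(text) and text[pos] == "[":
        end = pos + 1
        while text[end] not in " ]":
            end += 1
        sd_id, params, pos = text[pos + 1:end], {}, end
        while text[pos] == " ":  # SP-separated PARAM-NAME="PARAM-VALUE" pairs
            eq = text.index("=", pos)
            i, value = eq + 2, []  # skip '=' and the opening '"'
            while text[i] != '"':
                if text[i] == "\\" and text[i + 1] in '"\\]':  # the three RFC 5424 escapes
                    i += 1
                value.append(text[i])
                i += 1
            params[text[pos + 1:eq]], pos = "".join(value), i + 1
        sd[sd_id], pos = params, pos + 1  # skip closing ']'
    return sd, text[pos:]

def parse_rfc5424(line):
    """Parse one RFC 5424 line into a dict; raise ValueError on malformed input."""
    if not (m := _HEADER_RE.match(line)):
        raise ValueError("not an RFC 5424 HEADER")
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility (0..23) * 8 + severity (0..7)
        raise ValueError("PRI out of range")
    try:
        sd, rest = _parse_sd(line[m.end():])
    except (IndexError, ValueError):
        raise ValueError("malformed STRUCTURED-DATA") from None
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(3), "hostname": m.group(4),
            "app": m.group(5), "msgid": m.group(7), "sd": sd, "msg": rest[1:] if rest.startswith(" ") else rest}

def filter_by_severity(lines, max_severity):
    """Keep messages at the given severity or worse (lower RFC 5424 number = more severe)."""
    return [p for p in map(parse_rfc5424, lines) if p["severity"] <= max_severity]

# Constructed sample lines (not real Cortex Data Lake output); MSGID carries the Traps log type.
SAMPLE_LINES = [
    '<130>1 2024-01-15T10:00:00Z cdl-forwarder Traps - THREAT [traps@0 subtype="malware" host="ws-1"] Blocked sample.exe',
    '<132>1 2024-01-15T10:00:05Z cdl-forwarder Traps - CONFIG [traps@0 user="admin" policy="Default \\"Strict\\""] Policy updated',
    '<134>1 2024-01-15T10:00:10Z cdl-forwarder Traps - SYSTEM - Agent heartbeat received',
]
```

With a threshold of 4 (warning), `filter_by_severity(SAMPLE_LINES, 4)` keeps the crit (2) and warning (4) messages and drops the info (6) heartbeat; a production ingester would additionally validate SD-ID and PARAM-NAME character sets, which this minimal parser does not.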