: Configure Log Forwarding from Panorama to External Destinations
Focus
Focus

Configure Log Forwarding from Panorama to External Destinations

Table of Contents
End-of-Life (EoL)

Configure Log Forwarding from Panorama to External Destinations

Panorama enables you to forward logs to external services, including syslog, email, SNMP trap, and HTTP-based services. Using an external service enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. In addition to forwarding firewall logs, you can forward the logs that the Panorama management server and Log Collectors generate. The Panorama management server or Log Collector that forwards the logs converts them to a format that is appropriate for the destination (syslog message, email notification, SNMP trap, or HTTP payload). Forwarded logs have a maximum log record size of 4,096 bytes. A forwarded log with a log record size larger than the maximum is truncated at 4,096 bytes while logs that do not exceed the maximum log record size are not.-
Log forwarding is supported only for supported log fields. Forwarding logs that contain unsupported log fields or pseudo-fields causes the firewall to crash.
If your Panorama management server is a Panorama virtual appliance in Legacy mode, it converts and forwards logs to external services without using Log Collectors.
You can also forward logs directly from firewalls to external services: see Log Forwarding Options.
On a Panorama virtual appliance running Panorama 5.1 or earlier releases, you can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another Panorama virtual appliance. A Panorama virtual appliance running Panorama 6.0 or later releases, and M-Series appliances running any release, do not support these options because the log database on those models is too large for an export or import to be practical.
To forward logs to external services, start by configuring the firewalls to forward logs to Panorama. Then you must configure the server profiles that define how Panorama and Log Collectors connect to the services. Lastly, you assign the server profiles to the log settings of Panorama and to Collector Groups.
  1. Configure the firewalls to forward logs to Panorama.
  2. Configure a server profile for each external service that will receive log information.
    1. Select PanoramaServer Profiles and select the type of server that will receive the log data: SNMP Trap, Syslog, Email, or HTTP.
    2. Configure the server profile:
  3. Configure destinations for:
    • Logs that the Panorama management server and Log Collectors generate.
    • Firewall logs that a Panorama virtual appliance in Legacy mode collects.
    1. Select PanoramaLog Settings.
    2. Add one or more match list profiles for each log type.
      The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
      1. Enter a Name to identify the profile.
      2. Select the Log Type.
      3. In the Filter drop-down, select Filter Builder. Specify the following and then Add each query:
        Connector logic (and/or)
        Log Attribute
        Operator to define inclusion or exclusion logic
        Attribute Value for the query to match
      4. Add the server profiles you configured for each external service.
      5. Click OK to save the profile.
  4. Configure destinations for firewall logs that Log Collectors receive.
    Each Collector Group can forward logs to different destinations. If the Log Collectors are local to a high availability (HA) pair of Panorama management servers, you must log into each HA peer to configure log forwarding for its Collector Group.
    1. Select PanoramaCollector Groups and edit the Collector Group that receives the firewall logs.
    2. (Optional, SNMP trap forwarding only) Select Monitoring and configure the SNMP settings.
    3. Select Collector Log Forwarding and Add configured match list profiles as necessary.
    4. Click OK to save your changes to the Collector Group.
  5. (Syslog forwarding only) If the syslog server requires client authentication and the firewalls forward logs to Dedicated Log Collectors, assign a certificate that secures syslog communication over SSL.
    Perform the following steps for each Dedicated Log Collector:
    1. Select PanoramaManaged Collectors and edit the Log Collector.
    2. Select the Certificate for Secure Syslog and click OK.
  6. (SNMP trap forwarding only) Enable your SNMP manager to interpret traps.
    Load the Supported MIBs and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.
  7. Commit and verify your configuration changes.
    1. Select CommitCommit and Push to commit your changes to Panorama and push the changes to device groups, templates, and Collector Groups.
    2. Verify that the external services are receiving the log information:
      • Email server—Verify that the specified recipients are receiving logs as email notifications.
      • Syslog server—Refer to the documentation for your syslog server to verify it’s receiving logs as syslog messages.
      • SNMP manager—Refer to the documentation for your SNMP trap server to verify it’s receiving logs as SNMP traps.
      • HTTP server—Verify that the HTTP-based server is receiving logs in the correct payload format.