https://live.paloaltonetworks.com/t5/panorama-discussions/forward-logs-from-firewalls-to-panorama-and-from-panorama-to/m-p/545149#M1569 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>I planning to forward the Panorama logs to azure sentinel, while I have log collector&nbsp; configured to log to Panorama. I found a document that specifies that it not possible "<SPAN>A Panorama virtual appliance running Panorama 6.0 or later releases, and M-Series appliances running any release, do not support these options because the log database on those models is too large for an export or import to be practical." Please confirm this.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-log-collection/configure-log-forwarding-from-panorama-to-external-destinations" target="_blank">https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-log-collection/configure-log-forwarding-from-panorama-to-external-destinations</A>.</P> <P>&nbsp;</P> <P>The other option could be&nbsp;<SPAN>Log Forwarding to External Services and Panorama in Parallel. In this case do I need to create syslog profile under panorama --&gt; syslog or Device (GLOBAL-COFIG-TEMPLATE)&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Finally can I add syslog profile&nbsp;to Log Forwarding&nbsp;Profile Match List, together with Panorama under the same log forwarding Profile, in which my case is Shared</SPAN></P> Wed, 07 Jun 2023 20:00:56 GMT MP-Firewall 2023-06-07T20:00:56Z https://live.paloaltonetworks.com/t5/panorama-discussions/forward-logs-from-firewalls-to-panorama-and-from-panorama-to/m-p/545149#M1569 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>I planning to forward the Panorama logs to azure sentinel, while I have log collector&nbsp; configured to log to Panorama. I found a document that specifies that it not possible "<SPAN>A Panorama virtual appliance running Panorama 6.0 or later releases, and M-Series appliances running any release, do not support these options because the log database on those models is too large for an export or import to be practical." Please confirm this.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-log-collection/configure-log-forwarding-from-panorama-to-external-destinations" target="_blank">https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-log-collection/configure-log-forwarding-from-panorama-to-external-destinations</A>.</P> <P>&nbsp;</P> <P>The other option could be&nbsp;<SPAN>Log Forwarding to External Services and Panorama in Parallel. In this case do I need to create syslog profile under panorama --&gt; syslog or Device (GLOBAL-COFIG-TEMPLATE)&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Finally can I add syslog profile&nbsp;to Log Forwarding&nbsp;Profile Match List, together with Panorama under the same log forwarding Profile, in which my case is Shared</SPAN></P> Wed, 07 Jun 2023 20:00:56 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/forward-logs-from-firewalls-to-panorama-and-from-panorama-to/m-p/545149#M1569 MP-Firewall 2023-06-07T20:00:56Z https://live.paloaltonetworks.com/t5/panorama-discussions/forward-logs-from-firewalls-to-panorama-and-from-panorama-to/m-p/545458#M1575 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/235045">@MP-Firewall</a> ,</P> <P>I believe you are interpreting the documentation incorrectly. The document explain that you cannot export logs with SCP from Panorama (..you can <A class="xref" title="" href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files.html" target="_blank" rel="noopener" data-scope="external" data-format="dita" data-type="">use Secure Copy (SCP) commands from the CLI</A> to export the entire log database...running Panorama 6.0 or later releases... do not support these options )<BR /><BR /></P> <P>What you are looking for is described in the first figure from this document - <A href="https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-logging-and-reporting/log-forwarding-options" target="_blank">https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-logging-and-reporting/log-forwarding-options</A></P> <P>&nbsp;</P> <P>The link you mentioned provide steps how to configure Syslog forwarding from Panorama to external server.</P> <P>Since you are planning to use Azure Sentinel, you need to remember that Sentinel expects logs to be in CEF format.You need to set custom log format for each log time that you want to forward to Sentinel. Here are CEF templates - <A href="https://docs.paloaltonetworks.com/resources/cef" target="_blank">https://docs.paloaltonetworks.com/resources/cef</A> </P> <P>But be aware that there were some typos as I have explained here - <A href="https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m-p/378425" target="_blank">https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m-p/378425</A> It was long ago and I am hoping those were fixed, but if you are missing some log types in Sentinel I would suggest you to verify the custom log format first</P> Fri, 09 Jun 2023 09:47:30 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/forward-logs-from-firewalls-to-panorama-and-from-panorama-to/m-p/545458#M1575 aleksandar.astardzhiev 2023-06-09T09:47:30Z