topic Re: Managed PAs system log filtering and email alert on Panorama in Panorama Discussions

Managed PAs system log filtering and email alert on Panorama

b.nazir — Fri, 03 Dec 2021 19:41:55 GMT

If PAs are managed with Panorama and PAs are configured for log forwarding to Panorama. On Panorama > Log settings, Filter can be added for PAs system logs, logs can be seen on 'view filtered logs' as well. but email alerts are not generated. Only Panorama-based events are sent in email. If log settings are only for panorama system logs, then why it's showing the PAs system logs in view filtered logs. Is it expected to be like this?

If yes, then is there any method to apply a filter for PA systems logs and create email alerts against that filter on Panorama?

Re: Managed PAs system log filtering and email alert on Panorama

PavelK — Fri, 03 Dec 2021 22:10:59 GMT

Thank you for posting question @b.nazir

Getting email alerts from Panorama for Firewall System Logs is functional feature and these alerts are not limited to Panorama System Logs. By looking into my Panorama setup where this is working, the setup is fairly straightforward and based on what you described your setup should work. Just in the case, could you please confirm that you configured it in a similar way as below example for critical logs.

Kind Regards

Pavel

Re: Managed PAs system log filtering and email alert on Panorama

b.nazir — Mon, 06 Dec 2021 13:14:40 GMT

Hi Pavel,

thanks for the quick reply.

yes, I have the same config but a different filter. Actually, I am trying to put a filter to detect the license expiration notification for managed PAs via email.

In view filter logs, I can see all the events but not via email. Email settings are correct, getting email alerts for other severity levels.

Re: Managed PAs system log filtering and email alert on Panorama

PavelK — Mon, 06 Dec 2021 22:55:09 GMT

Thank you for reply and additional information @b.nazir

I see. I just crosschecked setting on my side and searched my mailbox and I realized that I am getting these license expiration alerts directly from the Firewalls instead of from Panorama. The syslog as well as email profiles are pushed from Template. I have an email alert on Panorama for critical severities, but this alert comes from Firewall itself. I could not find any reference whether this is supported, however all examples from KB are referring to setting this up locally on Firewall, so potentially this is not supported from Panorama.

Kind Regards

Pavel

Re: Managed PAs system log filtering and email alert on Panorama

RobertShawver — Tue, 01 Mar 2022 15:14:36 GMT

Sorry to hijack this thread, but I am having similar issue:

What am I missing here? I want an email alert when the Panorama sees a device pair not sync'd. I am using the System logs for this following this document: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGjCAK

Filtering on (description contains 'synchronize manually') and (severity eq high)

Seems easy enough, but what I don't understand is how do you know it's working? There is no way to test and it doesn't really explain what triggers it to send, how often it checks, nothing.

The end of the doc says to look at this doc for "How to Configure Email Alerts" https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHZCA0

But you can't select the System Logs that you just configured in the previous doc.