topic Logging events from Panorama to SIEM? in General Topics

Logging events from Panorama to SIEM?

tpb_bubbles — Fri, 27 Sep 2013 15:25:50 GMT

What methods are available for sending events from a distributed palo alto deployment which have been aggregated in panorama...to a syslog server or SIEM product? I know how to send events directly from a firewall but would hate for all my remote locations to have to send the logs twice, once to panorama and a second time to the SIEM.

In panorama it appears as though the logging configurations relate only to system events within the panorama platform as opposed to forwarding of the logs contained within panorama.

At the moment I dont have any siem in mind specifically, I am just working with a linux syslog server but am also interested in siem integration for the future.

Re: Logging events from Panorama to SIEM?

ericgearhart — Fri, 27 Sep 2013 17:29:27 GMT

tpb_bubbles Right now this is true, but there was talk of future plans to write this functionality into Panorama. I believe this feature is being worked on. PA doesn't like to make future projections without an NDA (for legal reasons I'm sure) but it's being worked on.

https://live.paloaltonetworks.com/message/17386#17386 is the thread I'm thinking of.

Re: Logging events from Panorama to SIEM?

mikand — Mon, 30 Sep 2013 09:38:48 GMT

Today your option is to setup dual-logging at each PA-device. That is it has one feed towards Panorama and one feed towards your syslog/SIEM. This syslog-feed can also be manually setup in case you only care for a few "columns", or for that matter using CEF format if your SIEM supports that format.

Tomorrow hopefully Feature Request ID 782 (tell your sales engineer to add your company to this ID) will be taken care of which means that Panorama will be able to not only forward the logs the Panorama itself created but also "relay" any incoming logs from the PA-devices. This way (since Panorama uses some kind of delivery secured method) the PA devices will only have to log once (compared to twice as today) and if the connection with Panorama is lost the logs will not be lost (as with syslog which sends out to devnull) but buffered on the PA device until Panorama returns and then fetches whatever logs were produced while the link between the PA and Panorama was down.

Re: Logging events from Panorama to SIEM?

PeterT — Mon, 22 Jan 2018 23:13:14 GMT

Just an update for anybody who stumbles across this post like I did but since PANOS 6 Panorama will both forward Panorama events to a SIEM AND also send all the logs it receives from the various PA systems as well, i.e. act as a log aggregrator and forward.

What I don't know, and I bet you can't, is ONLY send the Panorama logs and not the aggregate logs as support said "Panorama will forward whatever logs in the logdb, no matter it generated locally by Panorama itself or the log aggregated from FW, it will forwarded to the external destination." which suggests to me you can't and is a design flaw but oh well, it is what it is.

For configuration see:

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-log-collection/configure-log-forwarding-from-panorama-to-external-destinations