topic Re: Logs export and viewing in General Topics

Logs export and viewing

bhavin_bhatt — Mon, 11 Jul 2011 09:23:01 GMT

Hi,

I have a requirement to be able to maintain logs (all url,threat etc) for a period of atleast 6 months, this should be independant of the disk space. I have founf out that from the command line you can export the logbd using scp and back it up, bu the only downside is, correct me if i am wrong, the exported logdb can only be viewed in the PaloAlto, so to view them, i would have to import it back into the firewall, and that would overwrite existing logs.

Also, based on the log threshold, once reached, the firewall starts overwriting the logs on the disk, this means i loose my logs for that time period etc. I want to be able to find a way to retain them, and our environment requires log keeping,for all categories, and the logs do builld up quite fast, please advice.

Cheers

Bhav

Re: Logs export and viewing

reaper — Mon, 11 Jul 2011 12:39:32 GMT

Hi Bhav

There are a couple of possibilities besides backing up logdb.

You could implement a panorama management server which supports up to 2TB of disk space for logging, this would also allow you to run reports on this data as the log is still accessible and centrally manage your units

you could also set up a nightly logexport (under the device tab > Scheduled Log Export), this will export the desired log as csv format to an ftp server

alternatively you could also setup a syslog server as external log server

Re: Logs export and viewing

markjx — Mon, 11 Jul 2011 23:17:20 GMT

Bhav,

First, good luck. This is quite a difficult problem in Panlandia.

I spent the money on Panorama and threw lots of disk space on it. You're not going to be happy with the performance or the issues with managing logs. You'll have log holes, logs missing at the start of the day, etc. The word we've gotten from support and our sales team is to not consider Panorama your "gold standard" of log storage. They've suggested we purchase Splunk. We're not ready to go there; as we've already purchased Panorama.

We use the scheduled log export feature to send logs to an ftp server. I've got a set of scripts to process them and upload them into MySQL. This has worked well for us. PM me and I'll send you any of my scripts or tables.

Re: Logs export and viewing

bhavin_bhatt — Tue, 12 Jul 2011 10:42:02 GMT

Hi MJ,

Thanks for your response, it seems as if i will need your assistance on this, as i dont have much experience with scripting, but definitely like the sound of how you have set it up.

Panorama isn't an option right now, maybe arcsight, but that not in the near future, untill then i will need to schedule log export to an ftp.

Please advice/assist me with these scripts.

Cheers

Bhav

Re: Logs export and viewing

bhavin_bhatt — Wed, 20 Jul 2011 12:21:14 GMT

Hi MJ,

hope you are well.. regarding this post, i emailed you about it, it would be great to have some assistance from you.

cheers

Bhav

Re: Logs export and viewing

Claudio.Liberace — Wed, 08 Nov 2017 12:51:23 GMT

HI,

I have the same issue. I need to be able to export PaloAlto logs onto Splunk.

How can i do it?

I need to setup the IP address of Splunk as External Log Server, but i'm not able to do it.

can you advice a set of instructions to do so?

thanks

Claudio

Re: Logs export and viewing

pulukas — Sun, 12 Nov 2017 13:57:05 GMT

Create your syslog server profile for the splunk server.

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-server-profiles-syslog

Assign this profile as the forwarding server for all the types of events you want to send to splunk

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/objects/objects-log-forwarding