topic Re: log forwarding to m500 and SIEM in General Topics

log forwarding to m500 and SIEM

MP18 — Sun, 21 Oct 2018 15:13:36 GMT

we have panorama in active and passive and all firewalls are connected to it.

We have m500 log collector and when i run below command

sh logging status

i see the firewall is sending logs to m500

also we have configured logs to be send to SIEM.

1>Need to know if SIEM logs are directly send from firewall to SIEM?

how can i verify that?

2>Need to know if any logs are going to Panorama or not?

Does Panorama gets all the logs from m500?

How can i verify the above?

Re: log forwarding to m500 and SIEM

Remo — Sun, 21 Oct 2018 20:50:32 GMT

@MP18 wrote:
1>Need to know if SIEM logs are directly send from firewall to SIEM?
how can i verify that?

Depends on how you configured it. If you have configured a log forwarding profile with the forwarding to your SIEM and have attached that profile to your security policies, then the logs are sent directly from the firewall. But you also have the possibility to forward all logs consolidated from the log collecter in the collector group settings.

Here is some help to check which way logs are forwarded:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqICAS

Re: log forwarding to m500 and SIEM

Remo — Sun, 21 Oct 2018 22:16:14 GMT

@MP18 wrote:
2>Need to know if any logs are going to Panorama or not?
Does Panorama gets all the logs from m500?
How can i verify the above?

If you forward the logs to a log collecter then panorama actually does not get the logs at all. The logs are stored on the collector and panorama connects to the log collector to get logs that you want to see in the monitor tab or for reports.

To check if there are received logs, read this article: https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/manage-log-collection/verify-log-forwarding-to-panorama

Re: log forwarding to m500 and SIEM

MP18 — Mon, 22 Oct 2018 13:53:22 GMT

I check the security policy and log forwarding .

Under log forwarding I see logs are going to SIEM under syslog

So these logs seems directly go to SIEM right?

Also under location I see panorama what does it mean?

Re: log forwarding to m500 and SIEM

MP18 — Mon, 22 Oct 2018 13:54:40 GMT

is it safe to run below command

 debug log-receiver statistics?

Re: log forwarding to m500 and SIEM

Remo — Mon, 22 Oct 2018 22:23:28 GMT

@MP18 wrote:
is it safe to run below command
 debug log-receiver statistics?

Yes, it is.

Re: log forwarding to m500 and SIEM

MP18 — Mon, 22 Oct 2018 22:28:07 GMT

which counter will tell me logs are going to collector?

debug log-receiver statistics

Logging statistics
------------------------------ -----------
Log incoming rate: 260/sec
Log written rate: 260/sec
Corrupted packets: 0
Corrupted URL packets: 0
Corrupted HTTP HDR packets: 0
Corrupted EMAIL HDR packets: 0
Logs discarded (queue full): 0
Traffic logs written: 1574247759
GTP logs written: 0
Tunnel logs written: 0
Auth logs written: 58
Userid logs written: 60429003
URL logs written: 812033478
Wildfire logs written: 4420
Anti-virus logs written: 49
Widfire Anti-virus logs written: 219
Spyware logs written: 176790587
Spyware-DNS logs written: 1426
Attack logs written: 0
Vulnerability logs written: 11236847
Fileext logs written: 40
Fileext logs URL not written: 40
Fileext logs URL not written (timedout): 0
URL cache age out count: 0
URL cache full count: 786944447
URL cache key exist count: 2633725
URL cache wrt incomplete http hdrs count: 0
URL cache rcv http hdr before url count: 0
URL cache full drop count(url log not received): 0
URL cache age out drop count(url log not received): 0
Email hdr cache count: 4531
Email hdr cache hit count: 1182961
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Netflow incoming count: 0
Log Forward count: 8444
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Total logs not written due to disk unavailability: 0
Logs not written since disk became unavailable: 0

Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
Num current drop entries in gtpsum:0
Num cumulative drop entries in gtpsum:0

External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send Rate(last 1min)
syslog 4543321883 4543321883 0 0 33955
snmp 0 0 0 0 0
email 6306 6306 0 0 0
raw 2574313513 2574313513 0 0 20895
http 0 0 0 0 0
autotag 0 0 0 0 0

Re: log forwarding to m500 and SIEM

Remo — Wed, 24 Oct 2018 23:55:26 GMT

@MP18 wrote:
raw 2574313513 2574313513 0 0 20895

Re: log forwarding to m500 and SIEM

MP18 — Thu, 25 Oct 2018 00:47:33 GMT

Many thanks !!