Does Panorama send info to PA to send logs to which Log collector??

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Does Panorama send info to PA to send logs to which Log collector??

Cyber Elite
Cyber Elite

 

We have Panorama M100 and 2 M500 for logs.

Under PAnorama GUI -- log collectors i have configured which PA will send logs to which log collector.

 

Firewall does not have this info.

 

Need to know how does Firewall know which log collector it needs to send logs to?

is ths info comes from Panorama to firewall?  if yes then how and when?

MP

Help the community: Like helpful comments and mark solutions.
1 accepted solution

Accepted Solutions

Its shows the log collector preference defined IN Panorama yes. AFAIK there is no way to locally override this setting. It's impossible to have a setting here without Panorama. So there isnt a question of this configuration coming from anywhere else other than the Panorama server configured on the firewall.


View solution in original post

9 REPLIES 9

L3 Networker

First things first.

 

Is your M100 device in Panorama mode?

If so, you need to make sure that the default Local Collector is in a different Collector Group to that of the two M500's. Collector Groups must contain devices all of the same SKU. This means if you want to introduce log redundancy for logs already residing on your M100 local collector you might be out of luck. AFAIK there is no method to transfer logs between different Collector Groups (would love to be proven wrong here!).

 

But assuming your M500's are in a distinct collector group and you have configured your devices in preferences lists/'s. This should be shared with the devices as soon as it makes its association to Panorama (Setup > Panorama Servers) and the device is part of the Managed Devices list. It is not part of any Template or Device Config.

If your devices are members of the default collector group and you relocate them to another, I believe the information is pushed from Panorama when you commit to Panorama. I dont think this action requires a device push.

 

You can confirm log collector preferences on a managed firewall by running the below command on the firewall itself.

 

show log-collector status

Obviously for the logs to be collected you will need to configure log forwarding profiles and logging settings using the usual Panorama setting.

1>Yes M100 is Running inPanorama mode

 

system-mode: panorama.

 

2>Yes we have configured Preference list for each PA for sending logs to M500 in Panorama.

 

3>Under Collector group i have below

 

default M100

 

M500  -----------------2 M500 here.

 

4>So my question remains how Panorama send info to PA to send the logs to certian M500?

 

MP

Help the community: Like helpful comments and mark solutions.

Can anyone answer this please?

MP

Help the community: Like helpful comments and mark solutions.

I think i kind of answered that in my post.

 

The information is shared when a commit to Panorama is performed. In terms of the means on transport, I assume its via the Panorama communication channel over TCP 3978.

 

Does that mean when we commit on panorama and push config on fw first time regarding log collector config it then sends

this info to PA.

 

after that if no changes are made on lo collector then no config is send.

 

is there any cli or debug command to confirm this?

MP

Help the community: Like helpful comments and mark solutions.

It should take effect after a Panorama & Managed Collector commit. A push to the firewalls is not neccessary (I believe).

 

I'm not fully clear on what you're trying to confirm exactly. The command in my OP when run on the firewall will show the LC preference its has gotten from Panorama after the aforementioned commit.

You mean to say when on PA you run sh logging status

 

or show logging pref list  

 

it shows there that this info has come from panorama?

MP

Help the community: Like helpful comments and mark solutions.

Its shows the log collector preference defined IN Panorama yes. AFAIK there is no way to locally override this setting. It's impossible to have a setting here without Panorama. So there isnt a question of this configuration coming from anywhere else other than the Panorama server configured on the firewall.


Many Thanks For all your queries.

 

Best Regards

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 5013 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!