How we can monitor/detect that a particular FW stopped sending traffic logs to LogCollector


L1 Bithead

Hi Community

 

I'm looking for the possibility to be notified (trap/snmp/Panorama event) in the situation that a particular FW which is assigned to LogCollector for some reason stopped sending traffic to it. Let's assume that if there is a 1h gap I want to be notified.

For some reason, I'm not considering implementing Syslog here.

 

When such a situation has occurred FW is logging:

( description contains 'Failed to connect to address: X.X.X.X port: 3978, conn id: lr-X.X.X.X-def' )

( description contains 'Number of hints on disk has exceeded 5000 due to log forward failures.' )

 

I know that I can set up under Device>LogSettings new entry like the below:

Screenshot_1862.png

But this solution will generate an event on Panorama with severity informational (as the original "Failed to connect to address" event was), when I'd like to have it marked as critical. Moreover, such a config must be deployed to all FWs, while we have just one LogCollector per dozens of FWs. That's why I'm looking for something more clever 😉

 

Currently, this is my idea, its not tested but I'm pretty sure that guys here had the same problem and maybe someone will share the working solution here.

 

with regards

Slawek
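A small watchdog for the two signals described in the question (a firewall silent for longer than the 1h gap, and the two quoted system-log descriptions re-rated as critical), as an added example that is not part of the original post or of any Palo Alto Networks tool. The firewall serials, timestamps and addresses in it are constructed, and how the per-firewall last-seen timestamps are pulled from the Log Collector is left to the caller.

```python
"""Watchdog for firewalls that stopped forwarding logs to a Log Collector.

Added example, not from the thread or from Palo Alto Networks. It checks the
two signals from the question: a firewall silent for longer than the 1 h gap
(or never heard from), and the two quoted system-log descriptions, which are
re-rated as critical. Timestamps are ISO 8601 strings in one time zone; the
sample data are constructed, and the caller is assumed to fetch real
last-seen times from the collector.
"""
import re
from datetime import datetime, timedelta

# Patterns for the PAN-OS system-log descriptions quoted in the question.
FAILURE_PATTERNS = [
    re.compile(r"Failed to connect to address: (?P<addr>\S+) port: (?P<port>\d+), "
               r"conn id: (?P<conn>\S+)"),
    re.compile(r"Number of hints on disk has exceeded (?P<hints>\d+) "
               r"due to log forward failures"),
]

def silent_firewalls(last_seen, now, expected=(), gap_minutes=60):
    """Return {serial: minutes_silent} for firewalls silent longer than the gap.

    last_seen maps serial -> ISO-8601 time of the newest log received from it.
    Serials in expected that are missing from last_seen are reported as None.
    """
    now_ts = datetime.fromisoformat(now)
    gap = timedelta(minutes=gap_minutes)
    silent = {serial: None for serial in expected if serial not in last_seen}
    for serial, ts in last_seen.items():
        age = now_ts - datetime.fromisoformat(ts)
        if age > gap:
            silent[serial] = int(age.total_seconds() // 60)
    return silent

def classify_system_log(description):
    """Return ('critical', fields) for a forwarding-failure description, else informational."""
    for pattern in FAILURE_PATTERNS:
        match = pattern.search(description)
        if match:
            return "critical", match.groupdict()
    return "informational", {}

if __name__ == "__main__":
    # Constructed sample: FW-B silent for 2.5 h, FW-C assigned but never seen.
    seen = {"FW-A": "2021-05-10T11:55:00", "FW-B": "2021-05-10T09:30:00"}
    print(silent_firewalls(seen, "2021-05-10T12:00:00", expected=["FW-A", "FW-B", "FW-C"]))
    print(classify_system_log("Failed to connect to address: 10.0.0.5 port: 3978, "
                              "conn id: lr-10.0.0.5-def"))
```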

4 REPLIES

Cyber Elite

@S_Owoc,

Why aren't you considering implementing a simple syslog server that you could use to handle these alerts? If that's out, I would just have the device send an email/Slack alert itself so you know there's actually a problem. 

I can't use syslog for some reason which I can't share here.


Any idea how to achieve my goal from LogCollector perspective?


Regards

Slawek

Hi @S_Owoc ,

The only approach I can think of right now is forwarding those logs to an email relay.

- Create a system log forwarding profile, similar to your screenshot.

- Select Email as the forwarding method and create an email profile with an email relay that will accept email from the firewall.

- Configure all of this in a separate template that you can assign to any template stack you want and have it pushed to all firewalls that you manage. You can use template variables to use different IP addresses for the mail relay if the firewalls are in different locations/regions and cannot reach the same relay.

I don't have practical experience with dedicated log collectors, but I am wondering, wouldn't the log collector/Panorama generate a similar log if it loses connectivity with a firewall? If so, you can again have log forwarding to email, but from the log collector's perspective.


L1 Bithead

Hi guys,


This link seems to be a good starting point:

https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/administer-panorama/monitor-panorama/...


log forwarding status from individual firewalls to Panorama and external servers.

Unfortunately, there is no OID listed for these values; does anyone have an idea where to find them?

Regards

Slawek
