log forwarding to m500 and SIEM


Cyber Elite

We have Panorama in active and passive and all firewalls are connected to it.

We have an m500 log collector and when I run the below command

sh logging status

I see the firewall is sending logs to the m500.

Also, we have configured logs to be sent to the SIEM.

1> Need to know if SIEM logs are sent directly from the firewall to the SIEM?

How can I verify that?

2> Need to know if any logs are going to Panorama or not?

Does Panorama get all the logs from the m500?

How can I verify the above?

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

@MP18 wrote:
1> Need to know if SIEM logs are sent directly from the firewall to the SIEM?

How can I verify that?


Depends on how you configured it. If you have configured a log forwarding profile with forwarding to your SIEM and have attached that profile to your security policies, then the logs are sent directly from the firewall. But you also have the possibility to forward all logs consolidated from the log collector in the collector group settings.

Here is some help to check which way logs are forwarded:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqICAS

L7 Applicator

@MP18 wrote:

2> Need to know if any logs are going to Panorama or not?

Does Panorama get all the logs from the m500?

How can I verify the above?


If you forward the logs to a log collector, then Panorama actually does not get the logs at all. The logs are stored on the collector, and Panorama connects to the log collector to get the logs that you want to see in the Monitor tab or for reports.

To check if there are received logs, read this article: https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/manage-log-collection...

I checked the security policy and log forwarding.

Under log forwarding I see logs are going to the SIEM under syslog.

So these logs seem to go directly to the SIEM, right?

Also, under location I see Panorama. What does it mean?

MP


Is it safe to run the below command

debug log-receiver statistics?
MP


L7 Applicator

@MP18 wrote:

Is it safe to run the below command

debug log-receiver statistics?

Yes, it is.

Which counter will tell me logs are going to the collector?

debug log-receiver statistics

Logging statistics
------------------------------ -----------
Log incoming rate: 260/sec
Log written rate: 260/sec
Corrupted packets: 0
Corrupted URL packets: 0
Corrupted HTTP HDR packets: 0
Corrupted EMAIL HDR packets: 0
Logs discarded (queue full): 0
Traffic logs written: 1574247759
GTP logs written: 0
Tunnel logs written: 0
Auth logs written: 58
Userid logs written: 60429003
URL logs written: 812033478
Wildfire logs written: 4420
Anti-virus logs written: 49
Widfire Anti-virus logs written: 219
Spyware logs written: 176790587
Spyware-DNS logs written: 1426
Attack logs written: 0
Vulnerability logs written: 11236847
Fileext logs written: 40
Fileext logs URL not written: 40
Fileext logs URL not written (timedout): 0
URL cache age out count: 0
URL cache full count: 786944447
URL cache key exist count: 2633725
URL cache wrt incomplete http hdrs count: 0
URL cache rcv http hdr before url count: 0
URL cache full drop count(url log not received): 0
URL cache age out drop count(url log not received): 0
Email hdr cache count: 4531
Email hdr cache hit count: 1182961
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Netflow incoming count: 0
Log Forward count: 8444
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Total logs not written due to disk unavailability: 0
Logs not written since disk became unavailable: 0

Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
Num current drop entries in gtpsum:0
Num cumulative drop entries in gtpsum:0

External Forwarding stats:
Type      Enqueue Count   Send Count   Drop Count   Queue Depth   Send Rate(last 1min)
syslog    4543321883      4543321883   0            0             33955
snmp      0               0            0            0             0
email     6306            6306         0            0             0
raw       2574313513      2574313513   0            0             20895
http      0               0            0            0             0
autotag   0               0            0            0             0

MP


L7 Applicator

@MP18 wrote:

raw 2574313513 2574313513 0 0 20895


 

Many thanks!!

MP
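
An added example, not part of the thread and not Palo Alto Networks code: a small Python check over the debug log-receiver statistics output posted above, useful for confirming that the SIEM and collector paths are not silently losing logs. It assumes the syslog row is the SIEM path (as the log forwarding profile in the thread suggests) and the raw row is the log collector path (as the accepted answer indicates); the function names, the checks and the second sample are constructed for illustration.

```python
import re

# Sample 1: excerpt of the output posted in the thread.
HEALTHY = """\
Logs discarded (queue full): 0
Log Forward count: 8444
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0

External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send Rate(last 1min)
syslog 4543321883 4543321883 0 0 33955
snmp 0 0 0 0 0
email 6306 6306 0 0 0
raw 2574313513 2574313513 0 0 20895
"""
# Sample 2: constructed values showing a syslog backlog and drops.
DEGRADED = HEALTHY.replace("syslog 4543321883 4543321883 0 0 33955",
                           "syslog 4543321883 4543300000 21000 883 0")

ROW = re.compile(r"^(\w+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.M)
DISCARD = re.compile(r"^(.*discarded.*?):[ \t]*(\d+)[ \t]*$", re.M)
FIELDS = ("enqueued", "sent", "dropped", "queue_depth", "rate_1min")

def parse_forwarding(text):
    """Return {type: {field: int}} for the External Forwarding stats table."""
    table = text.split("External Forwarding stats:", 1)[-1]
    return {m.group(1): dict(zip(FIELDS, map(int, m.groups()[1:])))
            for m in ROW.finditer(table)}

def findings(text, expected=("syslog", "raw")):
    """List reasons to doubt that logs reach the syslog server or collector."""
    out = []
    stats = parse_forwarding(text)
    for kind in expected:
        row = stats.get(kind)
        if row is None or row["enqueued"] == 0:
            out.append(f"{kind}: nothing enqueued")
            continue
        if row["dropped"]:
            out.append(f"{kind}: {row['dropped']} dropped")
        if row["sent"] < row["enqueued"]:
            out.append(f"{kind}: {row['enqueued'] - row['sent']} enqueued but "
                       f"not sent (queue depth {row['queue_depth']})")
        if row["rate_1min"] == 0:
            out.append(f"{kind}: send rate 0 in the last minute")
    # Any non-zero "discarded" counter in the upper section is also reported.
    out += [f"{name.strip()}: {n}" for name, n in DISCARD.findall(text) if int(n)]
    return out
```

An empty list from findings() means the counters show every enqueued log was sent; it does not prove the receiver stored it, so the SIEM side still needs its own check.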
