10-21-2018 08:13 AM
We have Panorama in active and passive, and all firewalls are connected to it.
We have an M500 log collector, and when I run the below command
sh logging status
I see the firewall is sending logs to the M500.
Also, we have configured logs to be sent to a SIEM.
1> Need to know if SIEM logs are sent directly from the firewall to the SIEM?
How can I verify that?
2> Need to know if any logs are going to Panorama or not?
Does Panorama get all the logs from the M500?
How can I verify the above?
10-21-2018 01:38 PM - edited 10-21-2018 01:50 PM
@MP18 wrote:
1> Need to know if SIEM logs are sent directly from the firewall to the SIEM? How can I verify that?
Depends on how you configured it. If you have configured a log forwarding profile with forwarding to your SIEM and have attached that profile to your security policies, then the logs are sent directly from the firewall. But you also have the possibility to forward all logs consolidated from the log collector in the collector group settings.
Here is some help to check which way logs are forwarded:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqICAS
10-21-2018 03:16 PM
@MP18 wrote: 2> Need to know if any logs are going to Panorama or not?
Does Panorama get all the logs from the M500?
How can I verify the above?
If you forward the logs to a log collector, then Panorama actually does not get the logs at all. The logs are stored on the collector, and Panorama connects to the log collector to get the logs that you want to see in the monitor tab or for reports.
To check if there are received logs, read this article: https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/manage-log-collection...
10-22-2018 06:53 AM
I checked the security policy and log forwarding.
Under log forwarding I see logs are going to the SIEM under syslog.
So these logs seem to go directly to the SIEM, right?
Also, under location I see Panorama. What does it mean?
10-22-2018 06:54 AM
Is it safe to run the below command?
debug log-receiver statistics
10-22-2018 03:23 PM
@MP18 wrote: Is it safe to run the below command?
debug log-receiver statistics
Yes, it is.
10-22-2018 03:28 PM
Which counter will tell me logs are going to the collector?
debug log-receiver statistics
Logging statistics
------------------------------ -----------
Log incoming rate: 260/sec
Log written rate: 260/sec
Corrupted packets: 0
Corrupted URL packets: 0
Corrupted HTTP HDR packets: 0
Corrupted EMAIL HDR packets: 0
Logs discarded (queue full): 0
Traffic logs written: 1574247759
GTP logs written: 0
Tunnel logs written: 0
Auth logs written: 58
Userid logs written: 60429003
URL logs written: 812033478
Wildfire logs written: 4420
Anti-virus logs written: 49
Widfire Anti-virus logs written: 219
Spyware logs written: 176790587
Spyware-DNS logs written: 1426
Attack logs written: 0
Vulnerability logs written: 11236847
Fileext logs written: 40
Fileext logs URL not written: 40
Fileext logs URL not written (timedout): 0
URL cache age out count: 0
URL cache full count: 786944447
URL cache key exist count: 2633725
URL cache wrt incomplete http hdrs count: 0
URL cache rcv http hdr before url count: 0
URL cache full drop count(url log not received): 0
URL cache age out drop count(url log not received): 0
Email hdr cache count: 4531
Email hdr cache hit count: 1182961
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Netflow incoming count: 0
Log Forward count: 8444
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Total logs not written due to disk unavailability: 0
Logs not written since disk became unavailable: 0
Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
Num current drop entries in gtpsum:0
Num cumulative drop entries in gtpsum:0
External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send Rate(last 1min)
syslog 4543321883 4543321883 0 0 33955
snmp 0 0 0 0 0
email 6306 6306 0 0 0
raw 2574313513 2574313513 0 0 20895
http 0 0 0 0 0
autotag 0 0 0 0 0
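A small parser for the debug log-receiver statistics output pasted above, added here as an example (it is not from this thread or from Palo Alto Networks): it pulls the "Name: value" counters and the External Forwarding table into dictionaries and flags any nonzero discard counter or any table row where sends lag enqueues or drops are counted, which is the check to run before concluding that forwarding is healthy. The sample text is constructed from the posted output, trimmed, with one counter set nonzero so the check has something to flag.

```python
import re

# Constructed sample, trimmed from the output posted in this thread, with one
# counter changed to a nonzero value so the check has something to flag.
SAMPLE = """Logging statistics
Log incoming rate: 260/sec
Logs discarded (queue full): 0
Log Forward count: 8444
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 3
External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send Rate(last 1min)
syslog 4543321883 4543321883 0 0 33955
raw 2574313513 2574313513 0 0 20895
"""

# "Name: value" lines (a trailing "/sec" unit is tolerated); table rows are a
# type name followed by five integer columns, so the header row never matches.
COUNTER_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>\d+)(?:/sec)?\s*$")
ROW_RE = re.compile(r"^(?P<type>\w+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
COLS = ("enqueued", "sent", "dropped", "queue_depth", "send_rate")


def parse_stats(text):
    """Return (counters, forwarding): plain counters and per-type table rows."""
    counters, forwarding = {}, {}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("External Forwarding stats"):
            in_table = True  # everything after this header is the table
            continue
        if in_table:
            m = ROW_RE.match(line)
            if m:
                forwarding[m.group("type")] = dict(zip(COLS, map(int, m.groups()[1:])))
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters, forwarding


def forwarding_problems(counters, forwarding):
    """Flag nonzero discard counters and table rows that drop or fall behind."""
    problems = [f"{n} = {v}" for n, v in counters.items()
                if "discarded" in n.lower() and v]
    for kind, row in forwarding.items():
        if row["dropped"] or row["enqueued"] != row["sent"]:
            problems.append(f"{kind}: enqueued {row['enqueued']} sent "
                            f"{row['sent']} dropped {row['dropped']}")
    return problems
```

Run it against the real output captured from the CLI; an empty list from forwarding_problems means no discards or send/enqueue mismatches were recorded since the counters were last reset.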
10-24-2018 05:47 PM
Many thanks !!