What methods are available for sending events from a distributed Palo Alto deployment which have been aggregated in Panorama to a syslog server or SIEM product? I know how to send events directly from a firewall but would hate for all my remote locations to have to send the logs twice, once to Panorama and a second time to the SIEM.
In Panorama it appears as though the logging configurations relate only to system events within the Panorama platform as opposed to forwarding of the logs contained within Panorama.
At the moment I don't have any SIEM in mind specifically, I am just working with a Linux syslog server but am also interested in SIEM integration for the future.
tpb_bubbles Right now this is true, but there was talk of future plans to write this functionality into Panorama. I believe this feature is being worked on. PA doesn't like to make future projections without an NDA (for legal reasons I'm sure) but it's being worked on.
https://live.paloaltonetworks.com/message/17386#17386 is the thread I'm thinking of.
Today your option is to set up dual-logging at each PA device. That is, it has one feed towards Panorama and one feed towards your syslog/SIEM. This syslog feed can also be manually set up in case you only care for a few "columns", or for that matter using CEF format if your SIEM supports that format.
Tomorrow, hopefully, Feature Request ID 782 (tell your sales engineer to add your company to this ID) will be taken care of, which means that Panorama will be able to not only forward the logs the Panorama itself created but also "relay" any incoming logs from the PA devices. This way (since Panorama uses some kind of delivery-secured method) the PA devices will only have to log once (compared to twice as today), and if the connection with Panorama is lost the logs will not be lost (as with syslog, which sends out to devnull) but buffered on the PA device until Panorama returns and then fetches whatever logs were produced while the link between the PA and Panorama was down.
Just an update for anybody who stumbles across this post like I did, but since PAN-OS 6 Panorama will both forward Panorama events to a SIEM AND also send all the logs it receives from the various PA systems as well, i.e. act as a log aggregator and forwarder.
What I don't know, and I bet you can't, is ONLY send the Panorama logs and not the aggregate logs as support said "Panorama will forward whatever logs in the logdb, no matter it generated locally by Panorama itself or the log aggregated from FW, it will forwarded to the external destination." which suggests to me you can't and is a design flaw but oh well, it is what it is.
For configuration see:
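Since, as the reply above notes, Panorama forwards both its own logs and the aggregated firewall logs to the same destination, the practical way to tell them apart is at the receiving end, by originating serial number. The following is an added example (not from this thread and not Palo Alto's own code): it strips an assumed syslog header, reads the CSV body assuming the PAN-OS field order (future_use, receive_time, serial, type, subtype, ...), and buckets records by origin; the serial numbers and sample lines are constructed placeholders.

```python
import csv
import re
from collections import Counter

# Optional syslog header, e.g. "<14>May  1 10:00:01 panorama " (assumed layout).
_SYSLOG_HDR = re.compile(r"^(?:<\d+>)?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")

# Serial numbers of the Panorama appliances (placeholders, not real values).
PANORAMA_SERIALS = {"PANORAMA-SERIAL-1"}

# Constructed sample feed. Field order assumed: future_use, receive_time,
# serial, type, subtype, ... (PAN-OS CSV style, with placeholder serials).
SAMPLE_FEED = """\
<14>May  1 10:00:01 panorama 1,2014/05/01 10:00:01,PANORAMA-SERIAL-1,SYSTEM,general,0,2014/05/01 10:00:01,,,,panorama started
<14>May  1 10:00:02 panorama 1,2014/05/01 10:00:02,FW-SERIAL-A,TRAFFIC,end,0,2014/05/01 10:00:02,10.0.0.5,10.0.1.9,,allow
<14>May  1 10:00:03 panorama 1,2014/05/01 10:00:03,FW-SERIAL-B,THREAT,vulnerability,0,2014/05/01 10:00:03,10.0.2.7,10.0.1.9,,alert
<14>May  1 10:00:04 panorama 1,2014/05/01 10:00:04,FW-SERIAL-A,SYSTEM,general,0,2014/05/01 10:00:04,,,,commit finished
<14>May  1 10:00:05 panorama this line is not a log record
"""

def parse_record(line):
    """Strip the syslog header and pull serial/type/subtype from the CSV body."""
    body = _SYSLOG_HDR.sub("", line, count=1)
    fields = next(csv.reader([body]))
    if len(fields) < 5 or not fields[2] or not fields[3]:
        return None  # malformed: no serial or type to route on
    origin = "panorama" if fields[2] in PANORAMA_SERIALS else "firewall"
    return {"serial": fields[2], "type": fields[3], "subtype": fields[4], "origin": origin}

def split_feed(text):
    """Bucket records by origin so a SIEM rule can treat each feed separately."""
    buckets = {"panorama": [], "firewall": [], "unparsed": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            buckets["unparsed"].append(line)  # keep, do not silently drop
        else:
            buckets[rec["origin"]].append(rec)
    return buckets

def summarize(text):
    """Count (origin, type) pairs, e.g. to alert when a firewall stops reporting."""
    b = split_feed(text)
    return Counter((r["origin"], r["type"]) for k in ("panorama", "firewall") for r in b[k])
```

Feeding the SIEM with the "firewall" bucket only gives the aggregated firewall view, while the "panorama" bucket isolates Panorama's own system events.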