Logs export and viewing


Not applicable

Hi,

I have a requirement to be able to maintain logs (all URL, threat etc.) for a period of at least 6 months; this should be independent of the disk space. I have found out that from the command line you can export the logdb using SCP and back it up, but the only downside is, correct me if I am wrong, the exported logdb can only be viewed in the Palo Alto, so to view them I would have to import it back into the firewall, and that would overwrite existing logs.

Also, based on the log threshold, once reached, the firewall starts overwriting the logs on the disk; this means I lose my logs for that time period etc. I want to be able to find a way to retain them, and our environment requires log keeping for all categories, and the logs do build up quite fast. Please advise.

Cheers

Bhav


Cyber Elite

Hi Bhav

There are a couple of possibilities besides backing up logdb.

You could implement a Panorama management server, which supports up to 2 TB of disk space for logging; this would also allow you to run reports on this data, as the log is still accessible, and centrally manage your units.

You could also set up a nightly log export (under the Device tab > Scheduled Log Export); this will export the desired log in CSV format to an FTP server.

Alternatively, you could also set up a syslog server as an external log server.

Tom Piens
PANgurus - (co)managed services and consultancy

Not applicable

Bhav,

First, good luck. This is quite a difficult problem in Panlandia.

I spent the money on Panorama and threw lots of disk space on it. You're not going to be happy with the performance or the issues with managing logs. You'll have log holes, logs missing at the start of the day, etc. The word we've gotten from support and our sales team is to not consider Panorama your "gold standard" of log storage. They've suggested we purchase Splunk. We're not ready to go there, as we've already purchased Panorama.

We use the scheduled log export feature to send logs to an ftp server. I've got a set of scripts to process them and upload them into MySQL. This has worked well for us. PM me and I'll send you any of my scripts or tables.


MJ
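MJ offers the scripts only by private message, so none of them appear in this thread. As an added illustration in the same spirit (not MJ's code, and not anything from Palo Alto Networks), here is a minimal loader that reads a scheduled CSV export and archives it in SQLite, keyed on firewall serial plus log sequence number so that re-running it over a file that was already imported does not create duplicate rows. The export header and rows are a constructed sample; the column names in a real export should be checked against its own header line.

```python
import csv
import io
import sqlite3

# Constructed sample of a scheduled URL log export in CSV form.
# Column names are an assumption for illustration only; a real export
# carries many more fields, and the header row should be checked first.
SAMPLE_EXPORT = """receive_time,serial,seqno,src,dst,category,url,action
2019/03/01 00:00:01,001234567890,100001,10.1.1.5,203.0.113.10,business-and-economy,example.com/,alert
2019/03/01 00:00:02,001234567890,100002,10.1.1.7,203.0.113.11,malware,bad.example/,block-url
2019/03/01 00:00:02,001234567890,100003,10.1.1.9,203.0.113.12,search-engines,search.example/,alert
"""

def open_archive(path=":memory:"):
    """Open (or create) the long-term archive; ':memory:' keeps this demo offline."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS url_log (
        receive_time TEXT, serial TEXT, seqno INTEGER, src TEXT, dst TEXT,
        category TEXT, url TEXT, action TEXT,
        PRIMARY KEY (serial, seqno))""")
    return conn

def import_export(conn, csv_text):
    """Load one export file. Returns (rows_inserted, rows_already_present).

    The (serial, seqno) primary key makes the import idempotent: feeding the
    same nightly file twice, or two overlapping files, cannot double-count.
    """
    inserted = skipped = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        cur = conn.execute(
            "INSERT OR IGNORE INTO url_log VALUES (?,?,?,?,?,?,?,?)",
            (row["receive_time"], row["serial"], int(row["seqno"]), row["src"],
             row["dst"], row["category"], row["url"], row["action"]))
        if cur.rowcount == 1:
            inserted += 1
        else:
            skipped += 1
    conn.commit()
    return inserted, skipped

def blocked_by_category(conn):
    """Example retention-period query: blocked URL hits per category."""
    rows = conn.execute("SELECT category, COUNT(*) FROM url_log "
                        "WHERE action LIKE 'block%' GROUP BY category").fetchall()
    return dict(rows)

if __name__ == "__main__":
    archive = open_archive()
    print(import_export(archive, SAMPLE_EXPORT))   # first run loads 3 rows
    print(import_export(archive, SAMPLE_EXPORT))   # second run skips all 3
    print(blocked_by_category(archive))
```

Pointing `open_archive` at a file path instead of `:memory:` gives a store whose retention is bounded by the archive host's disk rather than the firewall's log quota.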

Hi MJ,

Thanks for your response. It seems as if I will need your assistance on this, as I don't have much experience with scripting, but I definitely like the sound of how you have set it up.

Panorama isn't an option right now, maybe ArcSight, but that's not in the near future; until then I will need to schedule log export to an FTP server.

Please advise/assist me with these scripts.

Cheers

Bhav

Hi MJ,

Hope you are well. Regarding this post, I emailed you about it; it would be great to have some assistance from you.

Cheers

Bhav

Hi,

I have the same issue. I need to be able to export Palo Alto logs to Splunk.

How can I do it?

I need to set up the IP address of Splunk as an External Log Server, but I'm not able to do it.

Can you advise a set of instructions to do so?

Thanks

Claudio

Create your syslog server profile for the Splunk server.

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-server-pro...

Assign this profile as the forwarding server for all the types of events you want to send to Splunk.

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/objects/objects-log-forw...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center