I have a requirement to be able to maintain logs (all URL, threat, etc.) for a period of at least 6 months, and this should be independent of the disk space. I have found out that from the command line you can export the logdb using scp and back it up, but the only downside is, correct me if I am wrong, the exported logdb can only be viewed in the Palo Alto, so to view them, I would have to import it back into the firewall, and that would overwrite existing logs.
Also, based on the log threshold, once reached, the firewall starts overwriting the logs on the disk, which means I lose my logs for that time period, etc. I want to be able to find a way to retain them, and our environment requires log keeping for all categories, and the logs do build up quite fast. Please advise.
There are a couple of possibilities besides backing up logdb.
You could implement a Panorama management server, which supports up to 2TB of disk space for logging. This would also allow you to run reports on this data, as the log is still accessible, and centrally manage your units.
You could also set up a nightly log export (under the Device tab > Scheduled Log Export). This will export the desired log in CSV format to an FTP server.
Alternatively, you could also set up a syslog server as an external log server.
First, good luck. This is quite a difficult problem in Panlandia.
I spent the money on Panorama and threw lots of disk space on it. You're not going to be happy with the performance or the issues with managing logs. You'll have log holes, logs missing at the start of the day, etc. The word we've gotten from support and our sales team is to not consider Panorama your "gold standard" of log storage. They've suggested we purchase Splunk. We're not ready to go there, as we've already purchased Panorama.
We use the scheduled log export feature to send logs to an FTP server. I've got a set of scripts to process them and upload them into MySQL. This has worked well for us. PM me and I'll send you any of my scripts or tables.
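As an added illustration of the export-then-load approach described in this reply (not the poster's scripts, and not Palo Alto code), the following stores rows from a scheduled CSV log export in a SQLite table that lives off the firewall, skips rows already loaded if the same export is processed twice, and purges entries older than the retention window. The column names, the UNIQUE key used for de-duplication and the sample rows are constructed assumptions, not the exact PAN-OS export header.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta

# Constructed sample in the shape of a scheduled CSV log export.
# Column subset is an assumption for illustration, not the full PAN-OS header.
SAMPLE_EXPORT = """receive_time,serial,type,subtype,src,dst,rule,action,misc
2013/06/01 08:00:01,001701000001,TRAFFIC,end,10.0.0.5,192.0.2.10,allow-web,allow,
2013/06/01 08:00:02,001701000001,THREAT,url,10.0.0.5,192.0.2.10,allow-web,alert,example.com/
2013/06/01 08:00:03,001701000001,THREAT,vulnerability,10.0.0.7,192.0.2.20,allow-web,drop,
"""

COLUMNS = ("receive_time", "serial", "type", "subtype",
           "src", "dst", "rule", "action", "misc")

# UNIQUE over every column is a stand-in for a real per-device sequence number;
# it lets a re-run of the same export be loaded without creating duplicates.
SCHEMA = """
CREATE TABLE IF NOT EXISTS panlog (
  receive_time TEXT NOT NULL, serial TEXT NOT NULL, type TEXT NOT NULL,
  subtype TEXT, src TEXT, dst TEXT, rule TEXT, action TEXT, misc TEXT,
  UNIQUE(receive_time, serial, type, subtype, src, dst, rule, action, misc)
);
"""


def open_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def ingest(con, csv_text):
    """Load one exported CSV file; returns the number of new rows stored."""
    rows = [tuple(r[c] for c in COLUMNS)
            for r in csv.DictReader(io.StringIO(csv_text))]
    before = con.total_changes
    con.executemany("INSERT OR IGNORE INTO panlog VALUES (?,?,?,?,?,?,?,?,?)", rows)
    con.commit()
    return con.total_changes - before


def purge_older_than(con, now, days=183):
    """Drop rows past the retention window (183 days ~ 6 months).
    receive_time is 'YYYY/MM/DD HH:MM:SS', so string comparison orders by time."""
    cutoff = (now - timedelta(days=days)).strftime("%Y/%m/%d %H:%M:%S")
    cur = con.execute("DELETE FROM panlog WHERE receive_time < ?", (cutoff,))
    con.commit()
    return cur.rowcount


def count_by_type(con):
    """Rows retained per log type, e.g. to confirm THREAT/URL entries survived."""
    return dict(con.execute("SELECT type, COUNT(*) FROM panlog GROUP BY type"))
```

Run it over each file the firewall drops on the FTP server; a cron job calling purge_older_than keeps the database within the retention policy instead of letting the firewall's disk threshold decide.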
Thanks for your response. It seems as if I will need your assistance on this, as I don't have much experience with scripting, but I definitely like the sound of how you have set it up.
Panorama isn't an option right now, maybe ArcSight, but that's not in the near future. Until then I will need to schedule log export to an FTP.
Please advise/assist me with these scripts.
Create your syslog server profile for the Splunk server.
Assign this profile as the forwarding server for all the types of events you want to send to Splunk.