Palo alto panorama - Any advice on how we can deal with old logs?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo alto panorama - Any advice on how we can deal with old logs?

L3 Networker

We would like to migrate logs from M100 to M200 – Could you please advise how to proceed?

M100 has 4x2 disks

M200 has 2x2 disks

 

M-100 appliance to an M-200 or M-600 appliance- I understood this from the below URL. Kindly correct if any change

Log migration is not supported. The M-100 appliance logging disk form factor is not supported on the M-200 and M-600 appliances.

URL ref is below:-

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/set-up-panorama/transition-to-a-differ...

 

Any advice on how we can deal with old logs?

Due to our security restrictions, we should be able to keep them some minimum period of time.

If there are no options to migrate them to a new log-collector what would You suggest to have them available?

Sachin garg
Technical consultant
3 REPLIES 3

L7 Applicator

Hi @SachinGargNTT 

How long is the retention time of the existing M-100 appliance and how long is your company policy for the retention?

Actually on the link you provided, the solution is already written:

-----------------------------------------------

This procedure assumes you are no longer using the M-100 or M-500 appliance for device management or log collection. If you plan on using the decommissioned M-100 or M-500 appliance as a Dedicated Log Collector, a device management license is required on the M-100 or M-500 appliance. Without a device management license, you are unable to use the M-100 or M-500 as a Dedicated Log Collector.

You may still access existing log data at a later date if you do not plan on using the M-100 or M-500 appliance as a Dedicated Log Collector. After you have successfully migrate to the new M-Series appliance, power on the M-100 or M-500 appliance to query and generate reports from the Panorama web interface of the decommissioned M-Series appliance. Palo Alto Networks recommends reviewing the log retention policy before decommissioning the M-100 or M-500 appliance.

----------------------------‐-------------------------------

This means on your new appliance you can add the old log collector as a dedicated log collector that you use only for logqueries and not for writing new logs to it. This requires that the old appliance is still licensed otherwise you will not be able to continue to use it. Does this answer your question?

Is there any other way to keep logs without having existing M100 all the time online (old log-collector)?

Sachin garg
Technical consultant

No, at least no easy way. You can also export all the logs manually from the monitor tab or create a script that fetches the logs over the API and write them to a place where you can access them when you need it. 

  • 1064 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!