In current setup we have Panorama M200 in HA pair and managing location A and location B firewall centrally. We have enabled local log collector on both Panorama and added in same collector group with redundancy enabled.
Also log forwarding preference is enabled , in which location A firewalls sending logs to Primary-Active Panorama and location B firewalls sending logs to Secondary-Passive Panorama. As redundancy is enabled in LC group , both Panorama storing copy of each other.
With redundancy enabled we are able to store only 6 Months of logs in Panorama. We want to store the logs for 1 year hence purchased one more M200 device and want to add in current setup for logging.
Have below queries :
1. How I can add new Panorama in existing Panorama HA pair setup ?
2. How I can add in collector group ?
3. Adding in new Panorama in existing collector group will increase the sizing or it will be same due to redundancy.
4. How firewall will forward the logs to Third panorama. How logs copy will create.
5. What is the best possible way to add new Panorama for logging and increase log retention.
Thank you for the post @Deepak25
1.) In this scenario, the only option is to configure new M-200 as a dedicated log collector: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-log-collection/log-collection-...
Since you are using Panorama HA with built in log collectors, there is no option to expend it unless you configure the new M-200 in logger mode and register it to existing Panorama as a dedicated log collector.
2.) Technically the only requirement to add a new log collector to existing log collector group is to have the same hardware which you have. After you register new M-200 to Panorama, you should be able to add it to log collector group under: Panorama > Collector Groups > [Log Collector Group Name] > Collector Group Members > Add
3.) Adding new M-200 will increase capacity, but keep in mind a few points:
- By having the option: "Enable log redundancy across collectors" enabled, a single log will be stored in 2 different log collectors. Please refer to the: "Log Redundancy" in this link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBw7CAG
- New log collector will have this portion of the log: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPcwCAG
- After you add Log Collectors to an existing Collector Group, Panorama redistributes its existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage.
4.) The logs will be ingested by new log collector depending on how you set up device log forwarding in log collector group, then actual log will be stored in 2 log collectors across log collector group by using internal algorithm.
5.) I think, I answered this by above 4 points, but if there is any question, I will try on best effort bases help.
Hi @PavelK ,
Thanks for help.
I have go through shared KB's but still have some queries regarding log redistribution when Collector group having three log collectors.
1. In current setup for location A firewalls (2 HA pair) - primary LC is location A panorama LC and secondary LC is location B panorama LC in log forwarding preference. Same for location B firewalls (2 HA pair) - primary LC is location B panorama LC and secondary LC is location A panorama LC in log forwarding preference.
- What is the best option to add third LC in log forwarding preference list in order to utilize its space for logging. Do we add new LC as a tertiary in existing log forwarding preference lists or we should create new log forwarding preference list for some firewalls from the list and keep new LC as a primary and others as secondary , tertiary.
2. Currently we have configured Location A Panorama as primary and location B panorama as secondary in all locations firewall devices. Does this setting is effective only in case of firewall management when Panorama is in HA. Because as we are adding new LC in logger mode in existing LC group of Panorama where built in LC's also added , how firewalls will forward the log to this third LC if we keep this as a primary in log forwarding preference list for some firewall. As we are not mentioning third LC ip in panorama setting of firewalls.
3. In log forwarding preference , if primary LC is full does the log store to secondary LC. and if secondary LC is full does it store to tertiary LC.
4. Currently in both LC's in collector group is full and logs are purging after every five days.
So after adding third LC in collector group after redistribution, disk quota of LC1 and LC2 will reduce ? will it lower down from 100 % utilization.
Thank you for reply @Deepak25
1.) Personally I would advice to go with this option: "Create new log forwarding preference list for some firewalls from the list and keep new LC as a primary and others as secondary , tertiary." The log forwarding preference only defines which log collector ingests the logs, but the log location among log collectors in the same log collector group is determined by hash algorithm, so the logs do not necessarily have to reside in the first log collector in log forwarding preference list. Full details are provided in this article: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-logging-...
2.) You do not have to modify this setting. On the Firewall side, you configure only Panorama Manager IP address (Primary and Secondary in the case of HA), so you can keep this setting as it is after you bring 3rd log collector online. The Firewall will learn log forwarding preference after it is registered to Panorama Manager.
3.) The answer to this question is provided in the link, I shared in the point no.1. Basically, all log collectors in the same log collector group are working as one storage and all log collectors are storing logs. When it comes to enabling log redundancy across log collectors, there is one caveat: Log redundancy is available only if each Log Collector has the same number of logging disks.
4.) I do not have confidence to answer this question without knowing your environment, however the disk quota is configuration that will not change by adding new log collector. For actual utilization, by adding 3rd log collector, you will get more storage, but if you have a lot of logs, you will eventually reach 100% utilization, but you will have longer retention period.
There is one more point that I forgot to mention in my earlier post, for log collector you will need this license: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNu0CAG&lang=en_US%E2%80%A...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!