If you have configured your Palo Alto firewalls to send traffic, system, and config syslog files to FireMon but you aren't seeing these picked up, there could be a few reasons.
- It may be that currently SYSTEM and/or Informational level TRAFFIC level messages aren't being sent to FireMon, which would be a configuration issue from the device side.
- It may be that messages are delivered, but not identified to the device
- It may be that the messages aren't matching our current regex
You can configure the devices to send syslog messages directly to the FireMon Data Collector, or configure devices to send to Panorama and have Panorama deliver them to the FireMon DC, or to a third-party collector and have that forward to the FireMon DC. How you have that configured affects how you need to have SIP configured.
You can check Panorama UI for this configuration, and you can verify if FireMon is receiving these by either,
- Running tshark to capture packets sent to the DC's interface, checking for where the logs are sourced from.
- Setting the Data Collector log level to DEBUG using the Server Control Panel and then watching DataCollector_debug.log in the CLI. The command would be fmos logview -Tf /var/log/firemon/dc/DataCollector_debug.log
Either way, you'll want to look for the source IP of the logs you're looking for. You can add a grep to narrow those results by specific messages, For example, if the DC logs are in debug, you can find commit events (which should trigger FireMon to retrieve a new device configuration: 'fmos logview -Tf /var/log/firemon/dc/DataCollector_debug.log | grep -i "Commit job succeeded"
If these messages are not sent directly from the devices, meaning they are not sourced from the same IP address as configured for the Management IP for the device in SIP, then you'll need to have representations of central syslog servers set up to match them.
Central syslog servers are configured in Administration > System > Data Collectors. It should be created with a descriptive name, and the IP address should be the interface that is sending logs to the data collector, if Panorama is forwarding the logs, use the Panorama's IP address here.
This tells FireMon that additional criteria is needed to match the sent logs to the respective device they originated from. After setting this up, the device configuration in FireMon will need to be updated as well.
In Administration > Device > Devices, edit the Palo Alto firewalls, set the Central Syslog Server field to the entry you created for Panorama, and set the Syslog Match Name to the serial number of the Palo Alto firewall itself. If Panorama has been added to FireMon and discovered the Palo Alto firewalls, the Syslog Match Name should automatically be set.
Article is closed for comments.