External Logging Platform
By using an external logging platform—such as a security information and event management (SIEM) system or a syslog device—you can view aggregated logs from the ESM Console and ESM Servers. You can also configure the ESM to send logs to Panorama. The ability to view Traps logs in the same context as the firewall logs allows you to correlate discrete activity observed on the network and on the endpoints. Correlated events help you see the overall picture across your network and endpoints so that you can detect risks that evade detection or take advantage of blind spots, and strengthen your security posture well before any damage occurs.
When enabled, the ESM component forwards reports about events to the external logging platform in addition to storing logs internally. The ESM component which forwards the logs varies depending on the type of event. For example, if you monitor verdict changes, the ESM Console sends logs when you override the verdict for a hash. If WildFire changes the verdict, the ESM Server sends the logs.
You can also integrate your external logging platform with third-party monitoring tools, such as Splunk, to analyze log data. Download the Splunk app for Palo Alto Networks at https://apps.splunk.com/app/491.
To add an external logging platform, see Forward Logs to an External Logging Platform.