Palo Alto Networks: Strata Logging Service (SLS) Overview

PCNSE Objective Focus (Domain 5 - 18%)

5.1 Interpret log files, reports, and graphs to determine traffic and threat trends

Understanding where logs are stored (SLS) and how they are accessed (SCM).

5.4 Monitor Network Security with the ACC, AppScope, logs, and reports

Recognizing SLS as the backend for logs viewed in SCM/ACC.

(Related Concepts)

Understanding centralized logging vs. local logging.
Knowledge of Log Forwarding Profiles.

Introduction: Cloud-Native Logging Backbone

The Strata Logging Service (SLS) is Palo Alto Networks' cloud-native, multi-tenant logging infrastructure. It serves as the primary destination for logs generated by various Palo Alto Networks products within the Strata ecosystem, including Next-Generation Firewalls (NGFWs), Prisma Access, and Prisma SD-WAN.

SLS effectively replaces Cortex Data Lake (CDL) for many newer SASE deployments and provides a scalable, secure, and centrally managed platform for log aggregation, storage, and analysis. It is tightly integrated with Strata Cloud Manager (SCM) , which acts as the primary interface for viewing and querying logs stored in SLS.

Think of SLS as the evolution of CDL, designed specifically as the logging backend for the unified Strata management platform (SCM).

Key Features and Benefits

Centralized Logging: Aggregates logs from diverse sources (NGFWs, Prisma Access, Prisma SD-WAN, GlobalProtect) into a single repository.
Cloud-Native Scalability: Built on cloud architecture, allowing it to scale automatically to handle large volumes of log data without requiring customer-managed infrastructure.
Long-Term Retention: Offers flexible options for long-term log storage to meet compliance and forensic analysis requirements (specific retention periods are typically licensed).
Unified Querying via SCM: Logs stored in SLS are primarily accessed and queried through the Strata Cloud Manager (SCM) interface (e.g., under Monitor > Logs), providing a consistent experience across different log types and sources.
Security Focused: Securely ingests and stores log data.
Integration with AIOps: SLS serves as the data foundation for the AIOps capabilities within SCM, enabling proactive threat detection, best practice analysis, and security posture assessment.
Simplified Operations: Eliminates the need for customers to deploy and manage on-premises Log Collectors or scale Panorama logging disks for primary log storage.

Architecture and Log Flow

The general flow involves log sources sending data securely to the regional SLS instance associated with the customer's tenant.

graph TD
    subgraph Log_Sources [Log Sources]
        FW(NGFWs)
        PA(Prisma Access SPNs)
        ION(Prisma SD-WAN IONs)
        GP(GlobalProtect Agents)
    end

    subgraph Logging_Transport [Log Forwarding]
        direction LR
        Fwd1[Secure Forwarding SSL/TLS]
    end

    subgraph Cloud_Services [Cloud Services]
        SLS[Strata Logging Service - Regional Instance]
        SCM[Strata Cloud Manager]
        AIOps[AIOps Engine]
        XDR[Optional Cortex XDR]
        SIEM[Optional External SIEM]
    end

    FW -- Logs via Profile --> Fwd1
    PA -- Logs Streamed --> Fwd1
    ION -- Logs via Config --> Fwd1
    GP -- Telemetry/Logs --> Fwd1

    Fwd1 --> SLS

    SLS -- Data Feed --> SCM
    SLS -- Data Feed --> AIOps
    SLS -- Data Feed --> XDR
    SLS -- Log Forwarding --> SIEM

    SCM -- Queries/Views --> SLS
    AIOps -- Analyzes --> SLS
    XDR -- Queries --> SLS

    style SLS fill:#20c997,stroke:#000,color:#fff
    style SCM fill:#007bff,stroke:#000,color:#fff
    style AIOps fill:#6f42c1,stroke:#000,color:#fff

Conceptual Log Flow to Strata Logging Service and access points.

Log Sources: Firewalls, Prisma Access nodes, SD-WAN devices, and GlobalProtect endpoints generate logs.
Forwarding: Devices are configured (via Panorama Templates, SCM, or Prisma Access settings) to forward logs securely (typically over TLS) to their designated regional SLS instance.
Storage: SLS ingests, parses, indexes, and stores the log data based on purchased capacity and retention policies.
Access & Analysis:
- SCM is the primary interface for querying and viewing logs.
- AIOps engine within SCM consumes SLS data for analysis.
- Cortex XDR can integrate with SLS for unified security investigations.
- Logs can optionally be forwarded from SLS to external SIEM systems.

Configuration Overview

Setting up logging to SLS involves configuration on the log-generating devices/services:

Activation/Licensing: SLS is typically activated as part of onboarding to Strata Cloud Manager or specific product purchases (like Prisma Access). Storage capacity and retention periods are licensed components.
NGFWs (Panorama Managed):
1. Define a Log Forwarding Profile ( Objects > Log Forwarding ) specifying criteria and adding a profile action to forward to "Cloud Logging Service".
2. Apply this profile to relevant Security, NAT, Threat, URL, etc., Policy rules within Device Groups.
3. Apply the profile within Templates ( Device > Log Settings ) for System, Config, User-ID, HIP logs.
4. Commit and Push changes from Panorama.
NGFWs (SCM Managed):
1. Define Log Forwarding Profiles within SCM ( Objects > Log Forwarding ) pointing to Cloud Logging Service.
2. Apply profiles to Policy rules and Device Log Settings within SCM configuration scopes.
3. Commit and Deploy changes from SCM.
Prisma Access (Cloud Managed / SCM): Log forwarding to the integrated SLS instance is typically configured automatically during Prisma Access onboarding or within the Prisma Access settings in SCM.
Prisma Access (Panorama Managed): Log forwarding to the integrated SLS/CDL instance is configured via Templates ( Device > Log Settings ) pointing to the cloud logging service, similar to NGFWs.
Prisma SD-WAN: Log forwarding settings are configured within the Prisma SD-WAN policy or system settings via SCM, directing logs to SLS.

The key mechanism for directing logs from PAN-OS devices (NGFW/Panorama-managed Prisma Access) is the Log Forwarding Profile object specifying "Cloud Logging Service" as the destination.

Comparison: SLS vs. CDL vs. On-Prem Logging

Feature	Strata Logging Service (SLS)	Cortex Data Lake (CDL)	On-Prem Syslog / SIEM
Deployment	Cloud-Native SaaS (PANW Managed)	Cloud-Native SaaS (PANW Managed)	Customer Managed (Hardware/VM)
Infrastructure Mgmt	None (by Customer)	None (by Customer)	Customer Responsibility (Scaling, Patching, HA, Storage)
Primary Interface	Strata Cloud Manager (SCM)	Panorama, CDL App, Cortex XDR, API	SIEM Console, Log Analysis Tools
Scalability	High (Cloud Managed)	High (Cloud Managed)	Limited by Customer Infrastructure
Primary Use Case	Logging backend for Strata platform (SCM, SASE)	Central logging for PANW products (prior to or alongside SLS)	General log aggregation, correlation with non-PANW sources
AIOps Integration	Tight integration via SCM	Can integrate with AIOps for NGFW	Requires specific SIEM integrations

SLS and CDL are both Palo Alto Networks cloud logging solutions. SLS is increasingly the standard logging backend, especially for services managed through SCM, while CDL remains relevant, particularly for environments primarily managed by Panorama.

Best Practices

Forward Relevant Logs: Configure comprehensive log forwarding for Traffic, Threat, URL, WildFire, User-ID, System, Config, etc., to ensure full visibility.
Plan Retention Needs: Determine required log retention periods based on compliance (PCI, HIPAA, etc.) and operational needs (troubleshooting, forensics) and license appropriate storage/retention tiers.
Use Log Forwarding Profiles: Leverage profiles for granular control over what logs are sent from firewalls.
Secure Forwarding: Ensure log forwarding occurs over secure channels (TLS is default for cloud logging).
Monitor Ingestion & Storage: Regularly check log ingestion rates and storage consumption within SCM or the Hub to ensure logs are being received and capacity is sufficient.
Implement RBAC: Use Role-Based Access Control within SCM to control who can view specific logs or manage logging configurations.
Consider Regionalization: Ensure logs are forwarded to the appropriate SLS region for data residency requirements.

Caveats and Considerations

Licensing Costs: Log storage volume and retention duration are licensed components and can represent a significant cost.
Connectivity: Managed devices require reliable outbound connectivity (HTTPS/TLS) to the regional SLS endpoints. Firewall rules and routing must permit this.
Data Residency: Ensure the correct SLS region is selected during setup to comply with data sovereignty requirements.
Query Performance: While scalable, querying extremely large datasets over long time ranges can impact performance. Use specific time ranges and filters.
Migration: Migrating from existing on-prem SIEM or potentially even older CDL instances to SLS requires planning.
SCM Dependency: Querying and interacting with SLS logs primarily occurs through the Strata Cloud Manager interface.

PCNSE Exam Focus

For the PCNSE exam, understand:

The purpose of Strata Logging Service (SLS) as the cloud-native logging platform for the Strata ecosystem.
Its role as the successor/alternative to Cortex Data Lake (CDL) , especially for SCM-managed environments.
The key benefits: Centralization, Scalability, Cloud-Managed .
How devices (NGFW, Prisma Access, SD-WAN) forward logs to SLS (typically via Log Forwarding Profiles configured in Panorama/SCM pointing to "Cloud Logging Service").
That Strata Cloud Manager (SCM) is the primary interface for querying SLS logs.
The importance of licensing for storage and retention.
Its role as the data source for AIOps features within SCM.

References

Refer to the official Palo Alto Networks documentation for Strata Cloud Manager and related services.

Strata Cloud Manager Documentation Home
Cortex Data Lake Getting Started (Provides foundational concepts often applicable to SLS)
Prisma Access Logging and Reporting (Discusses logging to CDL/SLS)
PAN-OS Admin Guide: Configure Log Forwarding (Details Log Forwarding Profiles)
Palo Alto Networks Certified Network Security Engineer (PCNSE) Exam Blueprint (Domain 5)

Strata Logging Service (SLS) Overview