https://live.paloaltonetworks.com/t5/general-topics/panorama-with-log-collectors/m-p/449540#M100953 <P>Thank you for posting question&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/155683">@RobertShawver</a></P><P>&nbsp;</P><P>Based on my experience, the logs from Firewall to Panorama are sent almost instantly. Under normal circumstances there should not be a&nbsp; significant time gap between logs on Firewall and Panorama. In my case, I can see logs in Panorama within a few minutes. If you see this issue, could you check the output on log collector from this command:</P><P>&nbsp;</P><P><STRONG>debug log-collector log-collection-stats show incoming-logs</STRONG></P><P>&nbsp;</P><P>If you see any value than 0 under:&nbsp;<STRONG>Fails</STRONG>, this might indicate an issue.</P><P>&nbsp;</P><P>If you have multiple log collectors ensure that there is latency less than 10ms between each log collector. Here is corresponding KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK</A></P><P>&nbsp;</P><P>Could you also check the logging rate and health of Elastic Search:</P><P>&nbsp;<STRONG>show log-collector-es-cluster health</STRONG></P><P>&nbsp;<STRONG>show log-collector detail | match logs</STRONG></P><P>&nbsp;</P><P>Could you also make sure that Firewall and Panorama/Log Collector are using the same time zone?</P><P>&nbsp;</P><P>Regarding syslog exporting from Panorama to 3d party server, I can see some time gap which varies through out the day. Likely depending on load. I have not found any good way to troubleshoot /debug it to narrow down a root cause. Every time, I saw that server does not get any data, i took a pcap on log collector to confirm it is being sent by log collector or not.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel&nbsp;</P><P>&nbsp;</P> Fri, 26 Nov 2021 00:37:24 GMT PavelK 2021-11-26T00:37:24Z https://live.paloaltonetworks.com/t5/general-topics/panorama-with-log-collectors/m-p/449279#M100915 <P>Here is the set up.&nbsp; Palo FW HA pairs send logs to Panorama and Log Collectors.&nbsp; Log Collectors send logs to l<SPAN>ong term archival (LTA) such as LogRhythm.</SPAN></P><P>&nbsp;</P><P><SPAN>Here is the issue, long term storage is not seeing the latest logs.&nbsp; I guess what I don't understand is the timing.&nbsp; When/how often are logs sent from the FW's to Panorama/Loggers and then when/how often do the Loggers send them off to LTA?</SPAN></P><P>&nbsp;</P><P><SPAN>I get that logs may roll on Panorama based on disk size, but was under the impression that latest logs should be at least reasonably close if I search for a recent for events on Panorama traffic logs and LTA.</SPAN></P> Wed, 24 Nov 2021 17:49:57 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-with-log-collectors/m-p/449279#M100915 RobertShawver 2021-11-24T17:49:57Z https://live.paloaltonetworks.com/t5/general-topics/panorama-with-log-collectors/m-p/449540#M100953 <P>Thank you for posting question&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/155683">@RobertShawver</a></P><P>&nbsp;</P><P>Based on my experience, the logs from Firewall to Panorama are sent almost instantly. Under normal circumstances there should not be a&nbsp; significant time gap between logs on Firewall and Panorama. In my case, I can see logs in Panorama within a few minutes. If you see this issue, could you check the output on log collector from this command:</P><P>&nbsp;</P><P><STRONG>debug log-collector log-collection-stats show incoming-logs</STRONG></P><P>&nbsp;</P><P>If you see any value than 0 under:&nbsp;<STRONG>Fails</STRONG>, this might indicate an issue.</P><P>&nbsp;</P><P>If you have multiple log collectors ensure that there is latency less than 10ms between each log collector. Here is corresponding KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK</A></P><P>&nbsp;</P><P>Could you also check the logging rate and health of Elastic Search:</P><P>&nbsp;<STRONG>show log-collector-es-cluster health</STRONG></P><P>&nbsp;<STRONG>show log-collector detail | match logs</STRONG></P><P>&nbsp;</P><P>Could you also make sure that Firewall and Panorama/Log Collector are using the same time zone?</P><P>&nbsp;</P><P>Regarding syslog exporting from Panorama to 3d party server, I can see some time gap which varies through out the day. Likely depending on load. I have not found any good way to troubleshoot /debug it to narrow down a root cause. Every time, I saw that server does not get any data, i took a pcap on log collector to confirm it is being sent by log collector or not.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel&nbsp;</P><P>&nbsp;</P> Fri, 26 Nov 2021 00:37:24 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-with-log-collectors/m-p/449540#M100953 PavelK 2021-11-26T00:37:24Z