https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/483445#M104350 <P>I can't use syslog for some reason which I can't share here.</P><P>&nbsp;</P><P>Any idea how to achieve my goal from LogCollector perspective?</P><P>&nbsp;</P><P>Regards</P><P>SLawek</P> Thu, 28 Apr 2022 06:58:03 GMT S_Owoc 2022-04-28T06:58:03Z https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/483128#M104329 <P>Hi Community</P><P>&nbsp;</P><P>I'm looking for the possibility to be notified (trap/snmp/Panorama event) in the situation that a particular FW which is assigned to LogCollector for some reason stopped sending traffic to it. Let's assume that if there is a 1h gap I want to be notified.</P><P>For some reason, I'm not considering implementing Syslog here.</P><P>&nbsp;</P><P>When such a situation has occurred FW is logging:</P><P>( description contains 'Failed to connect to address: X.X.X.X port: 3978, conn id: lr-X.X.X.X-def' )</P><P>( description contains 'Number of hints on disk has exceeded 5000 due to log forward failures.' )</P><P>&nbsp;</P><P>I know that I can set up under Device&gt;LogSettings new entry like the below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1862.png" style="width: 797px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/40480i9595DED26C458785/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot_1862.png" alt="Screenshot_1862.png" /></span></P><P>But this solution will generate an event on Panorama with severity informational (as the original event "'Failed to connect to address" was") when I'd like to have it marked as critical. Moreover, such config must be deployed to all FW, when we have just one LogCollector per dozens of FW. That's why I'm looking for something more clever <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P><P>Currently, this is my idea, its not tested but I'm pretty sure that guys here had the same problem and maybe someone will share the working solution here.</P><P>&nbsp;</P><P>with regards</P><P>Slawek</P> Wed, 27 Apr 2022 12:12:56 GMT https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/483128#M104329 S_Owoc 2022-04-27T12:12:56Z https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/483416#M104347 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138089">@S_Owoc</a>,</P><P>Why aren't you considering implementing a simple syslog server that you could use to handle these alerts? If that's out, I would just have the device send an email/Slack alert itself so you know there's actually a problem.&nbsp;</P> Thu, 28 Apr 2022 00:56:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/483416#M104347 BPry 2022-04-28T00:56:22Z https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/483445#M104350 <P>I can't use syslog for some reason which I can't share here.</P><P>&nbsp;</P><P>Any idea how to achieve my goal from LogCollector perspective?</P><P>&nbsp;</P><P>Regards</P><P>SLawek</P> Thu, 28 Apr 2022 06:58:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/483445#M104350 S_Owoc 2022-04-28T06:58:03Z https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/484011#M104404 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138089">@S_Owoc</a> ,</P><P>Only approach I can think of right now is forwarding that logs to Email relay.</P><P>- Create log system log forwarding profile, similar to your screenshot</P><P>- Select Email for forwarding method and create email profile with email relay that will accept email from the firewall.</P><P>- Configure all of this with separate template, that you can assign to any template stack that you want and have it pushed to all firewalls that you manage. You can use template variables to use different IP addresses for the mail relay if the firewalls are in different locations/regions and cannot reach same relay.</P><P>&nbsp;</P><P>I don't have practical experience with dedicated log collectors, but I am wondering wouldn't the log collector/panorama generate similar log if it loss connectivity with firewall? If so you can again have log forwarding to email, but from log collector perspective.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 01 May 2022 06:07:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/484011#M104404 aleksandar.astardzhiev 2022-05-01T06:07:15Z https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/484803#M104456 <P>Hi guys,</P><P>&nbsp;</P><P>This link seems to be a good starting point:</P><P><A href="https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/administer-panorama/monitor-panorama/monitor-panorama-and-log-collector-statistics-using-snmp" target="_blank">https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/administer-panorama/monitor-panorama/monitor-panorama-and-log-collector-statistics-using-snmp</A></P><P>&nbsp;</P><P>log forwarding status from individual firewalls to Panorama and external servers.</P><P>Unfortunately, there is no OID listed for these values, has anyone idea where to find them?</P><P>&nbsp;</P><P>Regards</P><P>SLawek</P> Wed, 04 May 2022 12:22:37 GMT https://live.paloaltonetworks.com/t5/general-topics/how-we-can-monitor-detect-that-particular-fw-stopped-sending/m-p/484803#M104456 S_Owoc 2022-05-04T12:22:37Z