https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507330#M105727 <P>Thank you for reply and your comment&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139416">@future</a></P> <P>&nbsp;</P> <P>I am sure you must have a good reason to keep both "Log at Session Start" and "Log at Session End" enabled. Just in case here is a KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC</A>&nbsp;where Palo Alto does not recommend to keep both options enabled unless you are performing a troubleshooting.</P> <P>&nbsp;</P> <P>After you perform the upgrade to 9.1.14 and you are still experiencing an issue where logs are available on Firewall locally, but missing in Panorama, then if you see any Fails in the output: "debug log-collector log-collection-stats show incoming-logs | match Fails" there are at least 2 possible root causes I can think of:</P> <P>&nbsp;</P> <P>- If you have distributed environment with multiple log collectors and there is a latency between log collectors more than 10ms, this might result log loss. Here is corresponding KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK</A></P> <P>&nbsp;</P> <P>- High logging rate from Firewall side that will cause failing to write logs to disk. This will however require more investigation.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 30 Jun 2022 05:55:29 GMT PavelK 2022-06-30T05:55:29Z https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507048#M105724 <P>When creating the Security Policy Rule, 'Log at Session Start/End' was all selected as Actions.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Policy Actions.png" style="width: 698px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/42043i46BDC2CBA5575602/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Policy Actions.png" alt="Policy Actions.png" /></span></P> <P>After this, when I check the log in Panorama, only the End Log is visible and the Start Log is not visible.<BR />Also, sometimes this logs are not visible.</P> <P>&nbsp;</P> <P>In Panorama, there are cases where the log cannot be seen or some logs (Session Start) are not visible like this.<BR />What causes this to happen?</P> <P>&nbsp;</P> <P>Could there be a lot of traffic logs and some logs might be missing from Panorama?<BR />Has anyone had a similar experience?</P> Wed, 29 Jun 2022 11:45:40 GMT https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507048#M105724 future 2022-06-29T11:45:40Z https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507082#M105725 <P>Thank you for the post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139416">@future</a></P> <P>&nbsp;</P> <P>troubleshooting Panorama missing logs is complex and requires more input from your side.</P> <P>&nbsp;</P> <P>First thing, could you confirm what PAN-OS version you are running on Firewall? If you are in 9.1 release, then I would recommend upgrade to 9.1.14. In this version there is a bug fix:&nbsp;PAN-185616&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_0-1656507414174.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/42048iA865540FF98E5241/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_0-1656507414174.png" alt="PavelK_0-1656507414174.png" /></span></P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os-9-1-14-addressed-issues" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os-9-1-14-addressed-issues</A></P> <P>I confirmed with TAC that this is not only limited to syslog, but also affects sending logs to Panorama.</P> <P>&nbsp;</P> <P>Could you also check Panorama log collector side to confirm from CLI whether there are any Fails:</P> <P><STRONG>debug log-collector log-collection-stats show incoming-logs | match Fails</STRONG></P> <P>If the number of Fails is anything other than 0, this indicates that some logs are failing to be written to disks.</P> <P>&nbsp;</P> <P>Could you also confirm what PAN-OS version you are running on Panorama and whether you are using dedicated log collectors or local log collector.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Wed, 29 Jun 2022 13:08:45 GMT https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507082#M105725 PavelK 2022-06-29T13:08:45Z https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507293#M105726 <P>Thanks for the very kind reply.</P> <P>&nbsp;</P> <P>I will check further base your advice.<BR />I was impressed by the positive and complete response.<BR />Thank you very much.</P> <P>&nbsp;</P> <P>After additional confirmation, we will deliver happy news when it is complete.<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Thu, 30 Jun 2022 01:26:57 GMT https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507293#M105726 future 2022-06-30T01:26:57Z https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507330#M105727 <P>Thank you for reply and your comment&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139416">@future</a></P> <P>&nbsp;</P> <P>I am sure you must have a good reason to keep both "Log at Session Start" and "Log at Session End" enabled. Just in case here is a KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC</A>&nbsp;where Palo Alto does not recommend to keep both options enabled unless you are performing a troubleshooting.</P> <P>&nbsp;</P> <P>After you perform the upgrade to 9.1.14 and you are still experiencing an issue where logs are available on Firewall locally, but missing in Panorama, then if you see any Fails in the output: "debug log-collector log-collection-stats show incoming-logs | match Fails" there are at least 2 possible root causes I can think of:</P> <P>&nbsp;</P> <P>- If you have distributed environment with multiple log collectors and there is a latency between log collectors more than 10ms, this might result log loss. Here is corresponding KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK</A></P> <P>&nbsp;</P> <P>- High logging rate from Firewall side that will cause failing to write logs to disk. This will however require more investigation.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 30 Jun 2022 05:55:29 GMT https://live.paloaltonetworks.com/t5/general-topics/questions-missing-panorama-log/m-p/507330#M105727 PavelK 2022-06-30T05:55:29Z