https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511195#M106288 <P>Thank you for your time and response,&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>!</P> <P>&nbsp;</P> <P>Could you link me to the page that showed the collector group formula for the n/2+1? I must have read several pages but never once saw it!</P> <P>&nbsp;</P> <P>If several log collectors are required for the multiple log collectors to work in a single collector group, then the only choice I have is to go with the single collector in a collector group.</P> Mon, 08 Aug 2022 08:21:34 GMT mr_almeida 2022-08-08T08:21:34Z https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511100#M106280 <P>Hello all!&nbsp;</P> <P>We have had a single Panorama appliance running in Panorama mode as a local log collector in its own collector group. Firewall logs are sent to Panorama, and all is working well.</P> <P>&nbsp;</P> <P>We now have procured a second Panorama appliance for HA. Hardware, disks etc., are all the same, and I've successfully set them up in HA, synced and healthy.</P> <P>&nbsp;</P> <P>These two Panorama appliances are in different sites - though there is plenty of bandwidth and a few tens of ms latency between them. Currently, each appliance has only a single 2TB assigned to them. We don't plan to change from this setup or utilise dedicated log collectors anytime soon, and log retention fits within requirements.</P> <P>&nbsp;</P> <P>The bit I am confused about is log collectors and collector groups. Cannot decide whether to have both appliances as either:</P> <OL> <LI>Single log collector per collector group</LI> <LI>Put the secondary appliance in the same collector group as the primary appliance or multiple collectors in a single collector group.</LI> </OL> <P>Regarding multiple collectors in a collector group, I have read you can achieve redundancy, increase log retention and exceed logging rates. I am aware you need to check the box for<SPAN>&nbsp;</SPAN><CODE>enable log redundancy across collectors</CODE>. I am also mindful that the logging rate is half - so I am not sure how the logging rates are exceeded if this happens?!</P> <P>&nbsp;</P> <P>Regarding a single collector for each collector group, nothing seems to be mentioned or indicates anything about this. Why would I use this over multiple collectors in a single collector group? I know if the secondary appliance is down or lost, we lose those logs. I also assume you can still set the<SPAN>&nbsp;</SPAN><CODE>Log Forwarding Preferences list</CODE><SPAN>&nbsp;</SPAN>for both collectors in separate groups?</P> <P>&nbsp;</P> <P>Hoping someone in this space can shed some light on what they have done or chime in on what you think!</P> <P>&nbsp;</P> <P>Thank you for your time in reading and responding!</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Panorama" id="Panorama"></LI-PRODUCT>&nbsp;</P> Fri, 05 Aug 2022 08:27:19 GMT https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511100#M106280 mr_almeida 2022-08-05T08:27:19Z https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511114#M106283 <P>Thank you for the post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/121189">@mr_almeida</a></P> <P>&nbsp;</P> <P>you mentioned that latency is a few tens of milliseconds between each of the Panorama appliance. This could actually be an issue if both Panorama local log collectors are in the same log collector group. The latency between each of the log collector in the same log collector group should not exceed 10 milliseconds. Please have a look at this KB for more details:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK</A></P> <P>&nbsp;</P> <P>Second issue I am seeing, if your Panorama is running PAN-OS 10.0 and higher, there is a change in behavior compared to PAN-OS 9.1:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/changes-to-default-behavior" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/changes-to-default-behavior</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_0-1659704010809.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43023iE36029C208E9DC0D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_0-1659704010809.png" alt="PavelK_0-1659704010809.png" /></span></P> <P>In nutshell, if you have 2 log collectors in a single collector group and one log collector is down, the other log collector will stop working as well. The workaround is either separate each log collector into own collector group or have 3 log collectors inside the same log collector group.</P> <P>&nbsp;</P> <P>Given these 2 conditions, I personally feel that options No.1: Single log collector per collector group is better option in your case.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Fri, 05 Aug 2022 12:59:37 GMT https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511114#M106283 PavelK 2022-08-05T12:59:37Z https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511195#M106288 <P>Thank you for your time and response,&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>!</P> <P>&nbsp;</P> <P>Could you link me to the page that showed the collector group formula for the n/2+1? I must have read several pages but never once saw it!</P> <P>&nbsp;</P> <P>If several log collectors are required for the multiple log collectors to work in a single collector group, then the only choice I have is to go with the single collector in a collector group.</P> Mon, 08 Aug 2022 08:21:34 GMT https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511195#M106288 mr_almeida 2022-08-08T08:21:34Z https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511225#M106293 <P>Thank you for reply&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/121189">@mr_almeida</a></P> <P>&nbsp;</P> <P>It is mentioned in this release note:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/changes-to-default-behavior" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/changes-to-default-behavior</A>&nbsp;(Scroll down to Collector Groups).</P> <P>&nbsp;</P> <P>Regarding n/2+1, 2 log collectors in a single log collector group will work fine, however keep in mind that in worst case scenario if one log collector goes down, then the remaining one will not be operational until the one that went down comes back online. Unless you experience an outage on one log collector, you will not hit this limitation.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Mon, 08 Aug 2022 12:31:56 GMT https://live.paloaltonetworks.com/t5/general-topics/please-help-with-log-collectors-and-collector-groups-in-panorama/m-p/511225#M106293 PavelK 2022-08-08T12:31:56Z