topic Re: Traffic Logs missing from subset of datetime range when using certain filters? in General Topics

Traffic Logs missing from subset of datetime range when using certain filters?

Adrian_Jensen — Thu, 02 Oct 2025 20:17:47 GMT

Has anyone run into a problem with Traffic Logs not returning any results with a certain period of a larger time range? I have been running a daily traffic analysis of a particular destination network (do to a vendor issue). Today's analysis of yesterdays traffic partially failed as a roughly 15min period is completely missing from the Traffic Logs returned using the query filter:

(addr.dst in xx.xx.xx.0/24) and ( receive_time geq '2025/10/01 00:00' ) and ( receive_time leq '2025/10/01 23:59:59' ) and !( addr.src in 'yy.yy.yy.70' )

This query should return all traffic on 10/1 destinated to the xx.xx.xx.0/24 network, excluding a specific local source yy.yy.yy.70. But all logs received between 11:07:54-11:24:25 are missing from the results (roughly 10000 lines). If the source exclusion is removed from the query, then all expected results appear. If the log filter time range is narrowed to shortly before and after the time range, the results are still missing. If the log filter start time is within the missing period, none of the missing logs appear, regardless if the source exclusion is there or not.

Has anyone seen this before? After extensive testing, it seems to be some sort of deep seated log parsing error, but I haven't been able to identify a source cause yet.

Re: Traffic Logs missing from subset of datetime range when using certain filters?

JayGolf — Sat, 04 Oct 2025 02:30:08 GMT

Hi @Adrian_Jensen ,

I’ve seen situations where applying certain filters like exclusion filters in traffic log searches can cause gaps where some logs don’t appear, even though the data is present. This has been tied to under the hood bugs in certain PAN-OS versions and is addressed in later releases.

In my own experience (previously with an MSP monitoring alerts), I ran into the same behavior and had to lean on third-party SIEMs for advanced queries or large-scale analytics.

A good path forward would be to confirm your current PAN-OS version (since upgrades often resolve these issues), and in parallel, consider whether forwarding logs to an external system could give you more flexibility with the type of analysis you’re running. Also, id create a support ticket for this to bring awareness to the issue for the particular code that you are running.

Re: Traffic Logs missing from subset of datetime range when using certain filters?

Retired Member — Sat, 04 Oct 2025 09:58:29 GMT

Hi,

it can be related to the following,

PAN-273026 Fixed an issue where traffic logs did not display correctly when filters
were applied

Regards

Re: Traffic Logs missing from subset of datetime range when using certain filters?

Adrian_Jensen — Sun, 05 Oct 2025 03:21:51 GMT

Interesting. The PAN-273026 issue looks very similar to what I am seeing. I am currently running the 10.2.9-h21 release. After looking extensively at the known and address issue notes, PAN-274026 seems to only appear in 11.1 and 11.2, and the 10.2.9-h21 release was after some of the 11.x fixed releases. So it is unclear if this PAN even affects 10.2. I have a support ticket open and am waiting for a call to show the error after some previous support suggestions did not seem to apply.

Re: Traffic Logs missing from subset of datetime range when using certain filters?

Adrian_Jensen — Thu, 09 Oct 2025 19:35:46 GMT

So far I have not been able to find a direct cause. The problem has happened again in yesterday's Traffic Logs over roughly a 17min period. I have found that any query over the affected time with 2 address filters (either src and dst filters, or even two dst and dst filters) has the missing data, while only one address filter returns all the relevant data.

PA support doesn't seem to know why and are still researching. They are saying PAN-273026 and a similar PAN-266114 only affect Panorama (which I don't have), though that seems to contradicts the NGFW PAN-OS release notes.

Does anyone know of any CLI commands to re-index the logging database? I have been searching the archives/KB but not found anything yet. Logdb for database for traffic has a high ratio of log to index. The drive SMART stats don't seem to indicate any problems.

> debug logdb-usage

...

traffic: Logs: 37G, Indexes: 24G