https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301180#M78640 <P>Yes, on the sending firewall you don't see the syslog sessions in traffic log (as long as you do not have the mgmt interface connected to the firewall itself).</P><P>When you speak about big syslog sessions: You see them on another firewall right? Do you log there start and end logs? If you only log session end logs, did you check for how long the session was open (difference between start and end time of the session)? So maybe this high amount of syslog traffic was sent over a long timeframe.</P> Thu, 28 Nov 2019 00:56:02 GMT Remo 2019-11-28T00:56:02Z https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301087#M78621 <P>I recently adding a new syslog destination at this new to me site and noticed something I hadn't seen before. That is that the sending of syslog data according to PAN Monitoring is send sporadically and in big bursts. For example when I added the new destination not long after the PAN sent one GB of syslog to all the destinations and then one small 307 byte message. Now it's not sent anything in over an hour. The Log Forwarding profile appears to have a liberal syslog info forwarding setting. e.g. All Traffic , Filter All Logs. There's tons of traffic through the FW so it should be pumping info all the time.&nbsp;</P> Wed, 27 Nov 2019 18:19:03 GMT https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301087#M78621 palomed 2019-11-27T18:19:03Z https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301179#M78639 <P>Here's a theory - is it possible that the PAN is summarizing the syslog records because they are so frequent? I'm referring to a PAN that is receiving syslog messages from another PAN say on its inside interface and those egress another Interface. The syslogging of the systems themselves are not visible in Monitoring tab as those egress the management interface. Right?</P> Wed, 27 Nov 2019 23:44:12 GMT https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301179#M78639 palomed 2019-11-27T23:44:12Z https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301180#M78640 <P>Yes, on the sending firewall you don't see the syslog sessions in traffic log (as long as you do not have the mgmt interface connected to the firewall itself).</P><P>When you speak about big syslog sessions: You see them on another firewall right? Do you log there start and end logs? If you only log session end logs, did you check for how long the session was open (difference between start and end time of the session)? So maybe this high amount of syslog traffic was sent over a long timeframe.</P> Thu, 28 Nov 2019 00:56:02 GMT https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301180#M78640 Remo 2019-11-28T00:56:02Z https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301200#M78641 <P>Crikey - you were absolutely correct. I looked at the details of one of those fat flow records and sure enough the start time was nearly four hours before the recorded time. I'm not sure exactly how it decides when 10MB or 1GB is the time to record the flow. But the major mystery is no longer. Thanks!</P> Thu, 28 Nov 2019 02:54:00 GMT https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301200#M78641 palomed 2019-11-28T02:54:00Z https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301205#M78642 <P>Thanks Remo on answering this.</P><P>This PA has so many features everyday we learn more about PA</P> Thu, 28 Nov 2019 03:24:27 GMT https://live.paloaltonetworks.com/t5/general-topics/the-sporadic-syslog-sender/m-p/301205#M78642 MP18 2019-11-28T03:24:27Z