https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392494#M90904 <P>I had to give you a like for the Linux client&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41973">@dtran</a>, because you're right ; - )<span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 21 Mar 2021 02:44:11 GMT BPry 2021-03-21T02:44:11Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387354#M90360 <P>I have a active-standby panorama cluster version 8.1.17 that manages about 40 firewalls.&nbsp; The active-cluster panorama is also a log collector-group.</P><P>20 firewalls send traffic/threat/URL logs to active panorama and the other 20 firewalls send traffic/threat/URL logs to the standby panorama.&nbsp; From there, I configure panorama to forward these logs to syslog splunk.&nbsp; I have PAN TAC support look at the configuration and they confirm the setup is good.</P><P>&nbsp;</P><P>Here is the issue.&nbsp; When I use the command "less mp-log syslog-ng.log", I can see the drop increment from panorama to the syslog splunk every 30 minutes or so.&nbsp; The counter is measured every ten minutes.&nbsp; On the syslog Splunk side, they confirmed that the traffic never arrived in tcpdump (syslog is clear text so we can decode the missing logs).&nbsp;</P><P>&nbsp;</P><P>I've opened a ticket with PAN support and waiting to hear back from them but it is currently with the first tier level TAC support so not much hope so far.</P><P>&nbsp;</P><P>Why would panorama stop forwarding log to external syslog splunk?&nbsp; Has anyone seen this issue before?</P><P>&nbsp;</P><P>TIA.</P> Tue, 23 Feb 2021 13:55:15 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387354#M90360 dtran 2021-02-23T13:55:15Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387366#M90362 <P>have you tracked global counters and log forwarder statistics? maybe the log rate is too high for it to be able to complete each forward</P> Tue, 23 Feb 2021 14:09:24 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387366#M90362 reaper 2021-02-23T14:09:24Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387412#M90368 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>:&nbsp; What is the command do you recommend?&nbsp; I am using "<SPAN>debug log-collector log-collection-stats show log-forwarding-stats | match syslog</SPAN>" and I am seeing this:</P><P>&nbsp;</P><P><SPAN>syslog enqueued count: 3260998077<BR />syslog sent count: 3260769863<BR />syslog dropped count: 422974378<BR />syslog Queue depth: 0</SPAN></P><P>&nbsp;</P><P><SPAN>What do you mean by the log rate is too high?&nbsp; My panorama is running in AWS with the biggest available EC2 available.</SPAN></P> Tue, 23 Feb 2021 16:18:45 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387412#M90368 dtran 2021-02-23T16:18:45Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387474#M90375 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41973">@dtran</a>,</P> <P>So just because you deploy an ever bigger instance doesn't mean it'll handle the amount of logs being generated. You pretty quickly run into an area of diminishing/no return on additional resources.&nbsp;</P> Tue, 23 Feb 2021 20:56:34 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387474#M90375 BPry 2021-02-23T20:56:34Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387498#M90384 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>:&nbsp; My instance is 16CPU with 64GB RAM.&nbsp; According to PAN, it is capable of handling of 10,000 logs/sec.&nbsp; Maximum logs/sec in my situation is around 4,500 logs/sec so I have plenty of resource on the Panorama to handle the log.&nbsp; Waiting for the next move from TAC support.</P> Wed, 24 Feb 2021 00:09:07 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387498#M90384 dtran 2021-02-24T00:09:07Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387708#M90411 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41973">@dtran</a>&nbsp;</P> <P>&nbsp;</P> <P>Please keep us posted what TAC says about this.</P> <P>&nbsp;</P> <P>Regards</P> Thu, 25 Feb 2021 03:52:00 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/387708#M90411 MP18 2021-02-25T03:52:00Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392038#M90841 <P>Just a quick update on this issue.</P><P>&nbsp;</P><P>It turned out that my log collectors spiked to 15K/sec for incoming log and the instance we have is only for 10K/sec for incoming logs.&nbsp; I am going to increase the size, CPU and memory, of the AWS EC2 instance.&nbsp; Hopefully, it will go away.</P><P>&nbsp;</P> Thu, 18 Mar 2021 13:33:35 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392038#M90841 dtran 2021-03-18T13:33:35Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392053#M90844 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41973">@dtran</a> ,</P><P>I am curios how did you find the spikes?</P><P>&nbsp;</P><P>Thanks!</P> Thu, 18 Mar 2021 14:02:30 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392053#M90844 aleksandar.astardzhiev 2021-03-18T14:02:30Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392439#M90895 <P>I use a python to log into Panorama every 5 seconds and run these three commands and pipe them into an ascii file:</P><P>&nbsp;</P><P>show clock | match GMT</P><P>Sat Mar 20 07:40:04 GMT 2021<BR />&gt; debug log-collector log-collection-stats show log-forwarding-stats | match "syslog dropped count"<BR />syslog dropped count: 23026208<BR />&gt; debug log-collector log-collection-stats show incoming-logs | match "Incoming"<BR />Incoming log rate = 1389.45</P><P>&nbsp;</P><P>Then I use grep and awk to find out if the count the diff in the dropped count and Incoming log rate base on the timestamp.&nbsp;</P><P>&nbsp;</P><P>PAN TAC support also has something similar but they run it in Teraterm for Windows.&nbsp; Real engineers use Linux <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sat, 20 Mar 2021 07:46:42 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392439#M90895 dtran 2021-03-20T07:46:42Z https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392494#M90904 <P>I had to give you a like for the Linux client&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41973">@dtran</a>, because you're right ; - )<span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 21 Mar 2021 02:44:11 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-is-dropping-lot-of-traffic-to-syslog-splunk/m-p/392494#M90904 BPry 2021-03-21T02:44:11Z