Log forwarding issue



Hi team,

 

I have deployed a Palo Alto firewall in an AWS environment and ran into some issues when trying to send the logs over to a syslog server.

1. When I use a syslog server that is not in the same subnet as the management interface and tried to manually set the right interface in the service route configuration, it didn't let me choose any of my interfaces.

2. After I changed the syslog server to be in the same subnet as the management interface and, in the service route configuration, changed it back to use the management interface, the logs did not arrive at the syslog server.

 

debug log-receiver statistics output:

Logging statistics
------------------------------ -----------
Log incoming rate:             0/sec
Log written rate:              0/sec
Corrupted packets:             0
Corrupted URL packets:         0
Corrupted HTTP HDR packets:    0
Corrupted HTTP HDR Insert packets: 0
Corrupted EMAIL HDR packets:   0
Logs discarded (queue full):   0
Traffic logs written:          1016
GTP logs written:              0
Tunnel logs written:           0
Auth logs written:             0
Userid logs written:           0
SCTP logs written:             0
URL logs written:              0
Wildfire logs written:         0
Anti-virus logs written:       0
Widfire Anti-virus logs written: 0
Spyware logs written:          0
Spyware-DNS logs written:      0
Attack logs written:           0
Vulnerability logs written:    0
Fileext logs written:          0
Fileext logs URL not written:  0
Fileext logs URL not written (timedout): 0
URL cache age out count:       0
URL cache full count:          0
URL cache key exist count:     0
URL cache wrt incomplete http hdrs count: 0
URL cache rcv http hdr before url count: 0
URL cache full drop count(url log not received): 0
URL cache age out drop count(url log not received): 0
Email hdr cache count:         0
Email hdr cache hit count:     0
HTTP hdr insertion received:   0
HTTP hdr insertion processed:  0
HTTP hdr insert no URL drop count: 0
HTTP hdr insert with invalid URL log: 0
HTTP hdr insert with values exceeded max allowed length: 0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Netflow incoming count:        0
Log Forward count:             1
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Total logs not written due to disk unavailability: 0
Logs not written since disk became unavailable: 0
DPI logs received:             0
HIP Report logs received:      0


Summary Statistics:
Num current entries in trsum:0
Num cumulative entries in trsum:12
Num current entries in thsum:0
Num cumulative entries in thsum:0
Num current entries in urlsum:0
Num cumulative entries in urlsum:0
Num current entries in gtpsum:0
Num cumulative entries in gtpsum:0
Num current entries in sctpsum:0
Num cumulative entries in sctpsum:0
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
Num current drop entries in urlsum:0
Num cumulative drop entries in urlsum:0
Num current drop entries in gtpsum:0
Num cumulative drop entries in gtpsum:0
Num current drop entries in sctpsum:0
Num cumulative drop entries in sctpsum:0

 

External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog              7              7              0              0                        0
      snmp              0              0              0              0                        0
     email              0              0              0              0                        0
       raw              0              0              0              0                        0
      http              0              0              0              0                        0
   autotag              0              0              0              0                        0
      amqp              0              0              0              0                        0

 

 

show logging-status output:
-----------------------------------------------------------------------------------------------------------------------------
      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
        Not Sending to CMS 0
> CMS 1
        Not Sending to CMS 1

>Log Collector
        Not Sending to Log Collector

 

 

Best Regards,

Alex
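A quick way to read counters like the ones pasted above is to parse the `debug log-receiver statistics` output and compare what the firewall writes locally with what it hands to the external forwarders. The script below is an added example, not Palo Alto Networks code and not part of the original post; the sample text is an abridged copy of the output in the post, and the thresholds used in `assess()` are assumptions chosen for illustration.

```python
"""Parse `debug log-receiver statistics` and flag common log-forwarding problems.

Added example (not PAN-OS code).  Counter names come from the output quoted in
the post; the interpretation rules in assess() are assumptions.
"""
import re

# Abridged copy of the output pasted in the post (sample input, constructed for this example).
SAMPLE = """\
Logging statistics
------------------------------ -----------
Log incoming rate:             0/sec
Log written rate:              0/sec
Logs discarded (queue full):   0
Traffic logs written:          1016
Log Forward count:             1
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0

External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog              7              7              0              0                        0
      snmp              0              0              0              0                        0
     email              0              0              0              0                        0
"""

# "Name:   123" or "Name:   0/sec" lines in the first section.
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z][^:]*?):\s+(?P<value>\d+)(?:/sec)?\s*$")
# Rows of the "External Forwarding stats" table: type followed by five integer columns.
FWD_RE = re.compile(
    r"^\s*(?P<type>[a-z]+)\s+(?P<enq>\d+)\s+(?P<sent>\d+)\s+(?P<drop>\d+)\s+(?P<depth>\d+)\s+(?P<rate>\d+)\s*$"
)


def parse_stats(text):
    """Return (counters, forwarding): counter name -> int, and transport -> column dict."""
    counters, forwarding = {}, {}
    in_fwd = False
    for line in text.splitlines():
        if line.startswith("External Forwarding stats"):
            in_fwd = True
            continue
        if in_fwd:
            m = FWD_RE.match(line)
            if m:
                forwarding[m["type"]] = {k: int(m[k]) for k in ("enq", "sent", "drop", "depth", "rate")}
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"].strip()] = int(m["value"])
    return counters, forwarding


def assess(counters, forwarding, transport="syslog"):
    """Heuristic findings (assumed thresholds) for the given external transport."""
    findings = []
    written = counters.get("Traffic logs written", 0)
    fwd = forwarding.get(transport, {"enq": 0, "sent": 0, "drop": 0, "depth": 0, "rate": 0})
    send_err = counters.get("Log Forward discarded (send error) count", 0)
    if fwd["drop"] or send_err:
        findings.append("send errors: check transport (TCP/UDP), message format and the path to the receiver")
    if fwd["depth"] > 0 and fwd["rate"] == 0:
        findings.append("queue growing while the send rate is zero: receiver unreachable")
    if written == 0:
        findings.append("no traffic logs written at all: check that traffic matches a rule with logging enabled")
    elif fwd["enq"] < written // 10:  # assumption: forwarding far below local write volume
        findings.append(
            "traffic logs are written locally but almost none are enqueued for forwarding: "
            "check that the Log Forwarding profile is attached to the security rules"
        )
    return findings


if __name__ == "__main__":
    counters, forwarding = parse_stats(SAMPLE)
    for f in assess(counters, forwarding):
        print("-", f)
```

On the pasted output this reports only one finding: 1016 traffic logs were written locally while the syslog forwarder enqueued 7, with no drops or send errors, which points at the forwarding profile rather than at the network path.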


Hello,

Check and see if the logs are getting sent out of the management interface:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

 

Also make sure in the AWS security policies you are allowing the traffic.

 

Regards,
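The AWS side of the advice above can be checked offline against the security-group definitions rather than by trial and error. The script below is an added example (not part of the reply, not Palo Alto or AWS code); the group names, CIDRs and rules are constructed to resemble `describe-security-groups` output and are assumptions. It ignores rules that reference other groups (`UserIdGroupPairs`) and prefix lists, so a "not allowed" result from it should be confirmed in the console.

```python
"""Check whether security groups permit firewall-management -> syslog traffic.

Added example, not AWS or Palo Alto code.  Security groups are stateful, so the
sender's egress rules and the receiver's ingress rules each have to allow the flow;
network ACLs (stateless) are not modelled here.
"""
import ipaddress

# Constructed sample resembling `aws ec2 describe-security-groups` output (hypothetical IDs/CIDRs).
FIREWALL_MGMT_SG = {
    "GroupId": "sg-0fwmgmt",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # default allow-all egress
    ],
}
SYSLOG_SG = {
    "GroupId": "sg-0syslog",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 514, "ToPort": 514, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}


def rule_matches(rule, proto, port, peer_ip):
    """True if one SG rule covers `proto`/`port` for a peer at `peer_ip` (CIDR rules only)."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" means all protocols and carries no port range.
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def path_allowed(src_sg, dst_sg, proto, port, src_ip, dst_ip):
    """Evaluate sender egress (toward dst_ip) and receiver ingress (from src_ip)."""
    egress_ok = any(rule_matches(r, proto, port, dst_ip) for r in src_sg.get("IpPermissionsEgress", []))
    ingress_ok = any(rule_matches(r, proto, port, src_ip) for r in dst_sg.get("IpPermissions", []))
    return {"egress": egress_ok, "ingress": ingress_ok, "allowed": egress_ok and ingress_ok}


if __name__ == "__main__":
    # Firewall management interface 10.0.1.10 sending to a syslog server at 10.0.2.20 (constructed).
    for proto in ("udp", "tcp"):
        print(proto, path_allowed(FIREWALL_MGMT_SG, SYSLOG_SG, proto, 514, "10.0.1.10", "10.0.2.20"))
```

With the sample groups, UDP/514 passes both checks while TCP/514 fails on the receiver's ingress rules, which is exactly the kind of mismatch that shows up as a firewall that "sends" (the syslog Send Count increases) while nothing reaches the server.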

Hi @OtakarKlier ,

 

I fixed the issue by changing the format of the logs; apparently, when shipping logs over TCP you have to use IETF format and not BSD.

But now I ran into new issues: first of all, the only log that I receive is that the syslog connection was established, and second of all, I do not get any authentication logs regarding the web UI or CLI.

Alex.
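When the format question comes up, the receiving side should be able to tell which format actually arrived and how the TCP stream is framed, since a receiver expecting one and getting the other is a common reason a connection "establishes" but no usable logs appear. The parser below is an added example (not part of the post, not Palo Alto code): it splits a TCP byte stream using either RFC 6587 octet counting or newline framing, then classifies each message as RFC 5424 (IETF) or RFC 3164 (BSD). The sample stream is constructed; the hostnames and message bodies are placeholders, not real firewall log lines.

```python
"""Split a syslog-over-TCP stream and classify each message as IETF (RFC 5424) or BSD (RFC 3164).

Added example, not PAN-OS code.  Sample messages below are constructed placeholders.
"""
import re

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [SP MSG]
IETF_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$",
    re.S,
)
# RFC 3164: "Mmm dd hh:mm:ss host message" (day may be space-padded)
BSD_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)


def parse_syslog(raw):
    """Return a dict with format, facility/severity from PRI, and the main fields."""
    m = PRI_RE.match(raw)
    if not m:
        return {"format": "unknown", "raw": raw}
    pri, rest = int(m["pri"]), m["rest"]
    base = {"facility": pri >> 3, "severity": pri & 7}
    m2 = IETF_RE.match(rest)
    if m2:
        return {"format": "ietf", **base, "host": m2["host"], "app": m2["app"], "msg": m2["msg"]}
    m3 = BSD_RE.match(rest)
    if m3:
        return {"format": "bsd", **base, "host": m3["host"], "msg": m3["msg"]}
    return {"format": "unknown", **base, "msg": rest}


def split_tcp_stream(data):
    """RFC 6587 framing: "<len> <msg>" octet counting, otherwise LF-terminated messages.

    A syslog message itself starts with '<', so a leading digit run followed by a
    space can only be an octet-count prefix.
    """
    msgs, i = [], 0
    while i < len(data):
        m = re.match(rb"(\d+) ", data[i:])
        if m:
            n, start = int(m.group(1)), i + m.end()
            msgs.append(data[start:start + n].decode("utf-8", "replace"))
            i = start + n
        else:
            j = data.find(b"\n", i)
            if j < 0:
                j = len(data)
            msgs.append(data[i:j].decode("utf-8", "replace"))
            i = j + 1
    return msgs


# Constructed sample: two IETF messages with LF framing around one BSD message with octet counting.
_IETF1 = b"<14>1 2024-05-01T10:00:00Z pa-vm - - - - constructed TRAFFIC log 1"
_BSD = b"<14>May  1 10:00:01 pa-vm constructed BSD log"
_IETF2 = b"<13>1 2024-05-01T10:00:02Z pa-vm - - - - constructed SYSTEM log"
SAMPLE_STREAM = _IETF1 + b"\n" + str(len(_BSD)).encode() + b" " + _BSD + _IETF2 + b"\n"


if __name__ == "__main__":
    for raw in split_tcp_stream(SAMPLE_STREAM):
        p = parse_syslog(raw)
        print(p["format"], p.get("host"), p.get("msg"))
```

Pointing a small listener built on these two functions at the port the firewall targets shows, per message, whether the format the receiver is configured for matches what is on the wire; a receiver that only handles one of the two framings will silently discard or mangle the other.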

Hello,

Those are enabled in the Device->Log Settings area. If everything is setup correctly and you're still not getting logs, I would open a TAC case.

 

Regards,

Hi, I can see the access logs now but still cannot see the traffic ones.

Any ideas, or should I open a TAC case?

Hello,

Are they not in the monitor tab->traffic? Is there traffic hitting the policies? Sounds like a setting got missed. I would follow the steps again just to double check and make sure. If everything looks correct, then I would create the TAC case.

Regards,

@OtakarKlier ,

 

There is no traffic in the Monitor tab under Traffic, and the weird issue is that I had traffic there before I configured the syslog server.

In any case, I did open a case with support; hopefully they can resolve my issue.

 

Alex.
