Log Collector Setting Does Not Clear on the Palo Alto Networks Firewall


Issue

Once a Palo Alto Networks firewall is configured to forward logs to a Log Collector, the preference-list entry for that collector remains on the firewall even after the configuration is changed so that the collector is no longer used.

For example, a Palo Alto Networks device was connected to an M-100 Log Collector whose IP address was 10.128.18.55.

The following is the command output on the Palo Alto Networks device:

> show logging-status

-----------------------------------------------------------------------------------------------------------------------------
      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
        Not Sending to CMS 0
> CMS 1
        Not Sending to CMS 1
> Log Collector
'Log Collector log forwarding agent' is active and connected to 10.128.18.55
    config         Not Available         Not Available                        0                   0                        0
    system         Not Available         Not Available                        0                   0                        0
    threat         Not Available         Not Available                        0                   0                        0
   traffic   2014/07/10 17:49:05   2014/07/10 17:49:17                   795511              795443                     8286
  hipmatch         Not Available         Not Available                        0                   0                        0

> show log-collector preference-list

Log collector Preference List
Serial Number: 003001000638 IP Address: 10.128.18.55 IPV6 Address:

Then the M-100 Log Collector was removed from the network without committing the change to the Log Collector group. The Palo Alto Networks device was reconfigured to connect to a Panorama VM whose IP address is 10.128.18.50, with no Log Collector in this setup. The device still tries to connect to the M-100 Log Collector (10.128.18.55), and the symptom persists even after rebooting the device.

The following are the logs and command output on the Palo Alto Networks device:

> less mp-log ms.log

Jan 21 15:27:49 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:509): COMM: cannot connect. remote ip=10.128.18.55 port=3978 err=Connection refused(111) sock=14
Jan 21 15:27:49 Error: pan_lcsa_tcp_channel_setup(src_panos/lcs_agent.c:414): Could not get log collector local address for socket:0

> show log-collector preference-list

Log collector Preference List
Serial Number: 003001000638 IP Address: 10.128.18.55 IPV6 Address:

> show logging-status

-----------------------------------------------------------------------------------------------------------------------------
      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
        Not Sending to CMS 0
> CMS 1
        Not Sending to CMS 1
> Log Collector
'Log Collector log forwarding agent' is active but not connected
    config         Not Available         Not Available                        0                   0                        0
    threat         Not Available         Not Available                        0                   0                        0
   traffic         Not Available         Not Available                        0              409746                        0
  hipmatch         Not Available         Not Available                        0                   0                        0
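As an added check that is not part of this article: the Python below parses the three outputs shown above (preference list, logging status and ms.log) and flags a firewall whose preference list still points at a collector that is no longer in the intended set, so the resulting logging gap is noticed before logs are lost. The sample captures are constructed (and abridged) from this article's output, and the set of expected collector IPs is assumed to come from your own Panorama inventory.

```python
import re

# Constructed sample input, abridged from the captures in this article, for a
# firewall whose preference list still points at the removed M-100 (10.128.18.55).
PREF_LIST = """Log collector Preference List
Serial Number: 003001000638 IP Address: 10.128.18.55 IPV6 Address:
"""
STATUS = """> Log Collector
'Log Collector log forwarding agent' is active but not connected
    config         Not Available         Not Available        0        0        0
   traffic         Not Available         Not Available        0   409746        0
"""
MS_LOG = ("Jan 21 15:27:49 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:509): COMM: "
          "cannot connect. remote ip=10.128.18.55 port=3978 err=Connection refused(111) sock=14\n")

def parse_preference_list(text):
    """Return [(serial, ipv4), ...] from 'show log-collector preference-list' output."""
    pat = re.compile(r"Serial Number:\s*(\S+)\s+IP Address:\s*(\S+)")
    return [(m.group(1), m.group(2)) for m in pat.finditer(text)]

def parse_logging_status(text):
    """Return (agent_active, connected_ip) from the Log Collector part of 'show logging-status'."""
    m = re.search(r"log forwarding agent' is active (?:and connected to (\S+)|but not connected)", text)
    return (True, m.group(1)) if m else (False, None)

def refused_collector_ips(ms_log):
    """Collector IPs that ms.log shows refusing connections on the log-forwarding port 3978."""
    pat = re.compile(r"cannot connect\. remote ip=(\S+) port=3978 err=Connection refused")
    return sorted({m.group(1) for m in pat.finditer(ms_log)})

def audit(pref_text, status_text, ms_log, expected_collectors):
    """Findings for one firewall: a preference entry outside the intended collector set,
    an agent that is active but not connected, and ms.log evidence that the stale
    collector is being retried. expected_collectors is the operator's own inventory."""
    findings = []
    stale = {ip for _, ip in parse_preference_list(pref_text) if ip not in expected_collectors}
    for ip in sorted(stale):
        findings.append(f"stale preference-list entry: {ip}")
    active, connected = parse_logging_status(status_text)
    if active and connected is None:
        findings.append("forwarding agent active but not connected: logs are not being forwarded")
    for ip in refused_collector_ips(ms_log):
        if ip in stale:
            findings.append(f"ms.log: connection refused by stale collector {ip}")
    return findings
```

A firewall that produces any finding is a candidate for the preference-list deletion in the Resolution section, and an empty result for the healthy case (agent connected to an expected collector) confirms the check is not over-alerting.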

Resolution

Run the following CLI commands on the Palo Alto Networks firewall to delete the stale Log Collector preference list and restart the management server so the change takes effect:

  1. Delete the Log Collector preference list:
    > delete log-collector preference-list
  2. Restart the management server:
    > debug software restart management-server

owner: ymiyashita

Comments

I just ran into this in a case, and the only difference is the log-collector group and collector were removed from Panorama and commits done against Panorama, Collector Group AND Device Groups. Yet, I still see a firewall with the log-collector configuration pointed at the non-configured collector. Problem is, the collector is still running, so the firewall is forwarding logs to it.

This needs a fix!  Thanks for the heads-up and workaround.

Thx,

--Felix

Hi Felix,

Thanks for your comment. I hope that the command helped to resolve your issue.

The Palo Alto Networks firewall gets the log-collector info from Panorama. If you removed the log-collector setting from Panorama and committed the change against the Collector Group while there was connectivity between the Palo Alto Networks firewall and Panorama, it should have been reflected in the setting on the Palo Alto Networks firewall.

If it didn't work in that way, I'd advise you to open a support case to look into it further.

Thanks,

Yasu