Traffic Log is Not Generated and Not Displayed on the WebGUI after Changing Back Time


Symptom

After changing back time manually, the WebGUI stops showing the traffic log.

 

Troubleshooting Steps

  • Run the show log traffic direction equal backward command and see if the traffic log is displayed on the CLI. If so, it is a WebGUI issue.
  • Run the debug log-receiver statistics command and see if the "Traffic logs written" counter increases.

> debug log-receiver statistics

Logging statistics
-----------------------------------------
Log incoming rate: 0/sec
Log written rate: 0/sec
Corrupted packets: 0
Corrupted URL packets: 0
Logs discarded (queue full): 0
Traffic logs written: 1292

 

  • Run the debug log-receiver on debug command to enable the log-receiver debug log. Next, run tail follow yes mp-log logrcvr.log and look for the following messages:
    > tail follow yes mp-log logrcvr.log

Feb 24 14:09:50 pan_logrcvr(pan_log_receiver.c:1806): real data
Feb 24 14:09:50 pan_logrcvr(pan_log_receiver.c:1764): try select
Feb 24 14:09:53 pan_logrcvr(pan_log_receiver.c:1796): pipe data
Feb 24 14:09:53 pan_logrcvr(pan_log_receiver.c:1764): try select
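
The counter check from the second troubleshooting step, as an added example (not part of the original article and not Palo Alto Networks tooling): Python that compares two saved captures of the debug log-receiver statistics output and reports whether "Traffic logs written" moved. The sample captures are constructed from the output shown above; the function names and result labels are assumptions of this example.

```python
import re

# Constructed sample: two captures of `debug log-receiver statistics`,
# taken a short time apart. The second value (1310) is made up.
SNAPSHOT_1 = """\
Logging statistics
-----------------------------------------
Log incoming rate: 0/sec
Log written rate: 0/sec
Corrupted packets: 0
Corrupted URL packets: 0
Logs discarded (queue full): 0
Traffic logs written: 1292
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("written: 1292", "written: 1310")

# Matches "name: number" with an optional "/sec" suffix; headers and rules do not match.
LINE_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<value>\d+)(?:/sec)?\s*$")

def parse_stats(text):
    """Return {counter name: int} for every 'name: number' line in a capture."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats

def diagnose(before, after):
    """Compare two captures; the returned labels are this example's own."""
    a, b = parse_stats(before), parse_stats(after)
    for key in ("Traffic logs written", "Logs discarded (queue full)"):
        if key not in a or key not in b:
            raise ValueError(f"counter missing from capture: {key}")
    written = b["Traffic logs written"] - a["Traffic logs written"]
    dropped = b["Logs discarded (queue full)"] - a["Logs discarded (queue full)"]
    if written < 0:
        return "counter-decreased"  # captures out of order or counters reset
    if dropped > 0:
        return "queue-drops"        # logs are arriving but being discarded
    if written > 0:
        return "logs-written"       # logs are being written; check retrieval/WebGUI
    return "no-logs-written"        # counter did not move between captures

if __name__ == "__main__":
    print(diagnose(SNAPSHOT_1, SNAPSHOT_2))
```
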

 

Cause

The request from the GUI to retrieve the logs has a time stamp in it. When the time is manually changed back, this creates a mismatch between the GUI time stamp and the logs, so the system does not retrieve the logs.

 

Workaround

Since this happens in such a specific scenario, the issue can be avoided by not changing back the time manually. If this scenario occurs, it can be recovered by running the following CLI command:

 

Before PAN-OS 7.0:
> debug software restart log-receiver

Starting from PAN-OS 7.0:
> debug software restart process log-receiver

 

owner: ymiyashita

Comments

Is there an updated version of this article for 7.0 code? I can't seem to find one.

 

The log-receiver commands seem to have changed. I assume they are logd now but I still cannot find the right syntax to get this data.

 

In my case, we have restarted Panorama with no effect, so I am guessing this is not the fix I need anyways. We are going to try to remove the managed device from Panorama and re-add it to reset SIC between them.

 

If there's an easier way, someone let me know! :)

 

Thanks!

Hi greynolds,

 

In 7.0 the syntax changed slightly.

To restart the log-receiver process in 7.0 (and 7.1):

 

> debug software restart process log-receiver

 

Cheers,

-Kim.

Hi,

 

No 'debug log-receiver' command exists in v7.x.

 

What's the correct command to see the statistics?


regards,

Philippe

Hi @philippe_boeij

 

This command still exists in both 7.0 and 7.1. It is possible your admin account on the firewall is restricted and debug commands may not be enabled. Please check using a superuser account.

 

 

Hi,

 

The account used has superuser rights.

 

To avoid that part: I downloaded a fresh Panorama, upgraded it to v7.1.4 and used the built-in 'admin' account:

 

login as: admin
Using keyboard-interactive authentication.
Password:
Last login: Wed Sep 14 12:15:53 2016

Number of failed attempts since last successful login: 0


Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
admin@Panorama> debug log ?
> log-collector          log-collector
> log-collector-group    log-collector-group
> log-output-need-utf8   system option to support utf8 for log output
> logd                   logd
> logdb-usage            Report logdb usage

admin@Panorama> debug log-receiver statistics

 

Invalid syntax.
admin@Panorama>

 

 

Or do I need to enable that debug command?

 

Regards

Hi @philippe_boeij

 

OK! Panorama is a different story :)

For Panorama (since it doesn't have a log receiver) the command is:

 

> debug log-collector log-collection-stats show incoming-logs 

Hi,

 

@reaper, thank you so much for this clarification!

 

Regards,

Philippe

Hi, I am also facing the same problem. I am using VM series PAN-OS 7. I have tried all the solutions given in the forum but still no luck.

Hi @anuragmasih, did you manually change your system's time? The scenario above only applies if you manually changed the system time.

 

For a VM firewall there needs to be a support license installed for it to collect logs. Did you make sure the VM is activated and has a valid license? If yes, you will want to reach out to support to investigate this further. If no, you will first need to activate your VM before it will start collecting log files.

Hi @reaper, at present I don't have a license as I am just evaluating this in a lab. Can you please advise if we can forward the logs to a syslog server, or does this too need license activation?

Without a license, the VM will not generate any logs. Log forwarding takes place after log generation, so you will need a license. You can reach out to your local sales team for trial options.