06-15-2021 06:32 AM
We have configured Panorama M200 in HA, configured a managed collector with the local log collector, configured a collector group, and added the local log collectors of both Panoramas. Redundancy is enabled in the collector group (log forwarding preference is not configured).
We did the above configuration to store the same logs on both local log collectors and enable redundancy, so if the complete Pri M200 box fails, we will have the same logs in the Sec M200 local log collector.
But as per the configuration, logging is not happening properly on the secondary Panorama; there is a difference in system disk-space utilization.
Also, the sec Panorama log collector is not receiving any logs (as per our requirement and redundancy config, the secondary M200 should also store the logs).
Is there any configuration issue, or is the output on the sec M200 normal? How can we check whether the same logs are stored on the sec M200?
We are able to see the same logs in both M200 web GUIs; as per my understanding it's because of the collector group config.
06-15-2021 07:42 AM - edited 06-15-2021 07:43 AM
I do not think from sec M200 CLI you will see incoming logs.
Please read this
06-15-2021 08:38 AM
Thank you for the information.
I have read many articles to investigate this issue. Due to the differences in disk utilization, we want to check logging on the sec M200. Also, the redistribution state was already completed and the status was none when we deployed the sec M200 in HA with the pri M200 five months back. Due to the PCI standard, logging is very important for us.
06-15-2021 08:45 AM - edited 06-15-2021 08:51 AM
So you mean you added the sec M200 to the Primary M200 after a few months, right?
We also have M200 in HA mode.
When I shut down the Primary M200, the Sec M200 becomes Primary and I can see old traffic logs there.
This tells me that logs are in sync between both.
06-15-2021 09:22 AM - edited 06-15-2021 09:24 AM
Yes, we deployed the pri M200 in 2019 and, due to the PCI standard, we added the secondary Panorama in 2020.
Have you configured the same settings? Can you please share your settings?
06-15-2021 09:46 AM
We have check-marked "Enable log redundancy across collectors".
And the firewall is added to the M200.
From FW CLI
show log-collector preference-list
Log Collector Preference List
Forward to all: No
Serial Number: 007307001xxx IP Address: 10.7.2.104 IPV6 Address: unknown
Serial Number: 007307001xxx IP Address: 10.7.2.103 IPV6 Address: unknown
The FW sends logs to the Primary M200, and if it is down then it will send to the other one.
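An added example, not part of the original post and not Palo Alto code: a Python check over saved `show log-collector preference-list` output that reports when a firewall has no second collector to fail over to. The sample text is constructed in the layout quoted above (serials are placeholders), and the function names `parse_preference_list` and `audit` are hypothetical.

```python
import re

# Constructed samples in the layout quoted in the post; serials are placeholders.
SAMPLE_HA = """\
Log Collector Preference List
Forward to all: No
Serial Number: SERIAL-PLACEHOLDER-1 IP Address: 10.7.2.104 IPV6 Address: unknown
Serial Number: SERIAL-PLACEHOLDER-2 IP Address: 10.7.2.103 IPV6 Address: unknown
"""
SAMPLE_SINGLE = """\
Log Collector Preference List
Forward to all: No
Serial Number: SERIAL-PLACEHOLDER-1 IP Address: 10.7.2.104 IPV6 Address: unknown
"""

# Assumption: one collector per line, fields in the order shown in the post.
ENTRY = re.compile(
    r"Serial Number:\s*(\S+)\s+IP Address:\s*(\S+)\s+IPV6 Address:\s*(\S+)")
FORWARD = re.compile(r"Forward to all:\s*(\w+)", re.IGNORECASE)


def parse_preference_list(text):
    """Turn the CLI text into the forward-to-all flag and an ordered collector list."""
    flag = FORWARD.search(text)
    collectors = [{"serial": s, "ipv4": v4, "ipv6": v6}
                  for s, v4, v6 in ENTRY.findall(text)]
    return {"forward_to_all": bool(flag) and flag.group(1).lower() == "yes",
            "collectors": collectors}


def audit(text):
    """Return findings; an empty list means a distinct failover collector is listed."""
    collectors = parse_preference_list(text)["collectors"]
    findings = []
    if not collectors:
        findings.append("no log collector listed")
    elif len(collectors) == 1:
        findings.append("only one collector: no failover target")
    # Masked serials can look identical, so uniqueness is checked on the IP.
    ips = [c["ipv4"] for c in collectors]
    if len(set(ips)) != len(ips):
        findings.append("same collector IP listed more than once")
    return findings


if __name__ == "__main__":
    for name, sample in (("ha", SAMPLE_HA), ("single", SAMPLE_SINGLE)):
        print(name, audit(sample) or "ok")
```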
06-15-2021 09:54 AM
Thanks for sharing the setting.
We have the same settings; only the log forwarding preference list is not configured, as we want to forward logs to both local log collectors.
I think, theoretically, if redundancy is enabled there is no point in creating a log forwarding preference list, as logs are getting stored in both managed collectors.
Please correct me if I am wrong.
06-15-2021 10:00 AM
You need the preference list, as if one log collector dies then the firewall will not send logs to another collector in the preference list.
Also, you will get system alert emails that the FW has lost connection to the log collector.
06-23-2021 05:00 PM
Also, you can see logs on the secondary Panorama with the show log traffic command from the CLI.