This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

collector group with redundancy not working properly

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

collector group with redundancy not working properly

Deepak25
L3 Networker

‎06-15-2021 06:32 AM

we have configured Panorama M200 in HA , configured managed collector with local log collector , configured collector group and added local log collector of both panorama,  redundancy is enabled in collector group (log forwarding preference is not configured.

 

Above configuration we have done to store same logs on both local log collector and enable redundancy So if complete Pri M200 box failed , we will have same logs in Sec M200 local log collector.

But as per configuration logging is not happening properly on secondary panorama , there is a difference in system dis-space utilization

Deepak25_0-1623763316613.png

Also we sec panorama log collector not receiving any log ( as per our requirement and redundancy conifg secondaryM200 also should store the logs)

Deepak25_1-1623763766133.png

 

is there any configuration issue , or the output in sec m200 is normal ? how we can check same logs are store or not in sec M200 ?

 

We are able to see same logs in both M200 webgui , as per my understanding its because of collector group config .

0 Likes Likes
8 REPLIES 8

MP18
Cyber Elite
Cyber Elite

‎06-15-2021 07:42 AM - edited ‎06-15-2021 07:43 AM

@Deepak25 

 

I do not think from sec M200 CLI you will see incoming logs.

Please read this 

 

If you select this option, each log in the Collector Group will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can see all the logs forwarded to the Collector Group and run reports for all the log data. Log redundancy is available only if the Collector Group has multiple Log Collectors and each Log Collector has the same number of disks.
After you enable redundancy, Panorama redistributes the existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage. All the Log Collectors for any particular Collector Group must be the same model: for example, all M-500 appliances or all Panorama virtual appliances.
 
Because enabling redundancy creates more logs, this configuration requires more storage capacity. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives. (When a Collector Group runs out of space, it deletes older logs.)
 
Regards
MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Deepak25
L3 Networker
In response to MP18

‎06-15-2021 08:38 AM

Thank you for information.

I have read many articles to investigate on this issue. Due to differences in disk utilization we want to check logging on sec m200. Also redistribution state is already completed and status is none when we deployed sec m200 in HA with pri M200 five month back. Due to pci standard logging is very important for us. 

0 Likes Likes

MP18
Cyber Elite
Cyber Elite
In response to Deepak25

‎06-15-2021 08:45 AM - edited ‎06-15-2021 08:51 AM

@Deepak25 

 

So you mean you added sec M200 after few months to Primary M200 right?

We also have M200 in HA mode.

 

When I do shutdown of Primary M200 then Sec M200 becomes Primary and I can see old traffic logs there.

This tells me that logs are in syn between both.

 

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Deepak25
L3 Networker
In response to MP18

‎06-15-2021 09:22 AM - edited ‎06-15-2021 09:24 AM

Yes, we have deployed pri m200 in 2019 and due to pci standard we have added secondary panorama in 2020. 

Hv u configured same setting , can u please share your settings 

0 Likes Likes

MP18
Cyber Elite
Cyber Elite
In response to Deepak25

‎06-15-2021 09:46 AM

@Deepak25 

 

We have check mark Enable log redundancy across collectors.

And Firewall is added to M200.

 

From FW  CLI

 

show log-collector preference-list

Log Collector Preference List
Forward to all: No
Serial Number: 007307001xxx IP Address: 10.7.2.104 IPV6 Address: unknown
Serial Number: 007307001xxx IP Address: 10.7.2.103 IPV6 Address: unknown

 

fw send logs to Primary M200 and if it is down then it will send to another one.

 

Regards

 

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Deepak25
L3 Networker
In response to MP18

‎06-15-2021 09:54 AM

Thanks for sharing the setting.

We have same setting only log forwarding preference list not configured as we want to forward logs to both local log collector.

I think theoretically , If redundancy is enabled no point of creating log forwarding preference list as logs getting stored in both managed collectors.

Please correct me if I am wrong.

0 Likes Likes

MP18
Cyber Elite
Cyber Elite
In response to Deepak25

‎06-15-2021 10:00 AM

@Deepak25 

 

you need preference list as if one log collector dies then firewall will not send logs to another collector in preference list.

Also you will get system alert emails that fw has lost connection to log collector.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

MP18
Cyber Elite
Cyber Elite
In response to Deepak25

‎06-23-2021 05:00 PM

@Deepak25 

 

Also you can see logs on secondary Panorama by show log traffic command from CLI.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 3953 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks