06-21-2021 05:59 AM
We want to disable redundancy in existing collector group configuration due to less available space for logging one year logs.
In our setup we have M200 in HA and configured local log collector in both Panorama. Configured collector group and added both local log collector in same collector group. Enabled redundancy to store copy of same logs in both collector. Now both collectors utilized upto 60% and showing last 4 month oldest logs. In order to save the logs for one year current redundancy setup is not useful , hence we can to disable redundancy option in same collector group.
Is there any issue or loss of logs if we unchecked redundancy option in collector group.
Also want to know if there is any loss of logs after configuring log forwarding preference list in same collector group( we have Panorama HA pair and geographically at different location , hence want to configure log forwarding preference list in same collector group to send logs to nearest collector and if it failed firewalls will send logs to secondary collector)
06-22-2021 07:48 AM
Based on my reading, there should not be any loss of logs, if you disable the redundancy.
I believe that you would need to configure in your template/device group as to which LC you are forwarding logs to. I am reading your comment about what is geographically closer LC and I am not sure how that would work. You configure which LC your devices would talk to.
As for 60% used in last 4 months, did PANW or your reseller size how much storage you would need? I am not pointing fingers; I am just suggesting that somehow this information/data could have been perhaps discovered prior. Have you considered adjusting which rules actually require logging (for example... DNS, LDAP, RDP, SSL, Web-Browsing, ms-smb, netbios, could be apps that not logged, based on amount of connections and log traffic. One day of DNS could easily provide 10K is log entries. Just some other points to ponder.
06-23-2021 03:49 PM
Answer is there will no loss of logs if you disable the log redundancy.
IF you have firewall with preference list 1 and 2 and if 1st Panorama goes down then firewall will send logs to second
panorama.
So in this scenario both Panoramas will not share the logs.
Regards
06-22-2021 07:48 AM
Based on my reading, there should not be any loss of logs, if you disable the redundancy.
I believe that you would need to configure in your template/device group as to which LC you are forwarding logs to. I am reading your comment about what is geographically closer LC and I am not sure how that would work. You configure which LC your devices would talk to.
As for 60% used in last 4 months, did PANW or your reseller size how much storage you would need? I am not pointing fingers; I am just suggesting that somehow this information/data could have been perhaps discovered prior. Have you considered adjusting which rules actually require logging (for example... DNS, LDAP, RDP, SSL, Web-Browsing, ms-smb, netbios, could be apps that not logged, based on amount of connections and log traffic. One day of DNS could easily provide 10K is log entries. Just some other points to ponder.
06-23-2021 03:49 PM
Answer is there will no loss of logs if you disable the log redundancy.
IF you have firewall with preference list 1 and 2 and if 1st Panorama goes down then firewall will send logs to second
panorama.
So in this scenario both Panoramas will not share the logs.
Regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
