disable redundancy in collector group


L3 Networker

We want to disable redundancy in our existing collector group configuration because there is not enough available space to store one year of logs.

 

In our setup we have M200 in HA and configured a local log collector on both Panoramas. We configured a collector group and added both local log collectors to the same collector group. We enabled redundancy to store a copy of the same logs on both collectors. Now both collectors are utilized up to 60% and show the oldest logs from the last 4 months. In order to save the logs for one year, the current redundancy setup is not useful, hence we want to disable the redundancy option in the same collector group.

 

Is there any issue or loss of logs if we uncheck the redundancy option in the collector group?

We also want to know if there is any loss of logs after configuring a log forwarding preference list in the same collector group. (We have a Panorama HA pair at geographically different locations, hence we want to configure a log forwarding preference list in the same collector group to send logs to the nearest collector, and if it fails, firewalls will send logs to the secondary collector.)

2 ACCEPTED SOLUTIONS

Cyber Elite

Based on my reading, there should not be any loss of logs, if you disable the redundancy. 

I believe that you would need to configure in your template/device group as to which LC you are forwarding logs to.  I am reading your comment about what is geographically closer LC and I am not sure how that would work.  You configure which LC your devices would talk to.

 

As for 60% used in last 4 months, did PANW or your reseller size how much storage you would need? I am not pointing fingers; I am just suggesting that somehow this information/data could have been perhaps discovered prior. Have you considered adjusting which rules actually require logging? For example, DNS, LDAP, RDP, SSL, Web-Browsing, ms-smb, netbios could be apps that are not logged, based on amount of connections and log traffic. One day of DNS could easily provide 10K log entries. Just some other points to ponder.

Help the community: Like helpful comments and mark solutions

Cyber Elite

@Deepak25 

The answer is there will be no loss of logs if you disable the log redundancy.

If you have a firewall with preference list 1 and 2 and the 1st Panorama goes down, then the firewall will send logs to the second Panorama.

So in this scenario both Panoramas will not share the logs.

 

Regards

 

MP
