Log Collector not receiving logs.

L2 Linker

Hi All,

We have deployed 2x M200 log collectors for log collection. They are registered on Panorama and show in-sync. I have done the collector-group settings. Now when I go to Panorama > Managed Collectors, the log collectors show disconnected status (screenshot attached), with the message "Log collector <serial number> failed to connect to <serial number> Inter-LC".

The 2 log collectors are to be deployed in redundancy.


Below is the output of "show logging-status" on the firewalls.

-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------

Log Collector : xxxxxxxxxxxxxxx
Conn ID : lr-172.16.100.100
Connection IP : lr-172.16.100.100
Conn Source IP : lr-172.16.100.100- - def
High speed mode : Disabled
Connection Status : lr-172.16.100.100- - Inactive
DNS :
msg : Successfully resolved FQDN for connid (lr-172.16.100.100-def), IP (172.16.100.100)
status : success
timestamp : 2020/07/24 10:49:30

Registration :
msg : Timeout:4310 triggered for lc_conn_id:lr-172.16.100.100-def
status : failure
timestamp : 2020/07/27 10:42:35

SSL :
msg : ssl channel established
status : success
timestamp : 2020/07/24 10:49:32

TCP :
msg : tcp connection established
status : success
timestamp : 2020/07/24 10:49:30

Conn Uptime : 0
Re-conn Count : 0

Rate : 0 logs/sec

traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0

 

Connection status shows "inactive".

How can I make the firewalls send logs to the log collectors and get the status to show active?

 



Thanks & Regards,
Varun Rao
Senior Security Engineer, Victoria | Australia | NTT
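A health check over the "show logging-status" output shown above, added here as an example (it is not from the thread and not a Palo Alto Networks tool): it parses the connection status, the four setup stages and the Total Logs Fwded column, and reports the inactive connection and the failed Registration stage that this post and the later reply describe. Function and field names are my own.

```python
import re
# Constructed sample: lines from the "show logging-status" output in the post
# above (collector serial masked as posted, timestamps omitted).
SAMPLE = """\
Connection Status : lr-172.16.100.100- - Inactive
DNS :
msg : Successfully resolved FQDN for connid (lr-172.16.100.100-def), IP (172.16.100.100)
status : success
Registration :
msg : Timeout:4310 triggered for lc_conn_id:lr-172.16.100.100-def
status : failure
SSL :
msg : ssl channel established
status : success
TCP :
msg : tcp connection established
status : success
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
"""

STAGES = ("DNS", "Registration", "SSL", "TCP")  # setup stages the firewall reports

def parse_logging_status(text):
    """Extract connection status, per-stage status/msg, and Total Logs Fwded per log type."""
    res = {"conn": None, "stages": {}, "totals": {}}
    stage = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"Connection Status\s*:.*-\s*-\s*(\w+)$", line):
            res["conn"] = m.group(1)  # "Active" or "Inactive"
        elif m := re.match(r"(DNS|Registration|SSL|TCP)\s*:$", line):
            stage = m.group(1)  # start of a stage block; msg/status lines follow
            res["stages"][stage] = {}
        elif stage and (m := re.match(r"(msg|status)\s*:\s*(.*)$", line)):
            res["stages"][stage][m.group(1)] = m.group(2)
        elif m := re.match(r"([a-z][\w-]*)\s+.*\s(\d+)$", line):
            res["totals"][m.group(1)] = int(m.group(2))  # last column: Total Logs Fwded
    return res

def diagnose(text):
    """Return findings worth acting on; an empty list means forwarding looks healthy."""
    r = parse_logging_status(text)
    findings = [] if r["conn"] == "Active" else [f"connection status is {r['conn']}, expected Active"]
    findings += [f"{n} stage failed: {r['stages'].get(n, {}).get('msg', 'not in output')}"
                 for n in STAGES if r["stages"].get(n, {}).get("status") != "success"]
    if r["totals"] and all(v == 0 for v in r["totals"].values()):
        findings.append("zero logs forwarded for every log type")
    return findings
```

Feed diagnose() the full output captured from a firewall CLI session; an empty list means the connection is Active, all four stages succeeded and at least one log type has been forwarded.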






All Replies
L1 Bithead

You'll first need to get the log collectors to sync up and connect to your Panorama before you start looking at your firewall.

Connect to the individual log collectors and look for error messages there. Once they connect to Panorama and each other successfully, the firewall will start sending logs.

Cyber Elite

@VarunRao

Are you using the same log collector IP for management and for receiving logs from the PA?

In Panorama, go to Collector Groups, then click on Device Log Forwarding.

Make sure your firewall is added there.

Then in the log collector CLI run this command:

show logging-status device <serial number of FW>

Also make sure that from the FW management interface you can ping the log collector IP.

 

Regards

 

MP


L2 Linker

Hi,

The log collectors show in-sync on Panorama.

How do I ensure they are connected to each other? Is there a config to ensure the 2 are talking to each other?








L2 Linker

Are you using the same log collector IP for management and receiving logs from the PA? Yes, using the same interface for management and receiving logs.

In Panorama, go to Collector Groups, then click on Device Log Forwarding. Yes, it is configured.

Make sure your firewall is added there. Yes.

Then in the log collector CLI run this command:

show logging-status device <serial number of FW>

admin@logcollector01> show logging-status device 0xxx11584xx

Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated

Also make sure that from the FW management interface you can ping the log collector IP.

Able to ping.








Cyber Elite

Use the command below to check whether logrcvr is running or not:

show system software status | match logrcvr

If it is not running, it will need a restart:

 > debug software restart process log-receiver

show netstat

and look for the IP of the log collector.

Also, when you run the command

show logging-status

make sure the hostname of the log collector gets resolved.

My setup, which is working:

 

Connection Status : ms-10.7.12.104- - Active
DNS :
msg : Successfully resolved FQDN for connid (ms-10.7.12.104-def), IP (10.7.12.104)
status : success
timestamp : 2020/01/09 13:42:57

 

Is there any firewall between the PA and the log collector?

MP
L2 Linker

The logrcvr process seems to be running fine. For show logging-status, DNS resolution is fine, but for Registration I am seeing a failure:

 

Registration :
msg : Timeout:4310 triggered for lc_conn_id:lr-172.16.100.100-def
status : failure
timestamp : 2020/08/06 10:42:35

What is this registration for?

 








Cyber Elite

@VarunRao 

 

Make sure your log collectors are registered and have valid licenses.

You need to add the firewall in Panorama under Collector Groups and Device Log Forwarding.

Also make sure your log collector is in the right mode: for logging only, with no GUI access, they need to be in logging mode.

Make sure you have done this as explained in the URL below:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmVlCAK

 

Regards

MP
L2 Linker

The issue was resolved by opening a case with TAC.

 

I was missing the check box for sending logs to Panorama/log collector on the log forwarding profile:

Objects > Log Forwarding Profile > select your profile > check the box option for Panorama/Log Collector

This would send the traffic from the firewall to the dedicated log collector.








Cyber Elite

@VarunRao 

Thanks for updating us regarding the solution.

It will help someone in the community in the near future.

 

Regards

MP