Log Collector not receiving logs.

L2 Linker

Hi All,

 

We have deployed 2xM200 Log collectors for log collection. They are registered on the panorama and show in-sync. I have done the collector-group settings. Now when I go to Panorama > Managed collector > the log collectors show disconnected status (screenshot attached). With the message "Log collector <serial number> failed to connect to <serial number> Inter-LC"

 

The 2 log collectors are to be deployed in redundancy.

VarunRao_1-1595814847860.png

 

 

VarunRao_0-1595814717239.png

Below is the output of "show logging-status" on the firewalls.

-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------

Log Collector : xxxxxxxxxxxxxxx
Conn ID : lr-172.16.100.100
Connection IP : lr-172.16.100.100
Conn Source IP : lr-172.16.100.100- - def
High speed mode : Disabled
Connection Status : lr-172.16.100.100- - Inactive
DNS :
msg : Successfully resolved FQDN for connid (lr-172.16.100.100-def), IP (172.16.100.100)
status : success
timestamp : 2020/07/24 10:49:30

Registration :
msg : Timeout:4310 triggered for lc_conn_id:lr-172.16.100.100-def
status : failure
timestamp : 2020/07/27 10:42:35

SSL :
msg : ssl channel established
status : success
timestamp : 2020/07/24 10:49:32

TCP :
msg : tcp connection established
status : success
timestamp : 2020/07/24 10:49:30

Conn Uptime : 0
Re-conn Count : 0

Rate : 0 logs/sec

traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0

 

Connection status shows "inactive"

 

How can I make the firewalls send logs to the log collectors and get the status to be active?

 



Thanks & Regards,
Varun Rao
Accepted Solutions

Cyber Elite

@VarunRao 

 

Are you using the same Log Collector IP for management and for receiving logs from the PA?

Make sure in Panorama, Collector Groups, then click on Device Log Forwarding.

Make sure your firewall is added there.

Then in the Log Collector CLI, run this command:

show logging-status device <serial number of FW>

Also make sure that from the FW management interface you can ping the Log Collector IP.

 

Regards

 

MP

Help the community: Like helpful comments and mark solutions.


L2 Linker

You'll first need to get the log collectors to sync up and connect to your Panorama before you start looking at your firewall.

Connect to the individual log collectors and look for error messages there. Once they connect to Panorama and each other successfully, the firewall will start sending logs.


Hi,

 

the log collectors show in-sync on the panorama.

 

How do I ensure they are connected to each other? Is there a config to ensure the 2 are talking to each other?



Thanks & Regards,
Varun Rao

Are you using same Log collector IP for Management and receiving logs from PA? Yes using same interface for management and receiving logs.

Make sure in Panorama , Collector Groups then click on device log forwarding. Yes it is configured.

Make sure your firewall is added there. Yes

 

Then in Log collector CLI  Run this command 

show logging-status device  serial number of FW

admin@logcollector01> show logging-status device 0xxx11584xx

Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated

Also make sure From FW management Interface you can ping the log collector ip

able to ping



Thanks & Regards,
Varun Rao

Use the below command to check whether logrcvr is running or not:

show system software status | match logrcvr

 

If it is not running, it will need a restart:

 > debug software restart process log-receiver

 

show netstat 

and look for IP of Log collector.

 

Also when you run command

 

show logging-status

 

make sure hostname of log collector gets resolved.

 

My setup which is working 

 

Connection Status : ms-10.7.12.104- - Active
DNS :
msg : Successfully resolved FQDN for connid (ms-10.7.12.104-def), IP (10.7.12.104)
status : success
timestamp : 2020/01/09 13:42:57

 

Is there any firewall between the PA and the log collector?

MP


The logrcvr process seems to be running fine, although for show logging-status, DNS resolution is fine but for Registration I am seeing a failure:

 

Registration :
msg : Timeout:4310 triggered for lc_conn_id:lr-172.16.100.100-def
status : failure
timestamp : 2020/08/06 10:42:35

What is this registration for?

 



Thanks & Regards,
Varun Rao

@VarunRao 

 

Make sure your log collectors are registered and they have valid licenses.

You need to add the firewall in Panorama under Collector Groups and Device Log Forwarding.

Also make sure your log collector is in the right mode; for logging only, with no GUI access, they need to be in logging mode.

Make sure you have done this as explained in the URL below:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmVlCAK

 

Regards

MP


The issue was resolved by opening a case with TAC.

 

I was missing the check box for sending logs to Panorama/logcollector on the log forwarding profile:

Object > Log forwarding profile > select your profile > check the box option for Panorama/log collector

 

This would send the traffic from the firewall to the dedicated log collector.



Thanks & Regards,
Varun Rao
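
Added example (not part of any post in this thread, and not Palo Alto Networks code): a small Python helper that parses `show logging-status` text in the layout posted above and lists which connection stage failed and whether any logs were forwarded. The sample text is constructed from the fields shown in the thread, and the function names are hypothetical.

```python
import re
# Constructed sample in the layout of the "show logging-status" output above.
SAMPLE = """\
Connection Status : lr-172.16.100.100- - Inactive
DNS :
status : success
Registration :
msg : Timeout:4310 triggered for lc_conn_id:lr-172.16.100.100-def
status : failure
SSL :
status : success
TCP :
status : success
traffic Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
"""
STAGES = ("DNS", "Registration", "SSL", "TCP")
KV = re.compile(r"^([A-Za-z][\w -]*?)\s*:\s*(.*)$")
COUNTS = re.compile(r"^([a-z][\w-]*)\s.*\s(\d+)\s+(\d+)\s+(\d+)$")

def parse_logging_status(text):
    """Return connection state, per-stage fields and total-forwarded counts."""
    parsed, stage = {"connection": None, "stages": {}, "forwarded": {}}, None
    for line in map(str.strip, text.splitlines()):
        if m := COUNTS.match(line):          # per-type row, last column = total fwded
            parsed["forwarded"][m.group(1)] = int(m.group(4))
        elif m := KV.match(line):
            key, value = m.groups()
            if key in STAGES and not value:  # "Registration :" opens a stage block
                stage = key
                parsed["stages"][stage] = {}
            elif key in ("msg", "status", "timestamp") and stage:
                parsed["stages"][stage][key] = value
            elif key == "Connection Status":
                parsed["connection"] = value.split()[-1]
    return parsed

def findings(parsed):
    """List what keeps the firewall from forwarding, in stage order."""
    out = []
    if parsed["connection"] != "Active":
        out.append(f"connection is {parsed['connection']}")
    for name in STAGES:
        info = parsed["stages"].get(name, {})
        if info.get("status") != "success":
            out.append(f"{name}: {info.get('status')} ({info.get('msg')})")
    if parsed["forwarded"] and not any(parsed["forwarded"].values()):
        out.append("no logs forwarded for any log type")
    return out
```

On the constructed sample, `findings(parse_logging_status(SAMPLE))` reports the Inactive connection, the Registration timeout and zero forwarded logs, while DNS, SSL and TCP pass.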

@VarunRao 

Thanks for updating us regarding the solution.

It will help someone in the community in the near future.

 

Regards

MP
