Log forwarding issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Log forwarding issue

L1 Bithead

Hi team,

 

i have deployed palo alto firewall on AWS environment and ran into some issues when trying to send the logs over to a syslog server.

when i use a syslog server that is not in the same subnet as the management interface and tried to manually set the right 1.interface in the service route configuration it didnt let me choose any of mu interfaces.

 2. after i changed the syslog server to be in the same subnet as the management interface and in the service route configuration changed it back to use management interface the logs did not arrive to the syslog server..

 

debug log-reciever statistics output: 

Logging statistics

------------------------------ -----------

Log incoming rate:             0/sec

Log written rate:              0/sec

Corrupted packets:             0

Corrupted URL packets:         0

Corrupted HTTP HDR packets:    0

Corrupted HTTP HDR Insert packets: 0

Corrupted EMAIL HDR packets:   0

Logs discarded (queue full):   0

Traffic logs written:          1016

GTP logs written:              0

Tunnel logs written:           0

Auth logs written:             0

Userid logs written:           0

SCTP logs written:             0

URL logs written:              0

Wildfire logs written:         0

Anti-virus logs written:       0

Widfire Anti-virus logs written: 0

Spyware logs written:          0

Spyware-DNS logs written:      0

Attack logs written:           0

Vulnerability logs written:    0

Fileext logs written:          0

Fileext logs URL not written:  0

Fileext logs URL not written (timedout): 0

URL cache age out count:       0

URL cache full count:          0

URL cache key exist count:     0

URL cache wrt incomplete http hdrs count: 0

URL cache rcv http hdr before url count: 0

URL cache full drop count(url log not received): 0

URL cache age out drop count(url log not received): 0

Email hdr cache count:         0

Email hdr cache hit count:     0

HTTP hdr insertion received:   0

HTTP hdr insertion processed:  0

HTTP hdr insert no URL drop count: 0

HTTP hdr insert with invalid URL log: 0

HTTP hdr insert with values exceeded max allowed length: 0

Traffic alarms dropped due to sysd write failures: 0

Traffic alarms dropped due to global rate limiting: 0

Traffic alarms dropped due to each source rate limiting: 0

Traffic alarms generated count:  0

Netflow incoming count:        0

Log Forward count:             1

Log Forward discarded (queue full) count: 0

Log Forward discarded (send error) count: 0

Total logs not written due to disk unavailability: 0

Logs not written since disk became unavailable: 0

DPI logs received:             0

HIP Report logs received:      0

 

Summary Statistics:

Num current entries in trsum:0

Num cumulative entries in trsum:12

Num current entries in thsum:0

Num cumulative entries in thsum:0

Num current entries in urlsum:0

Num cumulative entries in urlsum:0

Num current entries in gtpsum:0

Num cumulative entries in gtpsum:0

Num current entries in sctpsum:0

Num cumulative entries in sctpsum:0

Num current drop entries in trsum:0

Num cumulative drop entries in trsum:0

Num current drop entries in thsum:0

Num cumulative drop entries in thsum:0

Num current drop entries in urlsum:0

Num cumulative drop entries in urlsum:0

Num current drop entries in gtpsum:0

Num cumulative drop entries in gtpsum:0

Num current drop entries in sctpsum:0

Num cumulative drop entries in sctpsum:0

 

External Forwarding stats:

      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)

    syslog              7              7              0              0                        0

      snmp              0              0              0              0                        0

     email              0              0              0              0                        0

       raw              0              0              0              0                        0

      http              0              0              0              0                        0

   autotag              0              0              0              0                        0

      amqp              0              0              0              0                        0

 

 

show logging-status output:

-----------------------------------------------------------------------------------------------------------------------------

      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded

-----------------------------------------------------------------------------------------------------------------------------

> CMS 0

        Not Sending to CMS 0

> CMS 1

        Not Sending to CMS 1

 

>Log Collector

        Not Sending to Log Collector

 

 

Best Regards,

Alex





1 accepted solution

Accepted Solutions

Hello,

Are they not in the monitor tab->traffic? Is there traffic hitting the policies? Sounds like a setting got missed. I would follow the steps again just to double check and make sure. If everything looks correct, then I would create the TAC case.

Regards,

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello,

Check and see if the logs are getting sent out of the management interface:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

 

Also make sure in the AWS security policies you are allowing the traffic.

 

Regards,

Hi @OtakarKlier ,

 

i fixed the issue with changing the format of the logs apparently when shipping logs over tcp you have to use IETF format and not BSD.

but now i ran into new issues first of all the only logs that i receive is that the syslog connection was established and second of all i do not get any authentication logs regarding the web ui or CLI.

Alex.

Hello,

Those are enabled in the Device->Log Settings area. If everything is setup correctly and you're still not getting logs, I would open a TAC case.

 

Regards,

hi i can see the access logs now but still can not see the traffic ones ?

any ideas or should i open a TAC case?

Hello,

Are they not in the monitor tab->traffic? Is there traffic hitting the policies? Sounds like a setting got missed. I would follow the steps again just to double check and make sure. If everything looks correct, then I would create the TAC case.

Regards,

@OtakarKlier ,

 

there is no traffic in the monitor tab under traffic and the weird issue is that i had traffic there before i configured the syslog server.

in any case i did open a case to the support hopefully they could resolve my issue.

 

Alex.

  • 1 accepted solution
  • 7811 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!