Log Forwarding to Panorama Not Working

cancel
Showing results for 
Search instead for 
Did you mean: 

Log Forwarding to Panorama Not Working

L1 Bithead

So apparently I must be missing something.  I configured Log Forwarding to send it to my Panorama instance, so that when I click on Monitor I can click and view the logs but apparently none of my logs are showing up in Panorama.  They show up find on the firewalls but not in Panorama.  

 

I have made sure that all my Log Forwarding profiles have it checked to send to Panorama.  The device setup shows it's connected to the correct IP address for the Panorama.  I thought that was the two main steps you had to be (besides commiting) but I went ahead and even tried to add it to the Zones for the log setting.  I also made sure it was set up in the Policies > Security as well for the events that are getting tripped.  I am still not seeing any logs in Panorama.

 

Is there something else I should try or am I missing something?

10 REPLIES 10

L4 Transporter

For policies, make sure they have a Log Forwarding profile that specifies that sort of traffic be forwarded to panorama

System, Config, HIP, and Correlation logs should be set to forward to panorama under Device -> Log Settings

 

I have seen instances where the logs do not display in Panorama even though they are forwarded, in this case restarting the configd and management-server processes on panorama fixed it.

Thanks for the reply! I think I am seeing everything under ACC but not under the Monitor tab.  I made those changes you suggested.  I guess I will wait or restart the services.  Those have to be done through CLI, correct?

Yes, the service restarts would be done via CLI, but if you did not have the forwarding profiles with "Panorama" checked for traffic that would explain why they were not being forwarded.

 

I assume this was already the case, but policies must be set to log on session start or end in addition to having a forwarding profile.  Without that they will, of course, log neither locally or to panorama.

 

Before restarting the services, there are additional troubleshooting steps you can take, again from the CLI

 

On the firewall you can verify log forwarding is configured and active:

>show log-collector preference-list

 

You should see your panorama appliance serial and IP in the configured list

 

and

> show logging-status

 

The output should show a message stating that the log forwarding agent is active

 

 

In panorama, you can verify it is recieving the logs

> show logging-status device <firewall serial number>

 

If it does not indicate current logs, you can have panorama instruct the firewall to restart log forwarding from teh lack acknowledged message:

> request log-fwd-ctrl device <firewall serial number> action start-from-lastack

 

 

That generally "fixes" issues where logs are not beign sent at all.

 

Here are a few articles on the subject in the KB

https://live.paloaltonetworks.com/t5/Configuration-Articles/Palo-Alto-Networks-Firewall-not-Forwardi...

If you mentioned version numbers I missed it.. this is 8.0 but the process is the same in 7.1

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-log-collection...

So I definitely don't think somethings right.  I get the following when I run the command.

 

Log collector Preference List does not exist

I have log collectors, so do not know if that is expected when forwarding directly to Panorama.  I can check that out in my lab tonight.

 

Did you check the logging-status on teh device and in panorama?  if not, check them anyway, they may give more information.

So all the Log Forwarding was set to send it to a Splunk instance, which they say is working, but the log forwarding doesn't seem to send to Panorama.  I verfied all the checkboxes were set properly but I am at a loss.  

Alright so this is from one of my firewalls that I have verified that everything is checked.  I even checked a working instance as well and they all seem to match up well.

 

The one is the firewall and the other the panorama.

 

pa2.PNG

 

pa1.PNG

Any suggestions? :D

L1 Bithead

I am facing the same issue. No output when running "show logging-status" and show log-collector preference list". log forwarding is configured to forward logs to Panorama. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!