Loss of connectivity when transferring log to syslog server

L2 Linker

Hello Everybody!

Our PAN firewalls send their log to a central syslog server; in case there is a gap in the connectivity (e.g. satellite link down) what happens to the corresponding log entries?

Shall the remote firewall store them till the connection is available again and then send them to the central server?

Thanks and Regards

L1 Bithead

Re: Loss of connectivity when transferring log to syslog server

At this time PANOS only appears to support Syslog over UDP, so your messages are lost if there is not a path to your syslog server.

L2 Linker

Re: Loss of connectivity when transferring log to syslog server

Thanks, Shaun, indeed that was our guess...

L5 Sessionator

Re: Loss of connectivity when transferring log to syslog server

The device (firewall related) logs will still be stored under the system logs locally on the firewall. But if you are sending all the traffic, threat, URL and the data filtering logs to a syslog server and in case there is a connectivity issue to the syslog server, you can still leverage the "scheduled log export" feature, as mentioned under the following document: https://live.paloaltonetworks.com/docs/DOC-3824#comment-3469, by exporting the logs onto an FTP server.

The other method would be to back up the logs to Panorama, if the PANFW is being managed by it.

BR,

Karthik RP

L6 Presenter

Re: Loss of connectivity when transferring log to syslog server

As I understand it, Panorama is supposed to use a "delivery guaranteed" method of transferring logs between the firewall and the Panorama (and if it fails it should be logged which block of logs is missing).

That is, in order to get the logs reliably from your firewall to your syslog-server something like this should work:

PA-firewall -> unreliable link (satellite link or whatever) -> Panorama -> reliable link (like in the same or nearby rack) -> Syslog-server

L4 Transporter

Re: Loss of connectivity when transferring log to syslog server

@mikand Correct, Panorama uses an internal acknowledgment mechanism over a TCP/SSL channel for log forwarding.

Panorama does not currently support forwarding any logs which it did not internally generate. Thus, logs from devices cannot be sent from Panorama to a syslog server.
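Added example, not part of the thread and not PAN-OS or Panorama code: a Python sketch of the two behaviours discussed above, a UDP send that reports success with no receiver, and a TCP sender that notices the failure and holds lines until the collector is reachable again. The names `udp_send`, `SpoolingTcpSender` and `unused_port` and the sample log line are constructed for illustration.

```python
import socket
from collections import deque

def unused_port() -> int:
    """Pick a localhost port that currently has no listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def udp_send(line: str, addr) -> bool:
    """Fire-and-forget UDP send: the caller gets no delivery signal at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), addr)
    return True  # reached even when nothing is listening at addr

class SpoolingTcpSender:
    """Hypothetical TCP sender: keeps undelivered lines in order, retries later."""

    def __init__(self, addr, max_spool=1000):
        self.addr = addr
        # Bounded spool: when full, the oldest line is dropped first.
        self.spool = deque(maxlen=max_spool)

    def send(self, line: str) -> int:
        """Queue a line, attempt delivery, return how many lines are still held."""
        self.spool.append(line)
        return self.flush()

    def flush(self) -> int:
        try:
            with socket.create_connection(self.addr, timeout=2) as s:
                while self.spool:
                    # Newline-framed, one message per line.
                    s.sendall(self.spool[0].encode() + b"\n")
                    self.spool.popleft()  # drop only after the send succeeded
        except OSError:
            pass  # collector unreachable: keep the remainder for the next try
        return len(self.spool)

if __name__ == "__main__":
    collector = ("127.0.0.1", unused_port())  # stands in for an unreachable collector
    msg = "<14>fw1 constructed sample log line"
    print("UDP send reported ok:", udp_send(msg, collector))
    sender = SpoolingTcpSender(collector)
    print("TCP lines held for retry:", sender.send(msg))
```

A successful TCP write only means the local stack accepted the data; an application-level acknowledgment, as described for Panorama above, is what closes that remaining gap.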

L6 Presenter

Re: Loss of connectivity when transferring log to syslog server

Any ETA on when logs that have been forwarded to Panorama can then from Panorama be forwarded further to a syslog-server or such?

L4 Transporter

Re: Loss of connectivity when transferring log to syslog server

Please speak with your SE about setting up a call PM.
