MGMNT Slow and Searching Logs Slow and Syslog Server Issue

L3 Networker


Device Model: PA-5220, HA Mode: Active-standby

PAN-OS 10.0.0

The questions below are posted here as I couldn't find anything on the Palo Alto website.

Recently we have upgraded Palo Alto to v10.0.0.


1. The web management interface became very slow, and searching logs takes a very long time to load.

Kindly advise if there's any solution for that. Can we disable the services of some newly added, unused features, like SD-WAN or IoT? Or is there any workaround to make it faster?

2. Integration with the ArcSight syslog server is not working well, as logs are not parsed correctly.

It seems the raw data format sent from Palo Alto changed in this version. Kindly advise how to fix this.

Can we change the format to be similar to 9.0.x or 9.1.x format?

Cyber Elite

@Mohammed_Yasin,

Is this on production equipment? I really wouldn't be running PAN-OS 10.0 in a production environment. How long ago did you upgrade to 10.0? The background processes can take a bit to settle down before things get stable again.

As for the second question, additional information was put into the syslog messages that could be interfering with how you are extracting the data. You'll really need to look at how you have built the extractors and the fields you are using to fix that one.

L3 Networker

Thank you for the comment.

Yes, it's production; the firewall was upgraded 5 days ago.

It's only very slow for WildFire logs appearing in the Monitor section; the rest of the logs are performing at their usual average.

I have checked the following links for CEF for ArcSight, but they don't help me with PAN-OS 10.

https://docs.paloaltonetworks.com/resources/cef.html

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...

https://community.microfocus.com/t5/ArcSight-User-Discussions/Palo-Alto-Global-Protect-logs-CEF-form...

https://community.microfocus.com/t5/ArcSight-User-Discussions/bd-p/arcsight-discussions

Cyber Elite

@Mohammed_Yasin,

I would open a TAC ticket and see if they can see what's going on. PAN-OS 10.0 is a brand-new release, so you'll likely run into things like this until it has more time to bake in the wild and bugs get worked through. I absolutely wouldn't be running 10.0 in a production environment unless you need a feature that has been added into PAN-OS 10.0. 

As for the guides you referenced, from a quick glance none of them have been updated for 10.0 yet. Since you have additional fields, you may very well have to manually build extractors that function correctly with the new fields for PAN-OS 10.0. This is one of the downsides of upgrading to a new release early.
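The failure mode discussed in this thread (a release adds fields to a delimited syslog line and a positional extractor stops matching, so the SIEM quietly drops the events) is easy to reproduce in miniature. The following Python is an added example written for this page, not code from the thread or from Palo Alto Networks or Micro Focus; the field names and both sample log lines are constructed and do not reflect the real PAN-OS or CEF layout. It contrasts a strict positional extractor with one that maps the fields it knows, keeps unmapped trailing fields, and flags schema drift so the change is surfaced instead of silently losing logs.

```python
import csv
from io import StringIO

# Hypothetical field list for a comma-separated firewall log.
# Constructed for this example; NOT the real PAN-OS field order.
EXPECTED_FIELDS = ["receive_time", "serial", "type", "subtype",
                   "src", "dst", "action"]

# Constructed sample lines: the "old" layout matches EXPECTED_FIELDS exactly,
# the "new" layout appends two fields, as a newer release might.
OLD_LINE = ('2020/11/01 10:00:00,0123456789,TRAFFIC,end,'
            '10.1.1.5,8.8.8.8,allow')
NEW_LINE = ('2020/11/01 10:00:00,0123456789,TRAFFIC,end,'
            '10.1.1.5,8.8.8.8,allow,"extra, quoted",extra-b')


def split_fields(line):
    """Split one delimited log line, honouring quoted fields."""
    return next(csv.reader(StringIO(line)))


def strict_extract(line):
    """Positional extractor that insists on an exact field count.

    Returns None for any line whose field count differs, which is how
    events vanish from a SIEM after an upstream format change.
    """
    fields = split_fields(line)
    if len(fields) != len(EXPECTED_FIELDS):
        return None
    return dict(zip(EXPECTED_FIELDS, fields))


def tolerant_extract(line):
    """Map the known leading fields, keep the rest, and mark drift.

    Raises on lines that are shorter than the known schema (those are
    genuinely unparseable); extra trailing fields are retained under
    '_unmapped' and the record is flagged with '_schema_drift'.
    """
    fields = split_fields(line)
    if len(fields) < len(EXPECTED_FIELDS):
        raise ValueError(
            f"expected at least {len(EXPECTED_FIELDS)} fields, "
            f"got {len(fields)}")
    record = dict(zip(EXPECTED_FIELDS, fields))
    extras = fields[len(EXPECTED_FIELDS):]
    record["_schema_drift"] = bool(extras)
    if extras:
        record["_unmapped"] = extras
    return record


def drift_report(lines):
    """Post-upgrade check: how many lines each extractor handled.

    A non-zero 'drifted' count is the signal to rebuild the extractor
    before relying on the SIEM for detection again.
    """
    report = {"total": 0, "strict_ok": 0, "tolerant_ok": 0, "drifted": 0}
    for line in lines:
        report["total"] += 1
        if strict_extract(line) is not None:
            report["strict_ok"] += 1
        try:
            rec = tolerant_extract(line)
        except ValueError:
            continue
        report["tolerant_ok"] += 1
        if rec["_schema_drift"]:
            report["drifted"] += 1
    return report


if __name__ == "__main__":
    for line in (OLD_LINE, NEW_LINE):
        print("strict:  ", strict_extract(line))
        print("tolerant:", tolerant_extract(line))
    print(drift_report([OLD_LINE, NEW_LINE]))
```

Running the script shows the strict extractor returning `None` for the new-format line while the tolerant one still yields the known fields plus the two unmapped extras, and the report counts one drifted line out of two. The same idea applies to a real SIEM: pin the extractor to the fields you know, never to the total count, and alert on unmapped fields after every firewall upgrade.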
