Panorama Confusion

Thanks for your replys

@S.Cantwell  yes, good point but i do have a log forward profile configured. not sure if it's working but it's there...

@MP18  as below.  I think my issue is with Panorama. do you run a similar setup.  if so.. do you have a local log collector configured on Panorama VM.   the instructions say that after I have added another 2TB and restart panorama it will auto add a local log collector but this is not happening.

I will post this instruction when i find it again.

this is what should happen..

Return to the Panorama CLI and run the following command.

> request system system-mode panorama

also...

this is the output from Panorama disk details.

i would have thought that the 2TB logging disk should be seperate.

admin@Panorama> show system disk details

 Name   : sdb

State  : Present

Size   : 2097152 MB

Status : Available

Reason : Admin enabled

admin@Panorama>

cancel previous on what should happen, i am now doing a new install via this documentation.

https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-vi...

but could someone confirm if i still need to use a local log collector.

ok getting better...  so will need to re visit this on Monday.   thanks all for your help.

Yes you will need local log collector --default ----if you do not have any external log collector like M500

@RobertShawver 

I haven't seen MickBall in a while.

What is going on?  How can we assist?

Are you setting up virtual log collectors within Panorama?

Did you already confirm you have a 2nd HDD with 2TB?

If so.. great.

Next steps

Panorama ==> Virtual Log Collector

Add in the same serial number of your Panorama (or serial number of your physical log collectors)

COMMIT!

Go to Log Collector Group, and ADD in the new virtual/physical log collector.

Confirm you see Drive A the list.

COMMIT!

Go back into your Log Collector Group

Add your devices to log fwd to the new log collector

COMMIT

Then goto COMMIT Push to Devices....  (Edit Devices) and choose Log Collectors, and the COMMIT again!

@S.Cantwell Hey - Thanks for the reply.

So basically I am trying to archive figure one of this document by the end of my project: https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/centralized-logging-...

We have two panos in an active/passive set up. PanoA and PanoB. My company wants to bring in two more Pano's strictly as log servers. So PanoA and PanoALog, PanoB and PanoBLog.  PanoA and PanoB would become strictly management.

I have done everything that you described already and now have two Collector Groups - Default and Remote.

Default has PanoA and PanoB.  Remote has PanoALog and PanoBLog.

All sounds good so far, but here is where I'm starting to either question myself or I'm having an issue.

I am slowly removing the Managed Devices from Default to Remote, however within my Syslog server it still looks like those devices are getting to the Syslog server via the original PanoA and PanoB.  In other words, none of the new loggers, PanoALog and PanoBLog appear to be talking to the syslog server.

I've added them to all the Security Rules that PanoA and PanoB were in.  Additionally, the Log Redistribution State has been at 0% for five days now on the Remote Collector Group - Default says none.

Eventually I'd like to be able to use the monitor tab of PanoA and PanoB, but have all logging done on PanoALog and PanoBLog and have them forwarding to my syslog server.

And I guess I don't really understand the difference between Device Log Forwarding and Collector Log Forwarding.

Thanks in advance for any help.

Hi Robert

This pic here (snipped) is doing DEVICE log forwarding. From my perspective, it is inefficient, because all logs should first go to Panorama (Log Collectors) and then the Log Collector can forward to external services.

This picture below (as you mentioned) is what you wanted to achieve.. (fwd logs TO the Panorama, and let the PANORAMA forward t external services.

Without looking at your setup... I am curious if you have removed, from the Default log collector group, all configurations regarding the log forwarding of notifications.    Also, you need to make sure  (via Device Group) or via locally configured, that your FWs do not have a Syslog profile configured to push to the Syslog servers.  This is what I think is happening.

See, a lot of ppl duplicate their logs... Copy 1 goes to Panorama, and Copy 2 goes to Syslog (from the FW's perspective...) this is that inefficency I mentioned.   So, go to your devices and see if there is a locally configured log forwarding profile and confirm if there is a syslog configured within the profile.  If so.. then this is just a small part of your issue.  Fixing it so that logs DO go to your Remote log collector is what I think your issue is.  Now the challenge.

The logs that are forwarded from device to Default, have acknowledgement packets sent between them.  So, for example... if a FW sent 100 logs to the Default Log Collector group, then the Default would show (and ack) that 1000 were received.  It is just a theory, but what could happen, is that the device and the Remote are out of sync.  You just set up Remote... but from the FWs perspective.. it may be going "hey, I already sent 100 logs in, and the kid on the block (Remote) did not or has not ack'd them...)

Again, just a theory, but there are KB articles about Panorama not getting logs from FWs. 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmVlCAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXACA0

Above are but a few I could find quickly.

This may not be a bad suggestion to open a TAC case via the web.

Good luck!

@S.Cantwell 

Thanks for the quick reply.  I think you might be on to something.

On the Panorama Management I have the two CG, Default and Remote.  Both have Device Log Forwarding and Collector Log Forwarding set up.  Are you saying that I should only have the Collector Log Forwarding set up?

Both the Default and Remote CG have (on the Collector Log Forwarding tab) the same syslog info on each of the tabs (system, configuration, HIP Match and so on).

So will I have just one Collector Group at the end of all this or two?

I'm not exactly sure what you mean by "I am curious if you have removed, from the Default log collector group, all configurations regarding the log forwarding of notifications".

On the Panorama Mgt under Objects > Log Forwarding I do have an entry for Log_Forward which has the check box for Panorama/Logging Service checked.

On the local FW's under Device > Server Profiles > Syslog there is no entry.  Under Device > Log Settings there is a template setting for each of the System, Configuration, User-ID and so on set up and they to have the forward method as Panorama checked.

I did talk to Palo support, but he wasn't much help to be honest.