Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PANOS 6 Syslog Different?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PANOS 6 Syslog Different?

Not applicable

I'm running a PA-200, recently upgraded to PANOS6.0, and noticed I'm not receiving traffic logs to my syslog server. When on 5.x of PANOS I was receiving change configuration, traffic logs, etc to my syslog/firewall analyzer application ManageEngine FirewallAnalyzer, but after upgrading to 6.0, I'm only receiving config messages (restarts, change to configuration, etc). I confirmed my syslog setting in the PAN and they're identical to what they were before the upgrade and the listening port on my syslog server was up, any ideas? I ensured log at session end was the same, the destination IP/port were correct, and the service route was that of my inside interface, is there something different in PANOS 6 that needs to be configured differently?

Thanks for any input...

15 REPLIES 15

L7 Applicator

New enhancements in 6.0 related to SYSLOG over TCP or SSL.


You can verify the same from CLI:

admin@PA-4020> show counter management-server

Log action not taken            :          1

Logs dropped because not logging:          0

User information from AD read   :          2

Certificates information read   :          0

License information fetched from update server:          0

Log action syslogs sent         :        557 >>>>>>>>>>>>>>>>>>>>>> verify if the counter is incrementing

Sighash refcount                :          1

Tunnelhash refcount             :          1

URLcat refcount                 :          1

ip2loc refcount                 :          1


Related CLI command to ensure that the PAN is generating traffic logs:

> debug log-receiver statistics

> show logging-status

Thanks

Hulk.. thanks for your input! I've performed the above commands and see NO syslogs sent. Issuing the debug command the traffic log count is incrementing, but showing the logging status, its reporting the below. I can't figure out what configuration change i need to make to send the logs correctly as it worked fine in 5.x can you assist? (for what it's worth, i have my syslog in the PAN configured for UDP)

xxxxx@pa-200> show counter management-server

Log action not taken            :          0

Logs dropped because not logging:          0

User information from AD read   :          2

Certificates information read   :          0

License information fetched from update server:          0

Log action syslogs sent         :          0

Sighash refcount                :          6

Tunnelhash refcount             :          7

URLcat refcount                 :          7

ip2loc refcount                 :          2

External Forwarding stats:

      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send

Rate(last 1min)

    syslog         267428         267428              0              0

              0

    

xxxxxx@pa-200> debug log-receiver statistics

Logging statistics

------------------------------ -----------

Log incoming rate:             0/sec

Log written rate:              0/sec

Corrupted packets:             0

Corrupted URL packets:         0

Logs discarded (queue full):   0

Traffic logs written:          267406

URL logs written:              3

Wildfire logs written:         0

Anti-virus logs written:       0

Spyware logs written:          0

Attack logs written:           0

Vulnerability logs written:    0

Fileext logs written:          27

URL cache age out count:       0

URL cache full count:          0

URL cache key exist count:     0

Traffic alarms dropped due to sysd write failures: 0

Traffic alarms dropped due to global rate limiting: 0

Traffic alarms dropped due to each source rate limiting: 0

Traffic alarms generated count:  0

Log Forward count:             0

Log Forward discarded (queue full) count: 0

Log Forward discarded (send error) count: 0

Summary Statistics:

Num current drop entries in trsum:0

Num cumulative drop entries in trsum:0

Num current drop entries in thsum:0

Num cumulative drop entries in thsum:0

External Forwarding stats:

      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send

Rate(last 1min)

    syslog         267436         267436              0              0

              0

      snmp              0              0              0              0

              0

     email              0              0              0              0

              0

       raw              0              0              0              0

              0

xxxxxx@pa-200> debug log-receiver statistics

Logging statistics

------------------------------ -----------

Log incoming rate:             1/sec

Log written rate:              1/sec

Corrupted packets:             0

Corrupted URL packets:         0

Logs discarded (queue full):   0

Traffic logs written:          267410

URL logs written:              3

Wildfire logs written:         0

Anti-virus logs written:       0

Spyware logs written:          0

Attack logs written:           0

Vulnerability logs written:    0

Fileext logs written:          27

URL cache age out count:       0

URL cache full count:          0

URL cache key exist count:     0

Traffic alarms dropped due to sysd write failures: 0

Traffic alarms dropped due to global rate limiting: 0

Traffic alarms dropped due to each source rate limiting: 0

Traffic alarms generated count:  0

Log Forward count:             0

Log Forward discarded (queue full) count: 0

Log Forward discarded (send error) count: 0

Summary Statistics:

Num current drop entries in trsum:0

Num cumulative drop entries in trsum:0

Num current drop entries in thsum:0

Num cumulative drop entries in thsum:0

show logging-status

--------------------------------------------------------------------------------

---------------------------------------------

      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded

Last Seq Num Acked         Total Logs Fwded

--------------------------------------------------------------------------------

---------------------------------------------

> CMS 0

        Not Sending to CMS 0

> CMS 1

        Not Sending to CMS 1

>Log Collector

        Not Sending to Log Collector

Might sound lame, but what about log forwarding profile?

Is it still the same?

Yeah... sure is. That's what i can't figure out, seems odd and is driving me crazy... I haven't changed anything from the previous version, but also noticed I can only ping my internal DNS and default gateway server when I SSH'd to the management console all of which are on the same class-c subnet, as are my other servers and workstations.My syslog forwarding profile is to my internal log analyzer on standard port udp 514 and my service route is configured for 'source interface any' and source address as 192.168.0.1/24

L4 Transporter

I just upgraded a PA4020 to 6.0 and I'm seeing similar behavior. The last event time we received on our SIEM platform from the 4020 was 5 minutes before the upgrade, yesterday.

Yet another PA QA fail.

Ouch...I feel like we should create a community checklist for their QA department.  Things they need to make sure are working before they release an update.

Not applicable

I've opened a case with Palo Alto and have sent tech support files, but as a only have standard support I'm sure it'll take some time to address. I'm glad (in an odd way) that i'm not the only one seeing this problem as I've reconfigured syslog settings on the PAN, syslog server, ports, and firewall configs all with the same results.

we got problems with syslog after upgrading to 6.0

We fixed that using service route for Syslog Destination Tab.Except using this we had problems.Although there was a source interface choosen for syslog, we also used Destination Tab.With that it worked.

I opened a case,I think there is a bug here.

Thanks for the input on the destination tab, I'm now receiving syslogs! Hopefully this will get addressed soon.

I've been burned by this and I already rolled back to 5.0.11 on my PA4020. I'll be waiting for a few revs of 6.0 to be out before I take another swing at that piñata.

L4 Transporter

robg303 - I just upgraded my PA4020 from 5.0.11 to 6.0.1, and I can confirm the syslog issue has been fixed. The log source now comes in to our SIEM as the hostname of the box instead of the IP address, so there was a moment of panic when we thought the issue wasn't fixed in 6.0.1, but I can confirm that the issue does indeed seem to be fixed.

We are getting lots and lots of syslog from our PA4020 (close to 1 million events in the past 30 minutes).

FYI.

PAN OS 6.0.1 - Addressed Issues

60816- Following an upgrade to PAN-OS 6.0.0, syslog connection status warnings for all defined syslog connections appeared in the system log every hour and were categorized as critical. This was caused by a scheduled hourly rotation of the syslog-ng log file, during which the syslog-ng daemon would restart. This issue has been fixed by adding a condition to the log file rotation process requiring the log file to be 10 MB or more and the connection status warning will only be seen once every few months.

60011-When a User ID Agent Setup template was pushed from Panorama to a managed device, the application content updates were not available for viewing or cloning in the syslog filters list in the web interface (Device > User Identification > User Mapping > User ID Agent Setup > Syslog Filters).


Thanks

Not applicable

I've upgraded to PANOS 6.01, set the Service Route Configuration for Syslog as Source Interface=Any, and Source Address to be my internal class-c Network. Upon removing the Destination tab information where the destination is my syslog Server IP, source Interface=Any, and Source Interface being the default Gateway IP I'm still only seeing configuration logs items, so it's basically the same issue moving to 6.0.1. If I modify the Destination tab back to what it was previously, i then begin to see Traffic logs again being sent to my firewall analyzer/syslog. If version 6.0.1 correct the issues where I don't have to many put in the destination for my syslog, is there something i'm missing here?

This is a bug that is currently being worked on. This only affects configurations where the syslog server must be reached through a dataplane interface. The workaround at this time is as you noted, creating a specific destination service route to your syslog server.

  • 6555 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!