PANOS 6 Syslog Different?

Showing results for 
Search instead for 
Did you mean: 

PANOS 6 Syslog Different?

Not applicable

I'm running a PA-200, recently upgraded to PANOS6.0, and noticed I'm not receiving traffic logs to my syslog server. When on 5.x of PANOS I was receiving change configuration, traffic logs, etc to my syslog/firewall analyzer application ManageEngine FirewallAnalyzer, but after upgrading to 6.0, I'm only receiving config messages (restarts, change to configuration, etc). I confirmed my syslog setting in the PAN and they're identical to what they were before the upgrade and the listening port on my syslog server was up, any ideas? I ensured log at session end was the same, the destination IP/port were correct, and the service route was that of my inside interface, is there something different in PANOS 6 that needs to be configured differently?

Thanks for any input...


I've been burned by this and I already rolled back to 5.0.11 on my PA4020. I'll be waiting for a few revs of 6.0 to be out before I take another swing at that piñata.

L4 Transporter

robg303 - I just upgraded my PA4020 from 5.0.11 to 6.0.1, and I can confirm the syslog issue has been fixed. The log source now comes in to our SIEM as the hostname of the box instead of the IP address, so there was a moment of panic when we thought the issue wasn't fixed in 6.0.1, but I can confirm that the issue does indeed seem to be fixed.

We are getting lots and lots of syslog from our PA4020 (close to 1 million events in the past 30 minutes).


PAN OS 6.0.1 - Addressed Issues

60816- Following an upgrade to PAN-OS 6.0.0, syslog connection status warnings for all defined syslog connections appeared in the system log every hour and were categorized as critical. This was caused by a scheduled hourly rotation of the syslog-ng log file, during which the syslog-ng daemon would restart. This issue has been fixed by adding a condition to the log file rotation process requiring the log file to be 10 MB or more and the connection status warning will only be seen once every few months.

60011-When a User ID Agent Setup template was pushed from Panorama to a managed device, the application content updates were not available for viewing or cloning in the syslog filters list in the web interface (Device > User Identification > User Mapping > User ID Agent Setup > Syslog Filters).


Not applicable

I've upgraded to PANOS 6.01, set the Service Route Configuration for Syslog as Source Interface=Any, and Source Address to be my internal class-c Network. Upon removing the Destination tab information where the destination is my syslog Server IP, source Interface=Any, and Source Interface being the default Gateway IP I'm still only seeing configuration logs items, so it's basically the same issue moving to 6.0.1. If I modify the Destination tab back to what it was previously, i then begin to see Traffic logs again being sent to my firewall analyzer/syslog. If version 6.0.1 correct the issues where I don't have to many put in the destination for my syslog, is there something i'm missing here?

This is a bug that is currently being worked on. This only affects configurations where the syslog server must be reached through a dataplane interface. The workaround at this time is as you noted, creating a specific destination service route to your syslog server.

Thanks for the confirmation, I was wondering what I was missing after upgrading to 6.01 thinking that was the fix Smiley Happy

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!