I'm running a PA-200, recently upgraded to PAN-OS 6.0, and noticed I'm not receiving traffic logs on my syslog server. On PAN-OS 5.x I was receiving configuration changes, traffic logs, etc. in my syslog/firewall analyzer application (ManageEngine Firewall Analyzer), but after upgrading to 6.0 I'm only receiving config messages (restarts, configuration changes, etc.). I confirmed my syslog settings in the PAN are identical to what they were before the upgrade, and the listening port on my syslog server was up. Any ideas? I ensured "log at session end" was the same, the destination IP/port were correct, and the service route was that of my inside interface. Is there something in PAN-OS 6 that needs to be configured differently?
Thanks for any input...
robg303 - I just upgraded my PA4020 from 5.0.11 to 6.0.1, and I can confirm the syslog issue has been fixed. The log source now comes into our SIEM as the hostname of the box instead of the IP address, so there was a moment of panic when we thought the issue wasn't fixed in 6.0.1, but I can confirm that the issue does indeed seem to be fixed.
We are getting lots and lots of syslog from our PA4020 (close to 1 million events in the past 30 minutes).
PAN OS 6.0.1 - Addressed Issues
60816 - Following an upgrade to PAN-OS 6.0.0, syslog connection status warnings for all defined syslog connections appeared in the system log every hour and were categorized as critical. This was caused by a scheduled hourly rotation of the syslog-ng log file, during which the syslog-ng daemon would restart. This issue has been fixed by adding a condition to the log file rotation process requiring the log file to be 10 MB or more, so the connection status warning will only be seen once every few months.
60011 - When a User ID Agent Setup template was pushed from Panorama to a managed device, the application content updates were not available for viewing or cloning in the syslog filters list in the web interface (Device > User Identification > User Mapping > User ID Agent Setup > Syslog Filters).
I've upgraded to PAN-OS 6.0.1 and set the Service Route Configuration for Syslog as Source Interface = Any, with the Source Address being my internal class C network. Upon removing the Destination tab information (where the destination is my syslog server IP, Source Interface = Any, and the source address is the default gateway IP), I'm still only seeing configuration log items, so it's basically the same issue after moving to 6.0.1. If I change the Destination tab back to what it was previously, I then begin to see traffic logs being sent to my firewall analyzer/syslog again. If version 6.0.1 corrects the issue so that I don't have to manually put in the destination for my syslog, is there something I'm missing here?
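The symptom in this thread (config and system events arrive, traffic logs do not) is easy to miss when a collector is simply "receiving something". Below is an added example, not code from the thread or from Palo Alto Networks, that parses PAN-OS style syslog lines, tallies log types per sending device, and flags any device that has sent no TRAFFIC records. It reads the log type from the fourth CSV field, as in the PAN-OS 6.x format; the hostnames, serial numbers and timestamps in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: BSD syslog header followed by the PAN-OS CSV body
# (FUTURE_USE, receive time, serial, type, ...). Values are made up.
SAMPLE_LINES = [
    "<14>Mar 20 10:00:01 PA-200 1,2014/03/20 10:00:01,001606000001,CONFIG,0,"
    "2014/03/20 10:00:01,10.0.0.5,,set,admin,Web,Succeeded, deviceconfig system",
    "<14>Mar 20 10:05:00 PA-200 1,2014/03/20 10:05:00,001606000001,SYSTEM,general,0,"
    "2014/03/20 10:05:00,,general,,0,0,general,informational,Commit job succeeded",
    "<14>Mar 20 10:05:02 PA-4020 1,2014/03/20 10:05:02,001606000002,TRAFFIC,end,0,"
    "2014/03/20 10:05:02,192.0.2.10,198.51.100.20,0.0.0.0,0.0.0.0,allow-out,,,ssl",
    "<14>Mar 20 10:05:03 PA-4020 1,2014/03/20 10:05:03,001606000002,CONFIG,0,"
    "2014/03/20 10:05:03,10.0.0.9,,commit,admin,Web,Succeeded",
]

# <PRI>Mmm dd hh:mm:ss HOST <message>. The host is whatever the firewall
# puts in the header (an IP on some versions, the hostname on others, as
# noted in the thread), so tallies are keyed on that value as received.
HEADER_RE = re.compile(r"^<\d+>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Return (sending host, PAN-OS log type) or None if the line does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    host, body = m.groups()
    fields = body.split(",")
    if len(fields) < 4:
        return None
    return host, fields[3].strip()


def summarise(lines):
    """Count log records per host and per type (TRAFFIC, CONFIG, SYSTEM, ...)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            host, log_type = parsed
            counts[host][log_type] += 1
    return counts


def hosts_missing_traffic(lines):
    """Hosts that sent something in the window but no TRAFFIC records at all."""
    counts = summarise(lines)
    return sorted(h for h, c in counts.items() if c.get("TRAFFIC", 0) == 0)


if __name__ == "__main__":
    for host, by_type in summarise(SAMPLE_LINES).items():
        print(host, dict(by_type))
    print("no traffic logs from:", hosts_missing_traffic(SAMPLE_LINES))
```

Run against a real collector's recent lines, a non-empty result from `hosts_missing_traffic` is the condition worth alerting on, since the device is still reachable and logging but forwarding is partially broken.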