03-04-2014 02:26 PM
I'm running a PA-200, recently upgraded to PANOS6.0, and noticed I'm not receiving traffic logs to my syslog server. When on 5.x of PANOS I was receiving change configuration, traffic logs, etc to my syslog/firewall analyzer application ManageEngine FirewallAnalyzer, but after upgrading to 6.0, I'm only receiving config messages (restarts, change to configuration, etc). I confirmed my syslog setting in the PAN and they're identical to what they were before the upgrade and the listening port on my syslog server was up, any ideas? I ensured log at session end was the same, the destination IP/port were correct, and the service route was that of my inside interface, is there something different in PANOS 6 that needs to be configured differently?
Thanks for any input...
03-04-2014 03:02 PM
New enhancements in 6.0 related to SYSLOG over TCP or SSL.
You can verify the same from CLI:
admin@PA-4020> show counter management-server
Log action not taken : 1
Logs dropped because not logging: 0
User information from AD read : 2
Certificates information read : 0
License information fetched from update server: 0
Log action syslogs sent : 557 >>>>>>>>>>>>>>>>>>>>>> verify if the counter is incrementing
Sighash refcount : 1
Tunnelhash refcount : 1
URLcat refcount : 1
ip2loc refcount : 1
Related CLI command to ensure that the PAN is generating traffic logs:
> debug log-receiver statistics
> show logging-status
Thanks
03-05-2014 05:39 AM
Hulk.. thanks for your input! I've performed the above commands and see NO syslogs sent. Issuing the debug command the traffic log count is incrementing, but showing the logging status, its reporting the below. I can't figure out what configuration change i need to make to send the logs correctly as it worked fine in 5.x can you assist? (for what it's worth, i have my syslog in the PAN configured for UDP)
xxxxx@pa-200> show counter management-server
Log action not taken : 0
Logs dropped because not logging: 0
User information from AD read : 2
Certificates information read : 0
License information fetched from update server: 0
Log action syslogs sent : 0
Sighash refcount : 6
Tunnelhash refcount : 7
URLcat refcount : 7
ip2loc refcount : 2
External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send
Rate(last 1min)
syslog 267428 267428 0 0
0
xxxxxx@pa-200> debug log-receiver statistics
Logging statistics
------------------------------ -----------
Log incoming rate: 0/sec
Log written rate: 0/sec
Corrupted packets: 0
Corrupted URL packets: 0
Logs discarded (queue full): 0
Traffic logs written: 267406
URL logs written: 3
Wildfire logs written: 0
Anti-virus logs written: 0
Spyware logs written: 0
Attack logs written: 0
Vulnerability logs written: 0
Fileext logs written: 27
URL cache age out count: 0
URL cache full count: 0
URL cache key exist count: 0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Log Forward count: 0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send
Rate(last 1min)
syslog 267436 267436 0 0
0
snmp 0 0 0 0
0
email 0 0 0 0
0
raw 0 0 0 0
0
xxxxxx@pa-200> debug log-receiver statistics
Logging statistics
------------------------------ -----------
Log incoming rate: 1/sec
Log written rate: 1/sec
Corrupted packets: 0
Corrupted URL packets: 0
Logs discarded (queue full): 0
Traffic logs written: 267410
URL logs written: 3
Wildfire logs written: 0
Anti-virus logs written: 0
Spyware logs written: 0
Attack logs written: 0
Vulnerability logs written: 0
Fileext logs written: 27
URL cache age out count: 0
URL cache full count: 0
URL cache key exist count: 0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Log Forward count: 0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
show logging-status
--------------------------------------------------------------------------------
---------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded
Last Seq Num Acked Total Logs Fwded
--------------------------------------------------------------------------------
---------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
>Log Collector
Not Sending to Log Collector
03-05-2014 02:03 PM
Might sound lame, but what about log forwarding profile?
Is it still the same?
03-07-2014 04:38 AM
Yeah... sure is. That's what i can't figure out, seems odd and is driving me crazy... I haven't changed anything from the previous version, but also noticed I can only ping my internal DNS and default gateway server when I SSH'd to the management console all of which are on the same class-c subnet, as are my other servers and workstations.My syslog forwarding profile is to my internal log analyzer on standard port udp 514 and my service route is configured for 'source interface any' and source address as 192.168.0.1/24
03-07-2014 07:35 AM
I just upgraded a PA4020 to 6.0 and I'm seeing similar behavior. The last event time we received on our SIEM platform from the 4020 was 5 minutes before the upgrade, yesterday.
Yet another PA QA fail.
03-07-2014 08:22 AM
Ouch...I feel like we should create a community checklist for their QA department. Things they need to make sure are working before they release an update.
03-07-2014 12:10 PM
I've opened a case with Palo Alto and have sent tech support files, but as a only have standard support I'm sure it'll take some time to address. I'm glad (in an odd way) that i'm not the only one seeing this problem as I've reconfigured syslog settings on the PAN, syslog server, ports, and firewall configs all with the same results.
03-07-2014 11:12 PM
we got problems with syslog after upgrading to 6.0
We fixed that using service route for Syslog Destination Tab.Except using this we had problems.Although there was a source interface choosen for syslog, we also used Destination Tab.With that it worked.
I opened a case,I think there is a bug here.
03-08-2014 08:59 AM
Thanks for the input on the destination tab, I'm now receiving syslogs! Hopefully this will get addressed soon.
03-10-2014 06:31 AM
I've been burned by this and I already rolled back to 5.0.11 on my PA4020. I'll be waiting for a few revs of 6.0 to be out before I take another swing at that piñata.
03-11-2014 06:42 AM
robg303 - I just upgraded my PA4020 from 5.0.11 to 6.0.1, and I can confirm the syslog issue has been fixed. The log source now comes in to our SIEM as the hostname of the box instead of the IP address, so there was a moment of panic when we thought the issue wasn't fixed in 6.0.1, but I can confirm that the issue does indeed seem to be fixed.
We are getting lots and lots of syslog from our PA4020 (close to 1 million events in the past 30 minutes).
03-11-2014 08:43 AM
FYI.
PAN OS 6.0.1 - Addressed Issues
60816- Following an upgrade to PAN-OS 6.0.0, syslog connection status warnings for all defined syslog connections appeared in the system log every hour and were categorized as critical. This was caused by a scheduled hourly rotation of the syslog-ng log file, during which the syslog-ng daemon would restart. This issue has been fixed by adding a condition to the log file rotation process requiring the log file to be 10 MB or more and the connection status warning will only be seen once every few months.
60011-When a User ID Agent Setup template was pushed from Panorama to a managed device, the application content updates were not available for viewing or cloning in the syslog filters list in the web interface (Device > User Identification > User Mapping > User ID Agent Setup > Syslog Filters).
Thanks
03-14-2014 06:48 AM
I've upgraded to PANOS 6.01, set the Service Route Configuration for Syslog as Source Interface=Any, and Source Address to be my internal class-c Network. Upon removing the Destination tab information where the destination is my syslog Server IP, source Interface=Any, and Source Interface being the default Gateway IP I'm still only seeing configuration logs items, so it's basically the same issue moving to 6.0.1. If I modify the Destination tab back to what it was previously, i then begin to see Traffic logs again being sent to my firewall analyzer/syslog. If version 6.0.1 correct the issues where I don't have to many put in the destination for my syslog, is there something i'm missing here?
03-18-2014 09:03 AM
This is a bug that is currently being worked on. This only affects configurations where the syslog server must be reached through a dataplane interface. The workaround at this time is as you noted, creating a specific destination service route to your syslog server.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
