PANOS 6 Syslog Different?


Not applicable

I'm running a PA-200, recently upgraded to PANOS6.0, and noticed I'm not receiving traffic logs to my syslog server. When on 5.x of PANOS I was receiving change configuration, traffic logs, etc to my syslog/firewall analyzer application ManageEngine FirewallAnalyzer, but after upgrading to 6.0, I'm only receiving config messages (restarts, change to configuration, etc). I confirmed my syslog setting in the PAN and they're identical to what they were before the upgrade and the listening port on my syslog server was up, any ideas? I ensured log at session end was the same, the destination IP/port were correct, and the service route was that of my inside interface, is there something different in PANOS 6 that needs to be configured differently?

Thanks for any input...


L7 Applicator

New enhancements in 6.0 related to SYSLOG over TCP or SSL.


You can verify the same from CLI:

admin@PA-4020> show counter management-server
Log action not taken            :          1
Logs dropped because not logging:          0
User information from AD read   :          2
Certificates information read   :          0
License information fetched from update server:          0
Log action syslogs sent         :        557 >>>>>>>>>>>>>>>>>>>>>> verify if the counter is incrementing
Sighash refcount                :          1
Tunnelhash refcount             :          1
URLcat refcount                 :          1
ip2loc refcount                 :          1


Related CLI command to ensure that the PAN is generating traffic logs:

> debug log-receiver statistics

> show logging-status

Thanks

Hulk... thanks for your input! I've performed the above commands and see NO syslogs sent. Issuing the debug command, the traffic log count is incrementing, but showing the logging status, it's reporting the below. I can't figure out what configuration change I need to make to send the logs correctly, as it worked fine in 5.x. Can you assist? (For what it's worth, I have my syslog in the PAN configured for UDP.)

xxxxx@pa-200> show counter management-server
Log action not taken            :          0
Logs dropped because not logging:          0
User information from AD read   :          2
Certificates information read   :          0
License information fetched from update server:          0
Log action syslogs sent         :          0
Sighash refcount                :          6
Tunnelhash refcount             :          7
URLcat refcount                 :          7
ip2loc refcount                 :          2
External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog         267428         267428              0              0                   0

xxxxxx@pa-200> debug log-receiver statistics
Logging statistics
------------------------------ -----------
Log incoming rate:             0/sec
Log written rate:              0/sec
Corrupted packets:             0
Corrupted URL packets:         0
Logs discarded (queue full):   0
Traffic logs written:          267406
URL logs written:              3
Wildfire logs written:         0
Anti-virus logs written:       0
Spyware logs written:          0
Attack logs written:           0
Vulnerability logs written:    0
Fileext logs written:          27
URL cache age out count:       0
URL cache full count:          0
URL cache key exist count:     0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Log Forward count:             0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog         267436         267436              0              0                   0
      snmp              0              0              0              0                   0
     email              0              0              0              0                   0
       raw              0              0              0              0                   0

xxxxxx@pa-200> debug log-receiver statistics
Logging statistics
------------------------------ -----------
Log incoming rate:             1/sec
Log written rate:              1/sec
Corrupted packets:             0
Corrupted URL packets:         0
Logs discarded (queue full):   0
Traffic logs written:          267410
URL logs written:              3
Wildfire logs written:         0
Anti-virus logs written:       0
Spyware logs written:          0
Attack logs written:           0
Vulnerability logs written:    0
Fileext logs written:          27
URL cache age out count:       0
URL cache full count:          0
URL cache key exist count:     0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Log Forward count:             0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0

show logging-status
-----------------------------------------------------------------------------------------------------------------------------
      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded       Last Seq Num Acked         Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
        Not Sending to CMS 0
> CMS 1
        Not Sending to CMS 1
>Log Collector
        Not Sending to Log Collector
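The check suggested earlier in the thread (poll the counters twice and see whether "Log action syslogs sent" moves while "Traffic logs written" moves) is easy to automate. The script below is an added example written for this page; it is not Palo Alto Networks code and not something from the thread. It parses two polls of the "show counter management-server" / "debug log-receiver statistics" text and classifies the interval. The two sample polls are constructed from the values pasted above (traffic logs 267406 then 267410, syslogs sent 0 both times); the verdict categories and the hint strings are my own wording of what the thread goes on to check (log forwarding profile, service route source interface and Destination tab). Wrapped table rows, as the forum paste shows them, must be rejoined onto one line before they are fed to the parser.

```python
import re
from typing import Dict, Tuple

# Constructed samples, built from the values pasted in this thread (not the raw paste):
# two polls of the same CLI commands a few seconds apart on a box that is writing
# traffic logs but not forwarding any of them as syslog.
SAMPLE_BEFORE = """\
Log action not taken            :          0
Logs dropped because not logging:          0
Log action syslogs sent         :          0
Log incoming rate:             0/sec
Traffic logs written:          267406
Log Forward count:             0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog         267428         267428              0              0                   0
      snmp              0              0              0              0                   0
"""

SAMPLE_AFTER = """\
Log action not taken            :          0
Logs dropped because not logging:          0
Log action syslogs sent         :          0
Log incoming rate:             1/sec
Traffic logs written:          267410
Log Forward count:             0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog         267436         267436              0              0                   0
      snmp              0              0              0              0                   0
"""

# "Name : 123" lines; values carrying units such as "0/sec" are deliberately skipped.
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][^:]*?)\s*:\s*(?P<value>\d+)\s*$")
# Rows of the External Forwarding stats table (five integer columns after the type).
FWD_ROW_RE = re.compile(r"^\s*(?P<type>syslog|snmp|email|raw)\s+(?P<nums>(?:\d+\s+){4}\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every 'name : value' line in the CLI output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def parse_forwarding(text: str) -> Dict[str, Dict[str, int]]:
    """Return {type: {enqueue, send, drop, queue_depth, send_rate}} from the stats table."""
    table: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = FWD_ROW_RE.match(line)
        if m:
            enq, sent, drop, depth, rate = (int(n) for n in m.group("nums").split())
            table[m.group("type")] = {"enqueue": enq, "send": sent, "drop": drop,
                                      "queue_depth": depth, "send_rate": rate}
    return table


def delta(before: Dict[str, int], after: Dict[str, int], name: str) -> int:
    """Growth of one counter between the two polls (a missing counter counts as 0)."""
    return after.get(name, 0) - before.get(name, 0)


def diagnose(before_text: str, after_text: str) -> Tuple[str, str]:
    """Classify the interval as ok / not_generating / send_errors / not_forwarding."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    written = delta(before, after, "Traffic logs written")
    sent = delta(before, after, "Log action syslogs sent")
    fwd_before = parse_forwarding(before_text).get("syslog", {}).get("drop", 0)
    fwd_after = parse_forwarding(after_text).get("syslog", {}).get("drop", 0)
    errors = (delta(before, after, "Logs dropped because not logging")
              + delta(before, after, "Log Forward discarded (queue full) count")
              + delta(before, after, "Log Forward discarded (send error) count")
              + (fwd_after - fwd_before))
    if written == 0:
        return "not_generating", "no traffic logs written in the interval: check that the rules log at session end"
    if errors > 0:
        return "send_errors", f"{errors} forwarding drops/errors in the interval: check reachability of the syslog server"
    if sent == 0:
        return "not_forwarding", (f"{written} traffic logs written but 'Log action syslogs sent' did not move: "
                                  "check the log forwarding profile and the service route (source interface and Destination tab)")
    return "ok", f"{sent} syslogs sent for {written} traffic logs written"


if __name__ == "__main__":
    status, detail = diagnose(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"{status}: {detail}")
```

Run it against the two samples and it reports "not_forwarding", which is exactly the state the thread describes: the log receiver is writing traffic logs, nothing is being dropped, and yet the syslog counter stays at zero, so the problem is in the forwarding path rather than in log generation.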

Might sound lame, but what about log forwarding profile?

Is it still the same?

Yeah... sure is. That's what I can't figure out; it seems odd and is driving me crazy... I haven't changed anything from the previous version, but I also noticed I can only ping my internal DNS and default gateway server when I SSH'd to the management console, all of which are on the same class C subnet, as are my other servers and workstations. My syslog forwarding profile is to my internal log analyzer on standard port UDP 514, and my service route is configured for 'source interface any' and source address as 192.168.0.1/24.

L4 Transporter

I just upgraded a PA4020 to 6.0 and I'm seeing similar behavior. The last event time we received on our SIEM platform from the 4020 was 5 minutes before the upgrade, yesterday.

Yet another PA QA fail.

Ouch...I feel like we should create a community checklist for their QA department.  Things they need to make sure are working before they release an update.

Not applicable

I've opened a case with Palo Alto and have sent tech support files, but as I only have standard support I'm sure it'll take some time to address. I'm glad (in an odd way) that I'm not the only one seeing this problem, as I've reconfigured syslog settings on the PAN, syslog server, ports, and firewall configs, all with the same results.

We got problems with syslog after upgrading to 6.0.

We fixed that using the service route for Syslog, Destination tab. Except using this, we had problems. Although there was a source interface chosen for syslog, we also used the Destination tab. With that it worked.

I opened a case; I think there is a bug here.

Thanks for the input on the destination tab, I'm now receiving syslogs! Hopefully this will get addressed soon.
