Traffic Logs missing from subset of datetime range when using certain filters?


L6 Presenter

Has anyone run into a problem with Traffic Logs not returning any results within a certain period of a larger time range? I have been running a daily traffic analysis of a particular destination network (due to a vendor issue). Today's analysis of yesterday's traffic partially failed, as a roughly 15 min period is completely missing from the Traffic Logs returned using the query filter:

(addr.dst in xx.xx.xx.0/24) and ( receive_time geq '2025/10/01 00:00' ) and ( receive_time leq '2025/10/01 23:59:59' ) and !( addr.src in 'yy.yy.yy.70' )

 

This query should return all traffic on 10/1 destined for the xx.xx.xx.0/24 network, excluding a specific local source yy.yy.yy.70. But all logs received between 11:07:54-11:24:25 are missing from the results (roughly 10000 lines). If the source exclusion is removed from the query, then all expected results appear. If the log filter time range is narrowed to shortly before and after the time range, the results are still missing. If the log filter start time is within the missing period, none of the missing logs appear, regardless of whether the source exclusion is there or not.

 

Has anyone seen this before? After extensive testing, it seems to be some sort of deep-seated log parsing error, but I haven't been able to identify a source cause yet.
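As an added illustration (not code from the thread or from Palo Alto Networks), the script below performs the two checks described above on exported traffic logs: it looks for a silent window in the receive_time column, and it compares an export taken with the source exclusion against one taken without it, so that any rows the exclusion dropped beyond the excluded source stand out. The log rows, addresses and the gap itself are constructed to mirror the reported symptom.

```python
from datetime import datetime, timedelta

# Constructed export taken WITHOUT the source exclusion (receive_time, addr.src).
FULL_EXPORT = [
    ("2025/10/01 11:05:10", "yy.yy.yy.12"),
    ("2025/10/01 11:06:30", "yy.yy.yy.70"),
    ("2025/10/01 11:07:53", "yy.yy.yy.12"),
    ("2025/10/01 11:10:00", "yy.yy.yy.12"),
    ("2025/10/01 11:15:00", "yy.yy.yy.70"),
    ("2025/10/01 11:20:00", "yy.yy.yy.12"),
    ("2025/10/01 11:24:26", "yy.yy.yy.12"),
    ("2025/10/01 11:25:00", "yy.yy.yy.12"),
]

# Constructed export taken WITH "!( addr.src in 'yy.yy.yy.70' )": besides the
# excluded source, everything between 11:07:54 and 11:24:25 is silently missing.
FILTERED_EXPORT = [
    ("2025/10/01 11:05:10", "yy.yy.yy.12"),
    ("2025/10/01 11:07:53", "yy.yy.yy.12"),
    ("2025/10/01 11:24:26", "yy.yy.yy.12"),
    ("2025/10/01 11:25:00", "yy.yy.yy.12"),
]

def parse_time(text):
    """Parse the receive_time format used in the log filter."""
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")

def find_gaps(rows, max_silence=timedelta(minutes=5)):
    """Return (start, end) pairs where consecutive receive_time values are
    further apart than max_silence. Rows may be in any order."""
    times = sorted(parse_time(t) for t, _ in rows)
    return [(earlier, later) for earlier, later in zip(times, times[1:])
            if later - earlier > max_silence]

def unexplained_drops(full_rows, filtered_rows, excluded_src):
    """Rows that the exclusion filter should have kept (source is not the
    excluded one) but that are absent from the filtered export."""
    expected = {row for row in full_rows if row[1] != excluded_src}
    return sorted(expected - set(filtered_rows))

if __name__ == "__main__":
    for start, end in find_gaps(FILTERED_EXPORT):
        print(f"silent window: {start} -> {end}")
    for row in unexplained_drops(FULL_EXPORT, FILTERED_EXPORT, "yy.yy.yy.70"):
        print(f"dropped without explanation: {row}")
```

Run against real exports, a non-empty result from either function is the evidence worth attaching to a support case, since the firewall's own filter cannot be trusted to show what it dropped.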


Community Team Member

Hi @Adrian_Jensen ,

 

I’ve seen situations where applying certain filters, like exclusion filters, in traffic log searches can cause gaps where some logs don’t appear, even though the data is present. This has been tied to under-the-hood bugs in certain PAN-OS versions and is addressed in later releases.

 

In my own experience (previously with an MSP monitoring alerts), I ran into the same behavior and had to lean on third-party SIEMs for advanced queries or large-scale analytics.

 

A good path forward would be to confirm your current PAN-OS version (since upgrades often resolve these issues), and in parallel, consider whether forwarding logs to an external system could give you more flexibility with the type of analysis you’re running. Also, I'd create a support ticket for this to bring awareness to the issue for the particular code that you are running.

LIVEcommunity team member
Stay Secure,
Jay

L0 Member

Hi,

It can be related to the following:

PAN-273026 Fixed an issue where traffic logs did not display correctly when filters were applied

 

Regards

 

L6 Presenter

Interesting. The PAN-273026 issue looks very similar to what I am seeing. I am currently running the 10.2.9-h21 release. After looking extensively at the known and addressed issue notes, PAN-274026 seems to only appear in 11.1 and 11.2, and the 10.2.9-h21 release was after some of the 11.x fixed releases. So it is unclear if this PAN even affects 10.2. I have a support ticket open and am waiting for a call to show the error after some previous support suggestions did not seem to apply.
