So apparently I must be missing something. I configured Log Forwarding to send it to my Panorama instance, so that when I click on Monitor I can click and view the logs but apparently none of my logs are showing up in Panorama. They show up find on the firewalls but not in Panorama.
I have made sure that all my Log Forwarding profiles have it checked to send to Panorama. The device setup shows it's connected to the correct IP address for the Panorama. I thought that was the two main steps you had to be (besides commiting) but I went ahead and even tried to add it to the Zones for the log setting. I also made sure it was set up in the Policies > Security as well for the events that are getting tripped. I am still not seeing any logs in Panorama.
Is there something else I should try or am I missing something?
For policies, make sure they have a Log Forwarding profile that specifies that sort of traffic be forwarded to panorama
System, Config, HIP, and Correlation logs should be set to forward to panorama under Device -> Log Settings
I have seen instances where the logs do not display in Panorama even though they are forwarded, in this case restarting the configd and management-server processes on panorama fixed it.
Yes, the service restarts would be done via CLI, but if you did not have the forwarding profiles with "Panorama" checked for traffic that would explain why they were not being forwarded.
I assume this was already the case, but policies must be set to log on session start or end in addition to having a forwarding profile. Without that they will, of course, log neither locally or to panorama.
Before restarting the services, there are additional troubleshooting steps you can take, again from the CLI
On the firewall you can verify log forwarding is configured and active:
>show log-collector preference-list
You should see your panorama appliance serial and IP in the configured list
> show logging-status
The output should show a message stating that the log forwarding agent is active
In panorama, you can verify it is recieving the logs
> show logging-status device <firewall serial number>
If it does not indicate current logs, you can have panorama instruct the firewall to restart log forwarding from teh lack acknowledged message:
> request log-fwd-ctrl device <firewall serial number> action start-from-lastack
That generally "fixes" issues where logs are not beign sent at all.
Here are a few articles on the subject in the KB
If you mentioned version numbers I missed it.. this is 8.0 but the process is the same in 7.1
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!