10-10-2023 01:14 PM
10-10-2023 01:15 PM
I'm configuring a lab NGFW and Panorama. Virtual on ESXi. My problem is that I have configured log forwarding as well as I can based on the articles I found, and the logs do not seem to be making it to Panorama. Show logging command from the NGFW:
admin@PA-VM> show logging-status verbose yes
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
Log Collector : 000710015859
Conn ID : lr-10.1.16.190-2
Connection IP : 10.1.16.190
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Active
DNS :
msg : Successfully resolved FQDN for connid (lr-10.1.16.190-2-def), IP (10.1.16.190)
status : success
timestamp : 2023/10/07 19:45:38
Registration :
msg : Successful registration with lr-10.1.16.190-2-def
status : success
timestamp : 2023/10/07 19:45:39
SSL :
msg : ssl channel established
status : success
timestamp : 2023/10/07 19:45:39
TCP :
msg : tcp connection established
status : success
timestamp : 2023/10/07 19:45:38
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic 2023/09/06 05:48:28 2023/10/10 12:34:26 7273362867636814750 0 12864
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config 2023/09/28 12:46:18 2023/10/10 12:34:58 7282416426768400408 0 31
system 2023/09/26 12:28:26 2023/10/10 13:11:02 7282416426768418241 0 87466
globalprotect Not Available Not Available 0 0 0
Log Collector : 000710015859
Conn ID : lr-10.1.16.190
Connection IP : 10.1.16.190
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Active
DNS :
msg : Successfully resolved FQDN for connid (lr-10.1.16.190-def), IP (10.1.16.190)
status : success
timestamp : 2023/10/07 19:45:38
Registration :
msg : Successful registration with lr-10.1.16.190-def
status : success
timestamp : 2023/10/07 19:45:39
SSL :
msg : ssl channel established
status : success
timestamp : 2023/10/07 19:45:39
TCP :
msg : tcp connection established
status : success
timestamp : 2023/10/07 19:45:38
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic 2023/09/06 05:51:23 2023/10/10 12:34:40 7273362867636814813 0 14180
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config 2023/09/28 15:30:56 2023/10/10 12:35:03 7282416426768400419 0 36
system 2023/09/26 12:33:53 2023/10/10 13:11:11 7282416426768418320 0 95533
globalprotect Not Available Not Available 0 0 0
Log Collector : 000710015859
Conn ID : lr-10.1.16.190-1
Connection IP : 10.1.16.190
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Active
DNS :
msg : Successfully resolved FQDN for connid (lr-10.1.16.190-1-def), IP (10.1.16.190)
status : success
timestamp : 2023/10/07 19:45:38
Registration :
msg : Successful registration with lr-10.1.16.190-1-def
status : success
timestamp : 2023/10/07 19:45:39
SSL :
msg : ssl channel established
status : success
timestamp : 2023/10/07 19:45:39
TCP :
msg : tcp connection established
status : success
timestamp : 2023/10/07 19:45:38
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic 2023/09/06 05:51:38 2023/10/10 12:34:41 7273362867636814834 0 17518
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config 2023/09/28 13:22:56 2023/10/10 12:35:01 7282416426768400414 0 42
system 2023/09/26 12:32:03 2023/10/10 13:11:08 7282416426768418290 0 116134
globalprotect Not Available Not Available 0 0 0
Log Collector : 000710015859
Conn ID : lr-10.1.16.190-4
Connection IP : 10.1.16.190
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Active
DNS :
msg : Successfully resolved FQDN for connid (lr-10.1.16.190-4-def), IP (10.1.16.190)
status : success
timestamp : 2023/10/07 19:45:38
Registration :
msg : Successful registration with lr-10.1.16.190-4-def
status : success
timestamp : 2023/10/07 19:45:39
SSL :
msg : ssl channel established
status : success
timestamp : 2023/10/07 19:45:39
TCP :
msg : tcp connection established
status : success
timestamp : 2023/10/07 19:45:38
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic 2023/09/06 05:52:43 2023/10/10 12:34:46 7273362867636814862 0 15516
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config 2023/09/28 12:46:42 2023/10/10 12:34:59 7282416426768400410 0 38
system 2023/09/26 12:35:44 2023/10/10 13:11:15 7282416426768418335 0 106035
globalprotect Not Available Not Available 0 0 0
Log Collector : 000710015859
Conn ID : lr-10.1.16.190-3
Connection IP : 10.1.16.190
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Active
DNS :
msg : Successfully resolved FQDN for connid (lr-10.1.16.190-3-def), IP (10.1.16.190)
status : success
timestamp : 2023/10/07 19:45:38
Registration :
msg : Successful registration with lr-10.1.16.190-3-def
status : success
timestamp : 2023/10/07 19:45:39
SSL :
msg : ssl channel established
status : success
timestamp : 2023/10/07 19:45:39
TCP :
msg : tcp connection established
status : success
timestamp : 2023/10/07 19:45:38
Conn Uptime : 0
Re-conn Count : 0
Rate : 0 logs/sec
traffic 2023/09/06 05:52:53 2023/10/10 12:34:47 7273362867636814864 0 12060
threat Not Available Not Available 0 0 0
hipmatch Not Available Not Available 0 0 0
gtp-tunnel Not Available Not Available 0 0 0
auth Not Available Not Available 0 0 0
iptag Not Available Not Available 0 0 0
userid Not Available Not Available 0 0 0
sctp Not Available Not Available 0 0 0
decryption Not Available Not Available 0 0 0
config 2023/09/28 15:30:32 2023/10/10 12:35:03 7282416426768400418 0 30
system 2023/09/26 12:29:29 2023/10/10 13:11:04 7282416426768418259 0 79773
globalprotect Not Available Not Available 0 0 0
admin@PA-VM>
10-10-2023 03:16 PM
Hello @RRussellSplunk
Thanks for the post!
Could you confirm whether logs are received by the log collector using this command in Panorama: show logging-status device <FW SN> ?
Also, check that the firewall and Panorama have the same time/time zone. KB for reference.
Kind Regards
Pavel
10-12-2023 11:15 AM
admin@Panorama> show logging-status device NNNNNNNNNNNNNN
Type Last Log Rcvd Last Seq Num Rcvd Last Log Generated
Source IP : 3
Destination IP : 10.1.16.190
Source Daemon : logrcvr
Connection Id : 007951000393837-log-collection-lr-10.1.16.190-3-def
Log rate: 0
config N/A N/A N/A
system N/A N/A N/A
threat N/A N/A N/A
traffic N/A N/A N/A
hipmatch N/A N/A N/A
gtp-tunnel N/A N/A N/A
userid N/A N/A N/A
iptag N/A N/A N/A
auth N/A N/A N/A
sctp N/A N/A N/A
decryption N/A N/A N/A
globalprotect N/A N/A N/A
Source IP : 4
Destination IP : 10.1.16.190
Source Daemon : logrcvr
Connection Id : 007951000393837-log-collection-lr-10.1.16.190-4-def
Log rate: 0
config N/A N/A N/A
system N/A N/A N/A
threat N/A N/A N/A
traffic N/A N/A N/A
hipmatch N/A N/A N/A
gtp-tunnel N/A N/A N/A
userid N/A N/A N/A
iptag N/A N/A N/A
auth N/A N/A N/A
sctp N/A N/A N/A
decryption N/A N/A N/A
globalprotect N/A N/A N/A
Source IP : 2
Destination IP : 10.1.16.190
Source Daemon : logrcvr
Connection Id : 007951000393837-log-collection-lr-10.1.16.190-2-def
Log rate: 0
config N/A N/A N/A
system N/A N/A N/A
threat N/A N/A N/A
traffic N/A N/A N/A
hipmatch N/A N/A N/A
gtp-tunnel N/A N/A N/A
userid N/A N/A N/A
iptag N/A N/A N/A
auth N/A N/A N/A
sctp N/A N/A N/A
decryption N/A N/A N/A
globalprotect N/A N/A N/A
Source IP : Default
Destination IP : 10.1.16.190
Source Daemon : logrcvr
Connection Id : 007951000393837-log-collection-lr-10.1.16.190-def
Log rate: 0
config N/A N/A N/A
system N/A N/A N/A
threat N/A N/A N/A
traffic N/A N/A N/A
hipmatch N/A N/A N/A
gtp-tunnel N/A N/A N/A
userid N/A N/A N/A
iptag N/A N/A N/A
auth N/A N/A N/A
sctp N/A N/A N/A
decryption N/A N/A N/A
globalprotect N/A N/A N/A
Source IP : 1
Destination IP : 10.1.16.190
Source Daemon : logrcvr
Connection Id : 007951000393837-log-collection-lr-10.1.16.190-1-def
Log rate: 0
config N/A N/A N/A
system N/A N/A N/A
threat N/A N/A N/A
traffic N/A N/A N/A
hipmatch N/A N/A N/A
gtp-tunnel N/A N/A N/A
userid N/A N/A N/A
iptag N/A N/A N/A
auth N/A N/A N/A
sctp N/A N/A N/A
decryption N/A N/A N/A
globalprotect N/A N/A N/A
Source IP : Default
Destination IP : Default
Source Daemon : unknown
Connection Id : 007951000393837
Log rate: 0
config N/A N/A N/A
system N/A N/A N/A
threat N/A N/A N/A
traffic N/A N/A N/A
hipmatch N/A N/A N/A
gtp-tunnel N/A N/A N/A
userid N/A N/A N/A
iptag N/A N/A N/A
auth N/A N/A N/A
sctp N/A N/A N/A
decryption N/A N/A N/A
globalprotect N/A N/A N/A
admin@Panorama>
10-12-2023 11:17 AM
The GUI shows both are set to timezone US/Pacific
10-12-2023 06:25 PM
Hello @RRussellSplunk
Thank you for the reply.
From the output you provided, it looks like Panorama is not getting logs. Could you please run this command on the firewall: show log-collector preference-list ? If the output of this command does not return the log collector's IP address, then could you restart the management process on the firewall?
Also make sure that on the Panorama side all changes are committed and pushed to the log collector group.
Further details are described in this KB: Firewall not sending logs to correct log collector.
Kind Regards
Pavel
10-16-2023 12:17 PM
Output of command:
admin@PA-VM> show log-collector preference-list
Log Collector Preference List
Forward to all: No
Serial Number: 000710015859 IP Address: 10.1.16.190 IPV6 Address: unknown
Tried a reboot of the firewall, and the output of that command is the same after the reboot.
Logs still do not appear to be making it to Panorama after the reboot.
Reading through the KB you sent. Will report back.
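Added example, not part of the original thread and not Palo Alto Networks tooling: a small Python parser for `show logging-status verbose yes` output in the layout posted above, listing each connection and log type where Total Logs Fwded is non-zero while Last Seq Num Acked is still 0. Reading that combination as "forwarded but not acknowledged by the collector" is an assumption based on the column names; the first connection in the sample is copied from the thread and the second is constructed for contrast.

```python
import re

# A timestamp column is either a date/time or the literal "Not Available".
TS = r"(?:Not Available|\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
ROW = re.compile(rf"^([a-z][a-z-]*)\s+({TS})\s+({TS})\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
CONN = re.compile(r"^Conn ID\s*:\s*(\S+)")

# First connection: rows as posted in the thread.
# Second connection (192.0.2.10): constructed, shows an acknowledged stream.
SAMPLE = """\
Conn ID : lr-10.1.16.190-2
Connection Status : lr - Active
traffic 2023/09/06 05:48:28 2023/10/10 12:34:26 7273362867636814750 0 12864
threat Not Available Not Available 0 0 0
system 2023/09/26 12:28:26 2023/10/10 13:11:02 7282416426768418241 0 87466
Conn ID : lr-192.0.2.10
Connection Status : lr - Active
traffic 2023/10/10 12:34:20 2023/10/10 12:34:26 5000 5000 5000
"""

def parse_logging_status(text):
    """Yield one dict per log-type row, tagged with the Conn ID it belongs to."""
    conn = None
    for line in text.splitlines():
        line = line.strip()
        m = CONN.match(line)
        if m:
            conn = m.group(1)
            continue
        m = ROW.match(line)
        if m:
            log_type, created, fwded, seq_fwd, seq_ack, total = m.groups()
            yield {"conn": conn, "type": log_type,
                   "last_created": created, "last_fwded": fwded,
                   "seq_fwded": int(seq_fwd), "seq_acked": int(seq_ack),
                   "total_fwded": int(total)}

def unacked_streams(text):
    """Rows where logs were forwarded but the acked sequence number is still 0."""
    return [(r["conn"], r["type"], r["total_fwded"])
            for r in parse_logging_status(text)
            if r["total_fwded"] > 0 and r["seq_acked"] == 0]

if __name__ == "__main__":
    for conn, log_type, total in unacked_streams(SAMPLE):
        print(f"{conn}: {log_type} forwarded {total} logs, none acknowledged")
```
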