03-13-2022 04:28 PM
Thank you for the post @Deepak25
1.) In this scenario, the only option is to configure new M-200 as a dedicated log collector: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-log-collection/log-collection-...
Since you are using Panorama HA with built in log collectors, there is no option to expend it unless you configure the new M-200 in logger mode and register it to existing Panorama as a dedicated log collector.
2.) Technically the only requirement to add a new log collector to existing log collector group is to have the same hardware which you have. After you register new M-200 to Panorama, you should be able to add it to log collector group under: Panorama > Collector Groups > [Log Collector Group Name] > Collector Group Members > Add
3.) Adding new M-200 will increase capacity, but keep in mind a few points:
- By having the option: "Enable log redundancy across collectors" enabled, a single log will be stored in 2 different log collectors. Please refer to the: "Log Redundancy" in this link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBw7CAG
- New log collector will have this portion of the log: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPcwCAG
- After you add Log Collectors to an existing Collector Group, Panorama redistributes its existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage.
4.) The logs will be ingested by new log collector depending on how you set up device log forwarding in log collector group, then actual log will be stored in 2 log collectors across log collector group by using internal algorithm.
5.) I think, I answered this by above 4 points, but if there is any question, I will try on best effort bases help.
Kind Regards
Pavel Kucera
