Palo Alto Networks Knowledgebase: Viewing the Log Collector system log in the Panorama appliance

Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:01 AM
Cortex Data Lake Panorama

Issue

After upgrading, we're unable to see the system log sent from the Log Collector in the Panorama appliance. (Both the Panorama appliance and the Log Collector were upgraded.)


Even if "request log-fwd-ctrl action start-from-lastack device" is performed, the issue is not resolved.

The issue is seen if the Local Log Collector configuration has been deleted before upgrading PAN-OS.

 

Cause
When upgrading, the M-100 (Panorama) fails initialization because the sdb variable is missing.
This variable is set when the configuration is pushed to the Collector Group.
However, if there is no local Log Collector and no Collector Group that contains it, the Collector Group commit cannot happen.


Resolution

Add the Panorama as a Log Collector, and create a Collector Group which contains the Log Collector. 

Commit the change to Panorama and push the config to the collector group.
Then remove the collector group and the log collector and commit the changes to Panorama.

The sdb variable persists even if the local Log Collector is deleted after the variable is set.

 

Steps to recovery


Register the M-100 Panorama appliances as Local Log Collectors

 

  1. Log in to the GUI of the M-100 Panorama, then click Panorama > Managed Collector.
  2. Click Add, enter the S/N of the Primary Panorama in Collector S/N, then click OK.
    Confirm that the S/N is displayed in the "Serial Number" column in the GUI.
  3. Click Add, enter the S/N of the Secondary Panorama (if there is one) in Collector S/N, then click OK.
    Confirm that the S/N is displayed in the "Serial Number" column in the GUI.
  4. Click Commit, select Panorama under the Commit Type radio button, then click OK.
    Confirm that the result is OK with the message "Configuration committed successfully."
  5. Click the Collector Name added in step 2, then click the Disks tab in the Collector dialog.
  6. Click Add and add all Disk Pairs (A, B, C, and D) to the Enabled Disk Pair field.
  7. Click the Collector Name added in step 3, then click the Disks tab in the Collector dialog.
  8. Click Add and add all Disk Pairs (A, B, C, and D) to the Enabled Disk Pair field.
  9. Click Commit, select Panorama under the Commit Type radio button, then click OK.
    Confirm that the result is OK with the message "Configuration committed successfully."

 

Add the M-100 Panorama Appliances (Local Log Collector) to the Collector Group

 

  1. Click Panorama > Collector Groups.
  2. Click Add, then enter the Collector Group name (e.g. "Panorama_LLC_1") at General > Name in the Collector Group dialog.
  3. Click Device Log Forwarding, then enter the Collector Group name (e.g. "Panorama_LLC_1") at General > Name, then click Add under Collector Group Members and add the Primary and Secondary Panorama appliance names as log collectors.
  4. Click Commit, select Panorama under the Commit Type radio button, then click OK.
    Confirm that the result is OK with the message "Configuration committed successfully."
  5. Click Commit again, then select Collector Group under the Commit Type radio button.
  6. Check all Collector Groups, then click OK.
    Confirm the message "commit succeeded."
     

Check System log forwarding recovery

  1. Click Monitor > Logs > System. Confirm that the Log Collector S/Ns appear in the Device SN column.
  2. Log in to the Primary Panorama via the CLI, then run "show logging-status device [S/N of the Log Collector]".

 

> show logging-status device [S/N of the Log Collector]

Type      Last Log Rcvd        Last Seq Num Rcvd  Last Log Generated
config    N/A                  N/A                N/A
system    2016/05/13 17:32:00  2301               2016/05/13 17:32:00
threat    N/A                  N/A                N/A
traffic   2016/05/13 17:53:25  2301               2016/05/13 17:52:13
hipmatch  N/A                  N/A                N/A
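
To script the check in step 2, the following added example (not from the original article or from Palo Alto Networks) parses output in the form shown above and reports required log types that were never received or have gone stale. The function names, the one-hour threshold, and the assumption that the output has exactly the four columns shown on this page are illustrative.

```python
import re
from datetime import datetime, timedelta

# Sample copied from the output shown in this article (only the columns it shows).
SAMPLE = """\
Type      Last Log Rcvd        Last Seq Num Rcvd  Last Log Generated
config    N/A                  N/A                N/A
system    2016/05/13 17:32:00  2301               2016/05/13 17:32:00
threat    N/A                  N/A                N/A
traffic   2016/05/13 17:53:25  2301               2016/05/13 17:52:13
hipmatch  N/A                  N/A                N/A
"""

_TS = r"N/A|\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
# A data row: lowercase log type, timestamp, sequence number, timestamp.
_ROW = re.compile(rf"^\s*([a-z][\w-]*)\s+({_TS})\s+(N/A|\d+)\s+({_TS})\s*$")


def _ts(value):
    """Convert a CLI timestamp to datetime; 'N/A' becomes None."""
    return None if value == "N/A" else datetime.strptime(value, "%Y/%m/%d %H:%M:%S")


def parse_logging_status(text):
    """Return {log_type: {"last_rcvd", "last_seq", "last_generated"}}."""
    status = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:  # header, prompt and blank lines do not match and are skipped
            continue
        log_type, rcvd, seq, gen = m.groups()
        status[log_type] = {
            "last_rcvd": _ts(rcvd),
            "last_seq": None if seq == "N/A" else int(seq),
            "last_generated": _ts(gen),
        }
    return status


def forwarding_gaps(status, now, max_age=timedelta(hours=1), required=("system",)):
    """List required log types that were never received or are older than max_age."""
    gaps = []
    for log_type in required:
        last = status.get(log_type, {}).get("last_rcvd")
        if last is None:
            gaps.append((log_type, "never received"))
        elif now - last > max_age:
            gaps.append((log_type, f"stale since {last:%Y/%m/%d %H:%M:%S}"))
    return gaps
```

An empty list from forwarding_gaps() means every required log type has been received within the threshold; for this article's issue, "system" is the type to require.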

 


