Debug commands to identify syslog statistics from PAN-OS 6.0

Created On 09/26/18 13:49 PM - Last Modified 06/08/23 08:34 AM


Resolution


This document explains the commands used to verify the statistics of logs forwarded or dropped on the firewall in PAN-OS 6.0 and newer.

 

1. With the command debug syslog-ng stats, we can check the forwarded-log and drop counters for the syslog server:

 

> debug syslog-ng stats
 
SourceName;SourceId;SourceInstance;State;Type;Number
destination;d_logsecure;;a;processed;1632
global;payload_reallocs;;a;processed;3140
source;src_traffic;;a;processed;590
source;src_hipmatch;;a;processed;0
source;s_local;;a;processed;1632
global;msg_clones;;a;processed;1490
src.internal;s_local#0;;a;processed;1632
src.internal;s_local#0;;a;stamp;1405463177
destination;dstdevnull;;a;processed;0
destination;dst10;;a;processed;780
global;sdata_updates;;a;processed;0
source;src_system;;a;processed;25
source;src_threat;;a;processed;165
center;;received;a;processed;0
center;;queued;a;processed;0
dst.tcp;dst10#0;10.66.22.247:514;a;dropped;0 <== check for drop counters.
dst.tcp;dst10#0;10.66.22.247:514;a;processed;774
dst.tcp;dst10#0;10.66.22.247:514;a;stored;0
source;src_config;;a;processed;0
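
An added example (not part of the original article and not Palo Alto Networks code): a Python parser for the semicolon-separated output above that reports any dst.* connection whose dropped or stored counter is non-zero. The sample input is constructed from the output shown, with the dropped and stored values changed to non-zero; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the output above, with the dropped and
# stored counters changed to non-zero so the check has something to report.
SAMPLE = """\
> debug syslog-ng stats
SourceName;SourceId;SourceInstance;State;Type;Number
destination;dst10;;a;processed;780
src.internal;s_local#0;;a;stamp;1405463177
dst.tcp;dst10#0;10.66.22.247:514;a;dropped;12 <== check for drop counters.
dst.tcp;dst10#0;10.66.22.247:514;a;processed;774
dst.tcp;dst10#0;10.66.22.247:514;a;stored;3
"""

def parse_stats(text):
    """Return {(SourceName, SourceId, SourceInstance): {Type: Number}}."""
    stats = defaultdict(dict)
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) != 6 or fields[0] == "SourceName":
            continue  # CLI prompt, blank line or header row
        number = re.match(r"\d+", fields[5])  # ignore trailing annotation text
        if number:
            stats[tuple(fields[:3])][fields[4]] = int(number.group())
    return dict(stats)

def forwarding_problems(stats):
    """Return dst.* connections with non-zero dropped or stored counters."""
    problems = []
    for (name, _source_id, instance), counters in sorted(stats.items()):
        if not name.startswith("dst."):
            continue  # in the output above, only dst.* rows have drop counters
        dropped = counters.get("dropped", 0)
        stored = counters.get("stored", 0)  # messages still queued for sending
        if dropped or stored:
            problems.append((instance, dropped, stored, counters.get("processed", 0)))
    return problems

if __name__ == "__main__":
    for server, dropped, stored, processed in forwarding_problems(parse_stats(SAMPLE)):
        print(f"{server}: dropped={dropped} stored={stored} processed={processed}")
```
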

 

In PAN-OS 6.0 and later, the debug log-receiver statistics command displays the details of external log forwarding statistics, as seen in the output below.

 

> debug log-receiver statistics
 
Logging statistics
------------------------------ -----------
Log incoming rate:             1/sec
Log written rate:              1/sec
Corrupted packets:             0
Corrupted URL packets:         0
Logs discarded (queue full):   0
Traffic logs written:          529324
URL logs written:              9233
Wildfire logs written:         0
Anti-virus logs written:       1
Spyware logs written:          0
Attack logs written:           0
Vulnerability logs written:    8
Fileext logs written:          72
URL cache age out count:       2123
URL cache full count:          0
URL cache key exist count:     0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Log Forward count:             0
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
 
Summary Statistics:
Num current drop entries in trsum:0
Num cumulative drop entries in trsum:0
Num current drop entries in thsum:0
Num cumulative drop entries in thsum:0
 
External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog         346722         346722              0              0                        0
      snmp              0              0              0              0                        0
     email              0              0              0              0                        0
       raw         346735         346735              0              0                        0

 

The syslog connections, and the logs processed and forwarded to the syslog server, can be checked in the syslog-ng process log, syslog-ng.log, with the following command:

 

> tail follow yes mp-log syslog-ng.log

 


