Log Collector Setting Does Not Clear on the Palo Alto Networks Firewall
Issue
Once a Palo Alto Networks firewall is configured to forward logs to a Log Collector, the preference remains on the firewall even after the setup is changed to no longer use that Log Collector.
For example, a Palo Alto Networks device was connected to an M-100 Log Collector whose IP address was 10.128.18.55.
The following is the command output on the Palo Alto Networks device:
> show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
> Log Collector
'Log Collector log forwarding agent' is active and connected to 10.128.18.55
config Not Available Not Available 0 0 0
system Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
traffic 2014/07/10 17:49:05 2014/07/10 17:49:17 795511 795443 8286
hipmatch Not Available Not Available 0 0 0
> show log-collector preference-list
Log collector Preference List
Serial Number: 003001000638 IP Address: 10.128.18.55 IPV6 Address:
Then, the M-100 Log Collector was removed from the network without committing the changes to the Log Collector group. The Palo Alto Networks device was reconfigured to connect to a Panorama-VM whose IP address is 10.128.18.50, and there is no Log Collector in this setup. The Palo Alto Networks device still tries to connect to the M-100 Log Collector (10.128.18.55). This symptom persists even after rebooting the device.
The following are logs and command output on the Palo Alto Networks device:
> less mp-log ms.log
Jan 21 15:27:49 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:509): COMM: cannot connect. remote ip=10.128.18.55 port=3978 err=Connection refused(111) sock=14
Jan 21 15:27:49 Error: pan_lcsa_tcp_channel_setup(src_panos/lcs_agent.c:414): Could not get log collector local address for socket:0
> show log-collector preference-list
Log collector Preference List
Serial Number: 003001000638 IP Address: 10.128.18.55 IPV6 Address:
> show logging-status
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
> Log Collector
'Log Collector log forwarding agent' is active but not connected
config Not Available Not Available 0 0 0
threat Not Available Not Available 0 0 0
traffic Not Available Not Available 0 409746 0
hipmatch Not Available Not Available 0 0 0
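An added example (not part of the original article and not Palo Alto Networks tooling): a Python check that reads saved output of the three commands shown above and flags a preference-list entry the firewall is no longer connected to. The function names and the `expected_collectors` parameter are assumptions, and the sample text is constructed from the output in this article.

```python
import re

# Constructed sample input, modelled on the command output shown in this article.
PREFERENCE_LIST = """Log collector Preference List
Serial Number: 003001000638 IP Address: 10.128.18.55 IPV6 Address:
"""
LOGGING_STATUS = """> Log Collector
'Log Collector log forwarding agent' is active but not connected
traffic Not Available Not Available 0 409746 0
"""
MS_LOG = """Jan 21 15:27:49 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:509): COMM: cannot connect. remote ip=10.128.18.55 port=3978 err=Connection refused(111) sock=14
"""

PREF_RE = re.compile(r"Serial Number:\s*(\S+)\s+IP Address:\s*(\d+(?:\.\d+){3})")
CONN_RE = re.compile(r"forwarding agent' is active and connected to (\S+)")
FAIL_RE = re.compile(r"cannot connect\. remote ip=(\S+) port=(\d+) err=(.+?)\(\d+\)")


def parse_preference_list(text):
    """Return {ip: serial} for each collector in 'show log-collector preference-list'."""
    return {ip: serial for serial, ip in PREF_RE.findall(text)}


def find_stale_collectors(pref_text, status_text, ms_log_text, expected_collectors=()):
    """Flag preference-list entries that are unreachable or no longer intended.

    expected_collectors (hypothetical parameter): IPs the firewall should forward to.
    """
    prefs = parse_preference_list(pref_text)
    connected = set(CONN_RE.findall(status_text))
    failures = {}
    for ip, port, err in FAIL_RE.findall(ms_log_text):
        failures.setdefault(ip, set()).add(f"{err} (port {port})")
    findings = []
    for ip, serial in prefs.items():
        reasons = []
        if ip not in expected_collectors:
            reasons.append("not in intended collector list")
        if ip not in connected:
            reasons.append("agent not connected")
        reasons += sorted(f"ms.log: {e}" for e in failures.get(ip, ()))
        if reasons:
            findings.append({"ip": ip, "serial": serial, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_stale_collectors(PREFERENCE_LIST, LOGGING_STATUS, MS_LOG):
        print(f"{f['ip']} (serial {f['serial']}): " + "; ".join(f["reasons"]))
```

An empty result after the cleanup in the Resolution section means the preference list no longer holds an unreachable or unintended collector.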
Resolution
Run the following CLI commands on the Palo Alto Networks firewall to delete the Log Collector preference list:
- Delete the Log Collector preference list:
> delete log-collector preference-list
- Restart the management server:
> debug software restart management-server
owner: ymiyashita