Palo Alto Networks Knowledgebase: Log Collector Setting Does Not Clear on the Palo Alto Networks Firewall

Log Collector Setting Does Not Clear on the Palo Alto Networks Firewall

15573
Created On 02/07/19 23:48 PM - Last Updated 02/07/19 23:48 PM
Cortex Data Lake Panorama
Resolution

Issue

Once Palo Alto Networks firewall is configured to forward logs to a Log Collector, the preference remains on the firewall even after the setup is changed to not use that Log Collector.

For example, a Palo Alto Networks device was connected to M-100 Log Collector which IP address was 10.128.18.55.

The followings are the command output on Palo Alto Networks device.

> show logging-status

-----------------------------------------------------------------------------------------------------------------------------

      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded

-----------------------------------------------------------------------------------------------------------------------------

> CMS 0

        Not Sending to CMS 0

> CMS 1

        Not Sending to CMS 1

> Log Collector

'Log Collector log forwarding agent' is active and connected to 10.128.18.55

    config         Not Available         Not Available                        0                   0                        0

    system         Not Available         Not Available                        0                   0                        0

    threat         Not Available         Not Available                        0                   0                        0

   traffic   2014/07/10 17:49:05   2014/07/10 17:49:17                   795511              795443                     8286

  hipmatch         Not Available         Not Available                        0                   0                        0

> show log-collector preference-list

Log collector Preference List

Serial Number: 003001000638 IP Address: 10.128.18.55 IPV6 Address:

Then, the M-100 Log Collector was taken away from the network without committing the changes to Log Collector group. The setting of Palo Alto Networks device was changed to connect to Panorama-VM which IP address is 10.128.18.50 and there's no Log Collector in this case. The Palo Alto Networks device still tries to connect to the M-100 Log Collector (10.128.18.55). This symptom persists even after rebooting the device.

The following are logs and command output on Palo Alto Networks device:

> less mp-log ms.log

Jan 21 15:27:49 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:509): COMM: cannot connect. remote ip=10.128.18.55 port=3978 err=Connection refused(111) sock=14

Jan 21 15:27:49 Error: pan_lcsa_tcp_channel_setup(src_panos/lcs_agent.c:414): Could not get log collector local address for socket:0

> show log-collector preference-list

Log collector Preference List

Serial Number: 003001000638 IP Address: 10.128.18.55 IPV6 Address:

> show logging-status

-----------------------------------------------------------------------------------------------------------------------------

      Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded

-----------------------------------------------------------------------------------------------------------------------------

> CMS 0

        Not Sending to CMS 0

> CMS 1

        Not Sending to CMS 1

> Log Collector

'Log Collector log forwarding agent' is active but not connected

    config         Not Available         Not Available                        0                   0                        0

    threat         Not Available         Not Available                        0                   0                        0

   traffic         Not Available         Not Available                        0              409746                        0

  hipmatch         Not Available         Not Available                        0                   0                        0

Resolution

Run following CLI commands on the Palo Alto Networks firewall to delete the Log Collector preference list:

  1. Delete the Log Collector preference list:
    > delete log-collector preference-list
  2. Restart the management server:
    > debug software restart management-server

owner: ymiyashita



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt9CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language