Palo Alto Networks Knowledgebase: What can Cause a Device to not Generate Traffic Logs

Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM
Resolution

Overview

There can be certain conditions where the device is passing traffic but no logs are generated. This article discusses the troubleshooting steps that can be performed to isolate the issue.


In order to generate traffic logs, there must be traffic passing through the device that matches a rule with logging configured. It is recommended to use the default 'log at session end', but in special cases or for troubleshooting it may be helpful to 'log at session start'. To verify that the session is correctly marked to be logged, gather the output of the following command and check for the line shown below it:

> show session id <id number>

session to be logged at end : True

 

Keep in mind that the session must end for a log to be generated, so if the session is always active there will be no log. If needed you can manually clear the session (clear session id <id number>) to generate a log event.

 

If the session is marked to be logged, the dataplane will send information on the session to the management plane (logrcvr) over an internal link (eth3.251). In order for the DP to open a socket, logrcvr must be listening on port 3012. This can be verified by running netstat in CLI:

> netstat listening yes numeric-ports yes

udp        0      0 *:3012                      *:*

 

While it is rare, there have been reports of internal link problems. The link can be verified by checking output of command:

> debug dataplane internal vif

linketh3.251@eth3: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue

link/ether 00:70:76:69:66:ff brd ff:ff:ff:ff:ff:ff

RX: bytes  packets  errors  dropped overrun mcast
2301374981 2604857  0       0       0       0

TX: bytes  packets  errors  dropped carrier collsns
1434       21       0       0       0       0

 

It is important to note the link is UP and that RX bytes/packets are incrementing.

 

Also, if the MTU of the management interface has been changed from 1500 to something smaller (e.g. 1400 or 1350), logs may not appear; only sessions made up of small packets (e.g. ping) will be logged.

 

If it appears logrcvr is receiving data from the DP and logs are still not seen there are some additional steps that can be taken.

 

Ensure the log counter is incrementing

> show counter global filter delta yes | match log

log_traffic_cnt    40431   134   info   log   system   Number of traffic logs

 

Check the status of logrcvr

> show system resources | match logrcvr

2493       20   0  276m  14m 1512 S    0  1.5  26:12.08 logrcvr

 

Restarting the daemon may resolve the problem. If this is an ongoing problem, please report it to support for further investigation.

> debug software restart log-receiver
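As an added example (not part of the article or of PAN-OS), the following Python script runs the checks described above over captured CLI output. The sample outputs are constructed to mirror the article's excerpts; the interface name eth3.251, UDP port 3012 and the counter name log_traffic_cnt are taken from the article, and the function names are the example's own.

```python
import re

# Constructed sample CLI output modelled on this article's excerpts (not captured from a real device).
SESSION_OUT = "Session  12345\n  session to be logged at end  : True\n"
NETSTAT_OUT = "udp        0      0 *:3012                      *:*\n"
VIF_T0 = ("eth3.251@eth3: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue\n"
          "    RX: bytes  packets  errors  dropped overrun mcast\n"
          "    2301374981 2604857  0       0       0       0\n")
VIF_T1 = VIF_T0.replace("2301374981 2604857", "2301399001 2604890")  # second sample, counters advanced
COUNTER_OUT = "log_traffic_cnt   40431   134   info   log   system   Number of traffic logs\n"

def session_logged_at_end(out):
    """True when 'show session id' reports the session will be logged at end."""
    return re.search(r"session to be logged at end\s*:\s*True", out) is not None

def logrcvr_listening(out):
    """True when netstat shows a UDP listener on port 3012 (logrcvr)."""
    return re.search(r"^udp\s+\d+\s+\d+\s+\S*:3012\s", out, re.M) is not None

def parse_vif(out):
    """Return (link_up, mtu, rx_bytes) for eth3.251 from 'debug dataplane internal vif' output."""
    head = re.search(r"eth3\.251@eth3:\s*<([^>]*)>\s+mtu\s+(\d+)", out)
    if head is None:
        raise ValueError("eth3.251 not present in output")
    flags, mtu = head.group(1).split(","), int(head.group(2))
    lines = out.splitlines()
    rx_bytes = None
    for i, line in enumerate(lines):
        if line.strip().startswith("RX:"):  # counter values sit on the line after the header
            rx_bytes = int(lines[i + 1].split()[0])
    return "UP" in flags, mtu, rx_bytes

def log_traffic_rate(out):
    """Return the rate column of log_traffic_cnt from 'show counter global ... delta yes' output."""
    m = re.search(r"^log_traffic_cnt\s+(\d+)\s+(\d+)", out, re.M)
    return int(m.group(2)) if m else 0

def diagnose(session_out, netstat_out, vif_t0, vif_t1, counter_out):
    """Run the article's checks over two vif samples plus the other outputs; False marks the step to investigate."""
    up0, mtu, rx0 = parse_vif(vif_t0)
    up1, _, rx1 = parse_vif(vif_t1)
    return {
        "session_marked_to_log": session_logged_at_end(session_out),
        "logrcvr_listening_3012": logrcvr_listening(netstat_out),
        "internal_link_up": up0 and up1,
        "internal_link_mtu_1500": mtu == 1500,
        "rx_counters_incrementing": rx1 > rx0,
        "log_traffic_cnt_incrementing": log_traffic_rate(counter_out) > 0,
    }
```

Capture each command's output from the device a few seconds apart for the two vif samples and pass them to diagnose(); any False result points at the corresponding step above.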

 

Please contact support if the above steps do not resolve your logging issue.

 

owner: sspringer



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmA4CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
