Firewall not sending logs to correct log collector

Created On 01/03/19 00:47 AM - Last Updated 02/20/19 03:27 AM


Symptom
When you run the command "show log-collector preference-list" on a firewall, the order of Log Collectors does not match what is configured on Panorama. As a result, the firewall sends logs to the incorrect Log Collector (LC) when multiple LCs reside on the preference list.

By default, the firewalls you assign in a list entry will send logs only to the primary (first) Log Collector as long as it is available. If the primary Log Collector fails, the firewalls send logs to the secondary Log Collector. If the secondary fails, the firewalls send logs to the tertiary Log Collector, and so on.

Example of output:
admin@Lab34-57-PA-5060> show log-collector preference-list

Forward to all: No
Log collector Preference List

Serial Number: 009201001688 IP Address: 10.46.33.179 IPV6 Address: unknown
Serial Number: 003001000746 IP Address: 10.46.32.114 IPV6 Address: unknown
Note:
003001000746 - Lab32-114-M-100 - 10.46.32.114
009201001688 - Lab33-179-M-100 - 10.46.33.179

The order is incorrect when compared to the Panorama GUI (Panorama > Collector Groups > Collector-Group-Name > Device Log Forwarding).
[Image: Log Forwarding Preference on Panorama]


Environment
  • Firewall
  • Panorama
  • Log-collector


Resolution
Steps to resolve the issue:
  1. On Panorama, remove the firewall from the preference list by unchecking the firewall (Panorama > Collector Groups > Collector-Group-Name > Device Log Forwarding > Log Forwarding Preferences > Devices)
[Image: Unchecked firewall]
  2. Commit to the local Panorama and push to the log-collector group
  3. Run the command "show log-collector preference-list" on the firewall and confirm that the preference list no longer exists on the firewall
admin@Lab34-57-PA-5060> show log-collector preference-list

Log collector Preference List does not exist
  4. Restart the log-receiver process on the firewall (Note: You will need to reconnect to the firewall management SSH/GUI after executing the command)
admin@Lab34-57-PA-5060> debug software restart process log-receiver
  5. Add the preference list back to the firewall by ticking the checkbox that was unchecked in Step 1.
[Image: Adding preference-list back to firewall]
  6. Confirm the list has been correctly updated on the firewall by running "show log-collector preference-list"
admin@Lab34-57-PA-5060> show log-collector preference-list

Forward to all: No
Log collector Preference List

Serial Number: 003001000746 IP Address: 10.46.32.114 IPV6 Address: unknown
Serial Number: 009201001688 IP Address: 10.46.33.179 IPV6 Address: unknown
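
The order check in steps 3 and 6 can be scripted when many firewalls need verifying. The following is an added example, not part of the original article or any Palo Alto Networks tooling: it parses pasted "show log-collector preference-list" output and compares the serial-number order with the order configured on Panorama. The function names and the hand-entered EXPECTED list are assumptions.

```python
import re

# One entry line of "show log-collector preference-list" output.
ENTRY = re.compile(r"Serial Number:\s*(\S+)\s+IP Address:\s*(\S+)")
NO_LIST = "Log collector Preference List does not exist"

# Outputs copied from the article: the symptom, step 3, and step 6.
BEFORE = """Forward to all: No
Log collector Preference List

Serial Number: 009201001688 IP Address: 10.46.33.179 IPV6 Address: unknown
Serial Number: 003001000746 IP Address: 10.46.32.114 IPV6 Address: unknown
"""
REMOVED = "Log collector Preference List does not exist\n"
AFTER = """Forward to all: No
Log collector Preference List

Serial Number: 003001000746 IP Address: 10.46.32.114 IPV6 Address: unknown
Serial Number: 009201001688 IP Address: 10.46.33.179 IPV6 Address: unknown
"""
# Assumption: order configured on Panorama, typed in by hand from the GUI.
EXPECTED = ["003001000746", "009201001688"]


def parse_preference_list(cli_output):
    """Return [(serial, ip), ...] in firewall order, or None if no list exists."""
    if NO_LIST in cli_output:
        return None
    return ENTRY.findall(cli_output)


def check_order(cli_output, expected):
    """Return (status, detail); status is "ok", "missing" or "mismatch"."""
    entries = parse_preference_list(cli_output)
    if not entries:  # list removed, or nothing recognisable in the paste
        return "missing", "no preference list entries on firewall"
    actual = [serial for serial, _ip in entries]
    if actual == list(expected):
        return "ok", "primary is %s" % actual[0]
    for pos, (want, got) in enumerate(zip(expected, actual), start=1):
        if want != got:
            return "mismatch", "position %d: expected %s, firewall has %s" % (pos, want, got)
    return "mismatch", "expected %d collectors, firewall has %d" % (len(expected), len(actual))


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("removed", REMOVED), ("after", AFTER)):
        print(name, check_order(text, EXPECTED))
```

A "mismatch" result on position 1 is the condition described under Symptom: the firewall's primary Log Collector is not the one Panorama lists first.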


Additional Information
  • Verify the firewall is forwarding logs 
admin@Lab34-57-PA-5060> show logging-status
  • Verify LC is receiving logs
admin@Lab33-179-M-100> show logging-status device <SN value>

