High volume of "Alert | Strata Logging Service Log Forwarding - HTTPS/Syslog server disconnected" alerts received.

Created On 02/07/22 06:33 AM - Last Modified 03/17/25 05:52 AM


Symptom


  • An unexpected number of email alerts for Log Forwarding App disconnections over HTTPS or Syslog is received.
  • The frequency of the alerts varies from a few per week to daily, depending on the type of issue.
  • Logs are received on the remote server as expected and no log loss is reported.
  • Example snippet of an email alert for an HTTPS server profile:

    The HTTPS server with uri: https://remote-server.customer.com/services/collector is not receiving logs due to the following error: "Connection reset".

    Please check that your HTTPS server is up and running, and check your config at the Cortex Hub (https://apps.paloaltonetworks.com).

    If you are still unable to receive the logs, please contact support by creating a case on our Customer Support Portal (CSP) : https://support.paloaltonetworks.com/

 


Environment


  • Strata Logging Service (formerly Cortex Data Lake)
  • Log Forwarding App
  • Status notification enabled


Cause


  • The alert is generated when Strata Logging Service is unable to reach the remote server.
  • If the remote server admin reports no loss of logs and log streaming is working, yet disconnection alerts keep arriving, ask the server admin to check for anything that causes intermittent connection problems (restarts, reloads, load balancer or TLS issues) on the server side.
  • No log loss is reported because Strata Logging Service retries and sends the buffered logs as soon as connectivity is restored.
  • If the connection fails because of an invalid response from the server end, a notification is generated every 60 minutes until connectivity is restored. This explains why an alert can be generated even though no logs are actually lost.


Resolution


  1. If there is no log loss and the alerts continue, the problem is on the server end and not in Strata Logging Service.
  2. Note down the timestamps of the email alerts received.
  3. Ask the server admin to check for any issues with the server response during the 60-minute window preceding each alert.
  4. If the high number of alerts is not desired and the server disconnection issues cannot be resolved, the log forwarding profile can be edited to remove the status notification as a workaround, provided the server end is already monitored for log loss.
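The Cause section states that a notification repeats every 60 minutes while the server stays unreachable, and the Resolution steps ask you to note the alert timestamps and check the server in that window. The following script is an added example (not Palo Alto Networks code) that does both: it parses the "uri: ... error: ..." line from alert bodies, collapses repeat notifications at roughly 60-minute spacing into single incidents so you can count distinct outages rather than emails, and then lists any server-side events that fall inside the 60-minute window before and during each incident. The alert bodies and server log lines are constructed samples; the server log layout, the 5-minute delivery slack, and the function names are assumptions.

```python
"""Group Strata Logging Service disconnection alerts into incidents and
correlate them with server-side events (added example, not vendor code)."""
import re
from datetime import datetime, timedelta

REPEAT_INTERVAL = timedelta(minutes=60)  # re-notification cadence stated in the article
SLACK = timedelta(minutes=5)             # assumed email delivery jitter

# Matches the alert text quoted in the article: 'uri: <url> ... error: "<reason>"'
ALERT_RE = re.compile(r'uri:\s*(\S+).*?error:\s*"([^"]+)"', re.S)

URI = "https://remote-server.customer.com/services/collector"

def _body(error):
    # Constructed alert body in the layout the article quotes
    return (f"The HTTPS server with uri: {URI} is not receiving logs "
            f'due to the following error: "{error}".')

# Constructed sample: (email received time, alert body). Three alerts about an
# hour apart are one outage; the fourth, two days later, is a separate one.
SAMPLE_ALERTS = [
    ("2025-03-10T01:02:00", _body("Connection reset")),
    ("2025-03-10T02:03:00", _body("Connection reset")),
    ("2025-03-10T03:01:00", _body("Connection reset")),
    ("2025-03-12T14:30:00", _body("Connection refused")),
]

# Constructed server-side events (assumed format: ISO timestamp, message)
SAMPLE_SERVER_EVENTS = [
    ("2025-03-10T00:40:00", "collector: listener restarted after config reload"),
    ("2025-03-11T09:00:00", "collector: scheduled certificate rotation"),
]

def parse_alert(received, body):
    """Extract the target URI and error reason from one alert body."""
    m = ALERT_RE.search(body)
    if not m:
        raise ValueError("alert body does not match the expected layout")
    return {"ts": datetime.fromisoformat(received), "uri": m.group(1), "error": m.group(2)}

def group_incidents(alerts):
    """Merge consecutive alerts for the same URI spaced <= 60 min (+ slack)
    into one incident, since each repeat is the same unresolved outage."""
    incidents, open_by_uri = [], {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        cur = open_by_uri.get(a["uri"])
        if cur and a["ts"] - cur["last"] <= REPEAT_INTERVAL + SLACK:
            cur["last"] = a["ts"]
            cur["count"] += 1
            cur["errors"].add(a["error"])
        else:
            cur = {"uri": a["uri"], "first": a["ts"], "last": a["ts"],
                   "count": 1, "errors": {a["error"]}}
            incidents.append(cur)
            open_by_uri[a["uri"]] = cur
    return incidents

def correlate(incidents, events, window=REPEAT_INTERVAL):
    """Attach server events from [first_alert - window, last_alert] to each incident."""
    parsed = [(datetime.fromisoformat(ts), msg) for ts, msg in events]
    for inc in incidents:
        lo, hi = inc["first"] - window, inc["last"]
        inc["server_events"] = [(ts.isoformat(), msg) for ts, msg in parsed if lo <= ts <= hi]
    return incidents

def analyze(alerts=SAMPLE_ALERTS, events=SAMPLE_SERVER_EVENTS):
    """Full pipeline: parse -> group -> correlate. Returns the incident list."""
    return correlate(group_incidents([parse_alert(ts, b) for ts, b in alerts]), events)

if __name__ == "__main__":
    for inc in analyze():
        print(f"{inc['uri']}: {inc['count']} alert(s) {inc['first']} .. {inc['last']} "
              f"errors={sorted(inc['errors'])}")
        for ts, msg in inc["server_events"] or [("-", "no server event in window")]:
            print(f"    {ts}  {msg}")
```

An incident with several repeat notifications but no matching server event is the pattern the article describes: the server is intermittently refusing or resetting connections and the logs are delivered once it recovers. Incidents whose window contains a restart, reload or certificate event give the server admin a concrete place to start.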


Additional Information


  • Check the Palo Alto Networks Cloud status page to confirm there was no widespread issue at the time.
  • If connectivity is completely broken, troubleshoot on the server end: verify the endpoint, port and certificate parameters to resolve the connectivity and SSL connection issues.
  • The following documents help identify the problem based on the error reported.

