Firewall is not sending logs to syslog with Syslog-ng log showing "Error resolving hostname"
6319
Created On 11/30/23 08:31 AM - Last Modified 12/01/23 16:05 PM
Symptom
- Syslog is not receiving logs from firewall
- Syslog-ng log showing "Error resolving hostname":
Nov 27 06:27:07 FWPA1 syslog-ng[24640]: Error resolving hostname; host='splunk-syslog-ghcc.splunk.example.com' Nov 27 06:27:07 FWPA1 syslog-ng[24640]: Initiating connection failed, reconnecting; time_reopen='5'
- dnsproxy.log showing "Failed to resolve domain name" for syslog hostname:
2023-11-29 10:48:19.383 +0000 Warning: pan_dnsproxy_log_resolve_fail(pan_dnsproxy_util.c:651): Failed to resolve domain name:splunk-syslog-ghcc.splunk.example.com AAAA after trying all attempts to name server(s): 10.250.0.1 10.250.0.2
- Ping to hostname works fine:
user@FWPA1> ping host splunk-syslog-ghcc.splunk.example.com PING splunk-syslog-ghcc.splunk.glblint.example.com (10.240.72.88) 56(84) bytes of data. 64 bytes from splunk-syslog-ghcc.splunk.glblint.example.com (10.240.72.88): icmp_seq=1 ttl=252 time=30.0 ms
Environment
- All platforms
- PANOS 9.1, 10.1.9 or before, 10.2.4 or before
Cause
- Caused by the software issue PAN-208210 where syslog config changes to the IP address or port number were not applied without restarting the management server.
Resolution
- Upgrade to 10.1.10 or later, 10.2.5 or later, 11.0.1 or later
The current available workaround is restarting the management server, with no impact expected in the dataplane:
> debug software restart process management-server
Additional Information
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-10-known-and-addressed-issues/pan-os-10-1-10-addressed-issues