Log forwarding from CDL to Splunk stops or intermittent flow

Log forwarding from CDL to Splunk stops or intermittent flow

4513
Created On 02/02/24 21:34 PM - Last Modified 10/24/24 19:33 PM


Symptom


  • Intermittent issue where Splunk did not receive logs from CDL
  • CDL Dashboard for log forwarding showed incomplete or intermittent flow

Environment


  • Firewall
  • Log Forwarding
  • CDL
  • Splunk

 

Cause


One or more causes lead to the issue where log forwarding stops occasionally. 

  • Unstable TCP connection between CDL and Splunk server
  • SSL/TLS issues due to certificate expiry or failed SSL negotiation between CDL and Splunk syslog server
  • If there any underlying issues of CDL backend which affects “Log forwarding mechanism” 

Resolution


There are many issues that could affect the log forwarding. Its important to investigate issues from both Splunk and CDL to maintain a stable connection. Here is a list of few examples 

  1. Ensure a stableTCP/SSL connection between Splunk and CDL. Unstable connection leads to loss of data where the mechanism may not be re-sending the lost syslog messages. 
  2. Ensure that the cert is valid 
  3. A network connectivity test will rule out one data point  

Additional Information


Strata Logging Service Forward Logs to a Syslog Server
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008Wx5CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language