Cortex Data Lake - Why is my Syslog server not receiving any logs from Cortex Data Lake?
Created On 12/28/20 22:13 PM - Last Modified 07/19/21 21:57 PM
Question
Why is my Syslog server not receiving any logs from Cortex Data Lake?
Environment
- Cortex Data Lake (CDL)
- Palo Alto Firewalls sending Logs to CDL
- CDL configured to forward Logs to multiple External Syslog Servers.
Cortex Data Lake Syslog forwarding:
- Three different Syslog servers are configured, and the same type of logs is sent to each of them
- One of the Syslog servers is not working
Answer
Scenario 1:
- Multiple Syslog server profiles are configured for forwarding the same type of logs.
- One of the Syslog servers is not reachable.
- In this case no logs are forwarded to any of the Syslog servers; none of them will receive logs. Log forwarding stays blocked until the server that is not working is removed.
- The forwarding job needs to be restarted by DEVOPS once the issue is addressed or the server profile is removed.
Scenario 2:
- Multiple Syslog server profiles are configured, each forwarding a different type of logs (Threat, Traffic, System, etc.).
- One of the Syslog servers is not reachable (for example, the one configured to forward Threat logs).
- The other servers continue to receive their logs, because each log type (topic) is forwarded by its own job thread.
- In this example, the Traffic and System logs continue to be forwarded because their Syslog servers are working.
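The two scenarios above follow from one rule: Cortex Data Lake runs one forwarding job per log type, and that job stalls if any server subscribed to that log type is unreachable. The following Python is an added example (not Palo Alto Networks code) that models this rule over a constructed profile configuration so you can see which log types stop flowing when a given server is down, plus a plain TCP probe for the configured servers; the host names and the port (6514, assumed for TLS syslog) are assumptions.

```python
# Added example, not from the KB article or Palo Alto Networks:
# models CDL syslog forwarding behaviour and probes server reachability.
import socket
from collections import defaultdict

# Constructed sample configurations: server -> set of log types it receives.
# Scenario 1: three servers, all receiving the same log types.
SCENARIO_1 = {
    "syslog-a.example.net": {"traffic", "threat", "system"},
    "syslog-b.example.net": {"traffic", "threat", "system"},
    "syslog-c.example.net": {"traffic", "threat", "system"},
}
# Scenario 2: each server receives a different log type.
SCENARIO_2 = {
    "syslog-a.example.net": {"threat"},
    "syslog-b.example.net": {"traffic"},
    "syslog-c.example.net": {"system"},
}


def forwarding_status(profiles, unreachable):
    """Return {log_type: set of servers still receiving it}.

    Rule from the KB: one forwarding job per log type (topic). If any server
    subscribed to a topic is unreachable, that topic's job is blocked and no
    server receives that log type until the failing profile is fixed/removed.
    """
    servers_by_topic = defaultdict(set)
    for server, topics in profiles.items():
        for topic in topics:
            servers_by_topic[topic].add(server)
    status = {}
    for topic, servers in servers_by_topic.items():
        # Any unreachable subscriber blocks the whole topic.
        status[topic] = set() if servers & unreachable else set(servers)
    return status


def unreachable_servers(profiles, port=6514, timeout=3.0):
    """TCP-probe each configured server; return the set that did not accept
    a connection. Port 6514 is an assumed TLS syslog port, adjust as needed."""
    down = set()
    for host in profiles:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            down.add(host)
    return down
```

Run `forwarding_status(profiles, unreachable_servers(profiles))` from a host with the same network path as the forwarder to see which log types are currently blocked by an unreachable server.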