How to check debug level for all daemons ?
Objective
How to check what level of logging is configured for all the services?
Environment
- Palo Alto Firewall only.
- Any PAN-OS ( for version 10.2 and later , there are changes in processes , please see Additional Information)
Procedure
- Following are the list of Logging levels
- info
- warn
- error
- debug
- dump
- normal
- The following command lists the logging level for all the services.
debug software logging-level show level service all-services
> debug software logging-level show level service all-services
masterd - s1.mp.2562-0 - info
sysdagent - s1.mp.2687-0 - info
plugin_api_server - s1.mp.2692-0 - info
dagger - s1.mp.2686-1 - info
ehmon - s1.mp.2742-0 - info
chasd - s1.mp.2743-1 - info
vm_agent - s1.mp.2691-3 - info
brdagent - s1.mp.2959-0 - info
crypto - s1.mp.3183-0 - info
comm - s1.mp.3328-28 - error
tund - s1.mp.3348-28 - info
bfd - s1.mp.3346-28 - info
sdwand - s1.mp.3345-28 - info
mprelay - s1.mp.3347-28 - info
dha - s1.mp.3384-28 - info
useridd - s1.mp.4245-1 - info
ha_agent - s1.mp.4551-1 - debug
l2ctrl - s1.mp.4550-0 - info
ifmgr - s1.mp.4548-0 - info
satd - s1.mp.4552-0 - info
pppoe - s1.mp.4556-0 - warn
dnsproxy - s1.mp.4555-0 - warn
rasmgr - s1.mp.4546-0 - info
dhcp - s1.mp.4554-0 - info
keymgr - s1.mp.4547-1 - info
varrcvr - s1.mp.4549-2 - info
sslmgr - s1.mp.4553-2 - info
logrcvr - s1.mp.4545-1 - info
routed - s1.mp.4557-1 - info
ikemgr - s1.mp.4544-1 - info
authd - s1.mp.4558-0 - debug
devsrvr - s1.mp.4242-3 - info
unknown - s1.mp.4775-2 - warn
snmpd - s1.mp.4573-0 - warn
satd - s1.mp.4552-2 - info
unknown - s1.mp.4875-2 - warn
unknown - s1.mp.4876-2 - warn
unknown - s1.mp.4874-2 - warn
web_backend - s1.mp.4508-2 - warn
mgmtsrvr - s1.mp.4290-0 - info
mgmtsrvr - s1.mp.4290-2 - info
unknown - s1.mp.15400-2 - info
unknown - s1.mp.15399-2 - info
sslvpn - s1.mp.15913-0 - info
sslvpn - s1.mp.15913-2 - info
unknown - s1.mp.13170-3 - error
- Certain services (like ha_agent and authd) are configured by default with debug logging level. Others (like dnsproxy and web_backend) are configured by default with warn logging level.
- To restore the logging level to default the following command works on most of the services listed above:
> debug software logging-level set level default service all-services
> debug management-server on info
> debug routing global on infoto check the debug level use:
> debug management-server show management-server debug:info Features: > debug routing global show sw.routed.runtime.debug.level: info
Note: Depending on the running PAN-OS version, the general command that restores all services to their default log level might change the log level for the "management-server" and "routed" daemon to debug. Make sure to issue the individual commands for those two daemons to revert them to their default log level, which is info.
Additional Information
The logging level normal is equivalent to info: some daemons will show logging level normal in the individual "show" command but info in the general/global "show" command.
Process has been renamed. With PAN-OS 10.2 all instances of masterd in the CLI were replaced with md.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/changes-to-default-behavior/changes-to-default-behavior-in-pan-os-10-2
Also starting with 10.2.x , appweb3(ssl-vpn) daemon has been replaced with gpsvc daemon due to internal architectural process changes.
There is also another daemon introduced which is gp_broker which facilitates gpsvc communication with certain PAN-OS daemons.