Syslog server is not receiving any logs from Prisma SaaS/Data Security.

Created On 01/24/25 04:12 AM - Last Modified 10/28/25 06:31 AM


Symptom


  • A syslog server has been configured in Prisma SaaS/Data Security to send logs to an external syslog server, following the documentation.
  • The configuration was successful, but the syslog server is not receiving any logs at all.
  • No errors are shown in Strata Cloud Manager or the Data Security management UI.


Environment


  • Prisma SaaS
  • Data Security/ CASB (Cloud Access Security Broker)


Cause


  • There can be multiple causes for this problem.
  • The upstream firewalls in front of the syslog server might not be allowing the Prisma SaaS public IPs.
  • The server might not be returning a TLS certificate in the connection, as required by Prisma SaaS.


Resolution


  1. Allow the Prisma SaaS IPs for the respective region on the syslog server network infrastructure.
  2. Configure the certificate on the server side to match the Prisma SaaS requirements as mentioned in this document.
  3. Check this article for general guidance on server-side certificate configuration.


Additional Information


  • If the ports are open to the syslog server from the Internet, the administrator can perform the following tests to validate whether the server returns the expected certificate.
  • If the ports are not open to the public Internet, the administrator can add a specific trusted IP and perform the test from there.
  • Example when the server does not return a TLS certificate:
    openssl s_client -connect x.x.x.x:1514
    Connecting to x.x.x.x
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available. <<<<<<<<<<<<<
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 299 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    This TLS version forbids renegotiation.
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
  • Example when the server does return a TLS certificate (in this condition, the server should receive the syslogs):
    # openssl s_client -connect x.x.x.x:1514
    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=1 C = US, ST = CA, L = San Francisco, O = Customer, CN = CustomerCommonCA, emailAddress = 
    verify error:num=19:self-signed certificate in certificate chain
    verify return:1
    depth=1 C = US, ST = CA, L = San Francisco, O = Customer, CN = CustomerCommonCA, emailAddress = 
    verify error:num=67:CA certificate key too weak
    verify return:1
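
The two transcripts above can be told apart mechanically, along with the firewall case where the TCP connection never completes. The following script is an added example, not part of the original article or any Palo Alto Networks tooling; the function names and the `timeout` wrapper are assumptions, and the refused-connection sample is constructed.

```shell
# Added example, not vendor code: classify `openssl s_client` output from a
# TLS syslog listener into the conditions this article distinguishes.

# Reads s_client output on stdin and prints one verdict:
#   NO_CONNECTION  TCP connect never completed (check the IP allow-list)
#   NO_CERT        connected, but the server sent no certificate
#   CERT_RETURNED  the server presented a certificate chain
#   UNKNOWN        none of the expected markers were found
classify_s_client() {
    out=$(cat)
    case $out in
        *'CONNECTED('*) ;;
        *) echo NO_CONNECTION; return 0 ;;
    esac
    case $out in
        *'no peer certificate available'*) echo NO_CERT ;;
        *depth=*|*'Certificate chain'*) echo CERT_RETURNED ;;
        *) echo UNKNOWN ;;
    esac
}

# Lists distinct "verify error" findings as "<num> <reason>" lines. They are
# the local openssl client's view of the chain, judged by its own trust store.
verify_errors() {
    sed -n 's/^[[:space:]]*verify error:num=\([0-9]*\):\(.*\)$/\1 \2/p' | sort -u
}

# Live check (assumes GNU coreutils `timeout`): check_listener HOST PORT
check_listener() {
    timeout 10 openssl s_client -connect "$1:$2" </dev/null 2>&1 | classify_s_client
}

# Samples abbreviated from the two transcripts in this article.
SAMPLE_NO_CERT='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 299 bytes'
SAMPLE_CERT='CONNECTED(00000003)
depth=1 C = US, ST = CA, L = San Francisco, O = Customer, CN = CustomerCommonCA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
verify error:num=67:CA certificate key too weak
verify return:1'
# Constructed sample: a refused connection never prints CONNECTED.
SAMPLE_BLOCKED='connect:errno=111'
printf '%s\n' "$SAMPLE_NO_CERT" | classify_s_client
printf '%s\n' "$SAMPLE_CERT" | verify_errors
```

A `NO_CONNECTION` verdict points at the allow-list cause, and `NO_CERT` at the server-side certificate configuration.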
    
    

