Secondary-Passive Panorama is forwarding logs to external server

• 2 Panoramas in a high availability (HA) is configured as Local Log Collector like this figure.
  
  For the detail : Multiple Log Collectors Per Collector Group
• In this deployment, Panorama is forwarding logs to external server, e.g. syslog server, even though HA status is Secondary-Passive.

• PAN-OS 10.0 or later.
• 2 Local Log Collectors are registered in a Collector Group. 
  
• Preference list is configured in LogCollector to forward logs from Firewall to Log Collectors. Secondary Panorama(LogCollector2) is registered above Panorama1. It indicates LogCollector2 is higher priority. 
• 
• Collector Log Forwarding is configured to forward logs to syslog server in Collector Group.
  
• Enabled Log Redundancy in Collector Group.

• A firewall will forward logs to only LogCollector as per the preference list.
• If two LogCollectors are configured in the list, only the LogCollector with a higher priority forwards syslogs.
• With this configuration, LogCollector2 should handle syslog LogForwarding, even if the status of Panorama is Secondary-Passive in HA.
• These CLI commands can be used to check which LogCollector is receiving the logs.

admin@PA-VM> show log-collector preference-list

Log Collector Preference List
Forward to all: No
Serial Number: 000XXXXXXX02 IP Address: 10.10.10.146 IPV6 Address: unknown   <<---!! LogCollector2 is higher priority
Serial Number: 000XXXXXXX01 IP Address: 10.10.10.6 IPV6 Address: unknown

admin@Panorama1(primary-active)> debug log-collector log-collection-stats show incoming-logs 


Detail counts by logtype:
traffic:0  <<---!! Not receiving logs
config:0
system:0
threat:0
.....

admin@Panorama2(secondary-passive)> debug log-collector log-collection-stats show incoming-logs

Last time logs received Wed Jan  3 18:38:20 2024

Incoming log rate =   1.00  <<---!! Receiving logs

Detail counts by logtype:
traffic:59  <<---!! 
config:0
system:0
threat:0
.....

• If you need  to forward logs from Primary-Active Panorama only, please modify the preference list.
• Palo Alto Networks recommends adding at least three Log Collectors to a Collector Group to avoid split brain and log ingestion issues should one Log Collector go down. For the reference : Caveats for a Collector Group with Multiple Log Collectors