Secondary-Passive Panorama is forwarding logs to external server
Created On 01/04/24 02:56 AM - Last Modified 01/18/24 00:53 AM
Symptom
- Two Panoramas in a high availability (HA) pair are each configured as a Local Log Collector, as shown in the figure. For details, see Multiple Log Collectors Per Collector Group.
- In this deployment, Panorama forwards logs to an external server (for example, a syslog server) even though its HA status is Secondary-Passive.
Environment
- PAN-OS 10.0 or later.
- Two Local Log Collectors are registered in one Collector Group.
- A preference list is configured in the Collector Group to control which Log Collector receives the firewall's logs. The secondary Panorama (LogCollector2) is listed above Panorama1 (LogCollector1), so LogCollector2 has the higher priority.
- Collector Log Forwarding is configured in the Collector Group to forward logs to a syslog server.
- Log Redundancy is enabled in the Collector Group.
Cause
- A firewall forwards its logs only to the Log Collector selected by the preference list: the highest-priority entry that is reachable (here, LogCollector2).
- Collector Log Forwarding to the syslog server is performed by the Log Collector that ingests the logs. When two Log Collectors are in the list, only the higher-priority one is ingesting, so only it forwards syslog.
- The Log Collector function runs independently of the Panorama HA role. With this configuration, LogCollector2 therefore handles the syslog forwarding even though its Panorama is Secondary-Passive in HA. This is expected behavior, not a fault.
- The following CLI commands show which Log Collector is receiving the logs.
From the firewall (PA-VM), confirm the preference-list order:
admin@PA-VM> show log-collector preference-list
Log Collector Preference List
Forward to all: No
Serial Number: 000XXXXXXX02
IP Address: 10.10.10.146
IPV6 Address: unknown          <<---!! LogCollector2 is higher priority
Serial Number: 000XXXXXXX01
IP Address: 10.10.10.6
IPV6 Address: unknown
From Panorama1 (primary-active):
admin@Panorama1(primary-active)> debug log-collector log-collection-stats show incoming-logs
Detail counts by logtype:
traffic:0                      <<---!! Not receiving logs
config:0
system:0
threat:0
.....
From Panorama2 (secondary-passive):
admin@Panorama2(secondary-passive)> debug log-collector log-collection-stats show incoming-logs
Last time logs received Wed Jan 3 18:38:20 2024
Incoming log rate = 1.00       <<---!! Receiving logs
Detail counts by logtype:
traffic:59                     <<---!!
config:0
system:0
threat:0
.....
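As an added check (example code written for this article, not a Palo Alto Networks tool), the following Python script parses the two command outputs above and reports which Log Collector is at the top of the preference list, which one is actually ingesting logs, and the HA role of the Panorama that will therefore perform Collector Log Forwarding. The sample outputs are constructed to match the figures above, with the same placeholder serial numbers and IP addresses; the serial-to-Panorama mapping is an assumption taken from the Environment section and must be adjusted for a real deployment.

```python
import re

# Constructed sample of 'show log-collector preference-list' (placeholders kept
# from the article; not real output from a live firewall).
PREFERENCE_LIST_OUTPUT = """\
Log Collector Preference List
Forward to all: No
Serial Number: 000XXXXXXX02
IP Address: 10.10.10.146
IPV6 Address: unknown
Serial Number: 000XXXXXXX01
IP Address: 10.10.10.6
IPV6 Address: unknown
"""

# Constructed per-Panorama samples of
# 'debug log-collector log-collection-stats show incoming-logs',
# keyed by the prompt shown in the article.
INCOMING_LOGS_OUTPUT = {
    "Panorama1(primary-active)": """\
Detail counts by logtype:
traffic:0
config:0
system:0
threat:0
""",
    "Panorama2(secondary-passive)": """\
Last time logs received Wed Jan 3 18:38:20 2024
Incoming log rate = 1.00
Detail counts by logtype:
traffic:59
config:0
system:0
threat:0
""",
}

# Assumed mapping from Log Collector serial to the Panorama hosting it
# (from the article's setup: LogCollector2 lives on the secondary Panorama).
SERIAL_TO_PANORAMA = {
    "000XXXXXXX02": "Panorama2(secondary-passive)",
    "000XXXXXXX01": "Panorama1(primary-active)",
}


def parse_preference_list(text):
    """Return (forward_to_all, serials in priority order) from the firewall output."""
    m = re.search(r"^Forward to all:[ \t]*(\w+)", text, re.M)
    forward_to_all = bool(m) and m.group(1).lower() == "yes"
    serials = re.findall(r"^Serial Number:[ \t]*(\S+)", text, re.M)
    return forward_to_all, serials


def parse_incoming_counts(text):
    """Return {logtype: count} from the 'Detail counts by logtype:' section."""
    counts = {}
    parts = text.split("Detail counts by logtype:", 1)
    if len(parts) == 2:
        for logtype, n in re.findall(r"^[ \t]*([a-z_-]+):(\d+)[ \t]*$", parts[1], re.M):
            counts[logtype] = int(n)
    return counts


def ha_role(panorama_name):
    """Extract the HA role from a prompt-style name such as 'Panorama2(secondary-passive)'."""
    m = re.search(r"\(([^)]+)\)", panorama_name)
    return m.group(1) if m else "unknown"


def analyse(pref_output, incoming_outputs, serial_map):
    """Correlate preference-list order with observed ingestion and the HA role."""
    forward_to_all, serials = parse_preference_list(pref_output)
    preferred = serial_map.get(serials[0], serials[0]) if serials else None
    ingesting = [name for name, out in incoming_outputs.items()
                 if sum(parse_incoming_counts(out).values()) > 0]
    role = ha_role(preferred) if preferred else "unknown"
    return {
        "forward_to_all": forward_to_all,
        "preferred": preferred,
        "ingesting": ingesting,
        "preferred_is_ingesting": preferred in ingesting,
        # The ingesting collector performs Collector Log Forwarding regardless
        # of its Panorama HA role; flag when that role is not primary-active.
        "forwarder_ha_role": role,
        "forwarded_by_passive": preferred is not None and role != "primary-active",
    }


if __name__ == "__main__":
    for key, value in analyse(PREFERENCE_LIST_OUTPUT, INCOMING_LOGS_OUTPUT,
                              SERIAL_TO_PANORAMA).items():
        print(f"{key}: {value}")
```

Run against the article's figures, the script reports that the preferred collector is Panorama2, that it is the only one ingesting, and that syslog forwarding is therefore being done from a Secondary-Passive Panorama. Feed it the real output of both commands (and your own serial mapping) to confirm the same thing on a live deployment before changing the preference list.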
Resolution
- If syslog forwarding must be performed by the Primary-Active Panorama only, reorder the preference list so that Panorama1 (LogCollector1) is listed first, then commit the change. The preference list, not the HA role, decides which Log Collector ingests and forwards the logs.
- Palo Alto Networks recommends at least three Log Collectors in a Collector Group to avoid split brain and log ingestion issues should one Log Collector go down. For reference, see Caveats for a Collector Group with Multiple Log Collectors.