Logs from Firewall are not forwarded to panorama when Cortex Data Lake is enabled

Created On 01/17/24 13:51 PM - Last Modified 08/20/24 03:46 AM


Symptom


  • Firewalls are configured to send logs to the Cortex Data Lake (CDL) logging service.
  • The logs are not seen on Panorama.
  • The logrcvr logs (less mp-log log-receiver.log) show continuous connection attempts to the Log Collectors and to CDL.
  • CDL log forwarding was used previously (the license has since expired) or has never been used in the customer environment.


Environment


  • Panorama managed Firewalls
  • PAN-OS 10.0+
  • Cortex Data Lake (CDL)
  • Log Collector


Cause


  • CDL is enabled on the Firewall while it is not in use or its license has expired, so logrcvr keeps retrying the CDL connection.
  • This setting can be verified on the Firewall using either of the following CLI commands.
    • Check the SDB setting:
> show system state | match cfg.lcaas.*
cfg.lcaas-enabled: True
    • Check the CDL status:
> request logging-service-forwarding status

Logging Service Licensed: No
Logging Service forwarding enabled: Yes
Duplicate logging enabled: No
Enhanced application logging enabled: Yes

The combination to look for is "Logging Service Licensed: No" together with "Logging Service forwarding enabled: Yes" (and cfg.lcaas-enabled: True in the SDB).
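To audit more than one firewall for this condition, the two CLI outputs above can be collected (for example over SSH) and checked offline. The following is an added example, not Palo Alto Networks' code: it parses captured output of "show system state | match cfg.lcaas.*" and "request logging-service-forwarding status" and reports the stale-CDL mismatch described in this article. The sample outputs are constructed from the article's excerpts; the "fixed" samples assume the values seen after the resolution below is applied.

```python
"""Detect the stale-CDL condition from captured PAN-OS CLI output.

Added example (not Palo Alto Networks' code). Assumes the text of
`show system state | match cfg.lcaas.*` and
`request logging-service-forwarding status` has already been collected
from each firewall and is passed in as plain strings.
"""

# Constructed sample: the article's own output for a firewall whose
# CDL license has expired while the forwarding flag is still set.
SAMPLE_SDB = "cfg.lcaas-enabled: True\n"
SAMPLE_STATUS = """Logging Service Licensed: No
Logging Service forwarding enabled: Yes
Duplicate logging enabled: No
Enhanced application logging enabled: Yes
"""

# Constructed sample (assumption): the same firewall after CDL was
# disabled and Duplicate Logging enabled, as in the resolution steps.
SAMPLE_SDB_FIXED = "cfg.lcaas-enabled: False\n"
SAMPLE_STATUS_FIXED = """Logging Service Licensed: No
Logging Service forwarding enabled: No
Duplicate logging enabled: Yes
Enhanced application logging enabled: No
"""

_BOOL_WORDS = {"yes": True, "no": False, "true": True, "false": False}


def parse_kv(text):
    """Turn 'Key: Value' CLI lines into a dict.

    Yes/No and True/False values become Python bools; anything else is
    kept as the stripped string. Lines without a colon are ignored.
    """
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        result[key.strip()] = _BOOL_WORDS.get(value.lower(), value)
    return result


def diagnose(sdb_text, status_text):
    """Return a list of findings; an empty list means the settings are consistent."""
    sdb = parse_kv(sdb_text)
    status = parse_kv(status_text)
    findings = []

    licensed = status.get("Logging Service Licensed", False)
    forwarding = status.get("Logging Service forwarding enabled", False)
    duplicate = status.get("Duplicate logging enabled", False)
    lcaas = sdb.get("cfg.lcaas-enabled", False)

    # The mismatch the article describes: forwarding on, licence gone.
    if forwarding and not licensed:
        findings.append(
            "CDL forwarding is enabled but the Logging Service is unlicensed; "
            "uncheck 'Enable Logging Service' under "
            "Device > Setup > Management > Cortex Data Lake"
        )
    # Same condition as recorded in the SDB.
    if lcaas and not licensed:
        findings.append(
            "SDB cfg.lcaas-enabled is True while unlicensed; logrcvr will keep "
            "retrying CDL and logs will not reach Panorama"
        )
    # The resolution also turns on Duplicate Logging; flag it if still off.
    if forwarding and not duplicate:
        findings.append(
            "Duplicate logging is disabled while forwarding to CDL; the "
            "resolution enables 'Enable Duplicate Logging'"
        )
    return findings


if __name__ == "__main__":
    for name, sdb, status in (
        ("before", SAMPLE_SDB, SAMPLE_STATUS),
        ("after", SAMPLE_SDB_FIXED, SAMPLE_STATUS_FIXED),
    ):
        problems = diagnose(sdb, status)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against the outputs of each managed firewall; any non-empty finding list identifies a device that needs the resolution below applied in its Panorama template.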

Resolution


  1. Disable CDL if it is enabled but not in use. In the GUI go to Device > Setup > Management > Cortex Data Lake, uncheck "Enable Logging Service", check "Enable Duplicate Logging", and commit.
  2. Restart the log-receiver process on the Firewall to refresh its connections:
> debug software restart process log-receiver
  3. Check the logging status again after a few minutes ("request logging-service-forwarding status" should now show forwarding disabled) and confirm that new logs arrive on Panorama.

Note: If the changes are made on Panorama, make them in the template that the firewall belongs to and push the configuration to the firewall.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XhW4CAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail