CDL forwards same record multiple times to syslog server

Created On 06/20/23 01:14 AM - Last Modified 01/05/24 02:15 AM


Symptom


CDL forwards the same record multiple times to the syslog server or to the email address set in the Log Forwarding Profile.

Environment


  • Palo Alto Firewalls
  • Cortex Data Lake
  • Syslog or emails


Cause


  • CDL transfers logs to the syslog server or email server in batches.
  • If any record in the batch fails to get an acknowledgement, CDL retries and sends the entire batch of associated records to syslog again.
  • This may cause duplicate records.


Resolution


This is expected behavior. It follows from the way CDL delivers records to a syslog or email server.
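A receiver-side way to handle the replayed batches described under Cause, as an added example that is not Palo Alto Networks code: it models a whole-batch resend after a missed acknowledgement and drops records whose exact bytes were already seen. The record format, the `ReplayFilter` and `deliver_with_retry` names, and the premise that a resent record is byte-identical to its first delivery are assumptions.

```python
import hashlib
from collections import OrderedDict


class ReplayFilter:
    """Drop records already seen among the last `capacity` distinct records."""

    def __init__(self, capacity=100_000):
        self.capacity = capacity
        self._seen = OrderedDict()  # digest -> None, oldest entry first

    def is_new(self, raw: bytes) -> bool:
        digest = hashlib.sha256(raw).digest()
        if digest in self._seen:
            self._seen.move_to_end(digest)  # keep recently replayed digests
            return False
        self._seen[digest] = None
        if len(self._seen) > self.capacity:
            self._seen.popitem(last=False)  # evict the oldest digest
        return True


def deliver_with_retry(batch, ack_fails_on_attempt, receiver):
    """Model of the behaviour above: if any record in a batch is not
    acknowledged, the entire batch is sent again. Returns the send count."""
    attempt = 0
    while True:
        for record in batch:
            receiver(record)
        if attempt not in ack_fails_on_attempt:
            return attempt + 1
        attempt += 1


# Constructed sample records (assumed format, not real CDL output).
BATCH = [
    b"<14>1 2023-06-20T01:14:00Z fw01 - - - - seq=1001 action=allow",
    b"<14>1 2023-06-20T01:14:00Z fw01 - - - - seq=1002 action=deny",
    b"<14>1 2023-06-20T01:14:01Z fw01 - - - - seq=1003 action=allow",
]


def run_demo():
    raw_store, deduped_store = [], []
    replay_filter = ReplayFilter(capacity=1000)

    def receiver(record):
        raw_store.append(record)  # what the collector actually receives
        if replay_filter.is_new(record):
            deduped_store.append(record)  # what detections should count

    sends = deliver_with_retry(BATCH, {0}, receiver)  # first ack is lost
    return sends, raw_store, deduped_store
```

Size `capacity` to cover more records than can arrive between a batch and its retry. Genuinely repeated identical messages inside that window are suppressed as well, so count-based alerting should key on the deduplicated store.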
