Syslog forwarding fails on multi-interface Log Collector
Created On 10/31/22 06:31 AM - Last Modified 10/21/24 19:52 PM
Symptom
The log collector has been deployed to use multiple interfaces.
- Syslog forwarding does not happen as configured
- Packet capture shows that the TCP session between the Log Collector (LC) and the SIEM is established
Environment
- PAN-OS 10.1
- Log Collector
- Multi-interface configuration
Cause
The IP addresses configured on the interfaces are in the same subnet.
Resolution
Review the IP addressing plan so that each interface has an IP address in its own subnet.
Local Log Collector
- Go to Panorama > Setup > Interfaces
- Click on the interface to edit the interface's IP address
- Update the IP address of the interface
  Note: 10.194.40.85/23 and 10.194.40.84/23 were in the same subnet. To resolve the issue, the IP address of the interface is changed to be in another subnet.
- Click OK
- Commit the configuration change
Dedicated Log Collector
- Go to Panorama > Managed Collector
- Click on the Log Collector
- Click on the Interfaces tab.
- Click on the interface to edit the interface's IP address.
- Update the IP address of the interface
  Note: 10.194.41.110/23 and 10.194.41.111/23 were in the same subnet. To resolve the issue, the IP address of the interface is changed to be in another subnet.
- Click OK
- Commit the configuration change
- Push to the Collector
Note: The syslog server must be reachable using the new IP address configured.
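The addressing plan can be checked for this condition before committing. The following is an added example, not code from the original article or from Palo Alto Networks. The interface labels and the corrected address 10.194.42.84/23 are constructed assumptions, and the check also covers interfaces with different prefix lengths, which goes beyond the /23 case described above.

```python
import ipaddress
from itertools import combinations

def find_subnet_conflicts(plan):
    """Return (iface_a, iface_b, shared_network) for every pair of
    interfaces whose directly connected subnets overlap.

    plan maps an interface label to its address in CIDR form.
    """
    parsed = {name: ipaddress.ip_interface(cidr) for name, cidr in plan.items()}
    conflicts = []
    for (a, ia), (b, ib) in combinations(sorted(parsed.items()), 2):
        if ia.version != ib.version:
            continue  # an IPv4 subnet never overlaps an IPv6 subnet
        if ia.network.overlaps(ib.network):
            # Report the wider of the two networks as the shared subnet.
            wider = ia.network if ia.network.prefixlen <= ib.network.prefixlen else ib.network
            conflicts.append((a, b, str(wider)))
    return conflicts

# Interface labels are hypothetical; the addresses are the ones quoted in the notes above.
LOCAL_BEFORE = {"mgt": "10.194.40.85/23", "eth1/1": "10.194.40.84/23"}
DEDICATED_BEFORE = {"mgt": "10.194.41.110/23", "eth1/1": "10.194.41.111/23"}
# Constructed corrected plan: the second interface moved to a different /23.
LOCAL_AFTER = {"mgt": "10.194.40.85/23", "eth1/1": "10.194.42.84/23"}
# Constructed edge case: a /24 nested inside the other interface's /23.
NESTED = {"mgt": "10.194.40.85/23", "eth1/1": "10.194.41.10/24"}

if __name__ == "__main__":
    plans = [("local before", LOCAL_BEFORE), ("dedicated before", DEDICATED_BEFORE),
             ("local after", LOCAL_AFTER), ("nested", NESTED)]
    for label, plan in plans:
        hits = find_subnet_conflicts(plan)
        if not hits:
            print(f"{label}: OK, each interface is in its own subnet")
        for a, b, net in hits:
            print(f"{label}: {a} and {b} share {net}")
```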