Panorama is unable to fetch the log from Strata Logging Service (SLS) or Cortex Data Lake (CDL)

Created On 01/10/23 02:03 AM - Last Modified 05/30/25 20:03 PM


Symptom


  • Error in /var/log/pan/logging-services-jobs.log:
    Error String  : No matching results found! Empty hits array in Response
  • Error in /var/log/pan/reportd.log:
    process_json_query_result: Cloud resp return empty hits array, no matching data found !!
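
One way to check both logs for these two signatures, as an added example that is not part of the original article or Palo Alto Networks code. It assumes copies of the two log files sit in one local directory; the function names, timestamps and non-matching sample lines are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes copies of both logs sit in one
# local directory; sample timestamps and non-matching lines are constructed.
JOBS_SIG='No matching results found! Empty hits array in Response'
REPORTD_SIG='Cloud resp return empty hits array, no matching data found'

# count_sig FILE SIGNATURE -> lines containing the fixed string (0 if the
# file is missing or nothing matches).
count_sig() {
    n=$(grep -c -F -- "$2" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# sls_empty_hits DIR -> "<jobs hits> <reportd hits> <verdict>"
sls_empty_hits() {
    jobs_log="$1/logging-services-jobs.log"
    rep_log="$1/reportd.log"
    jobs_n=$(count_sig "$jobs_log" "$JOBS_SIG")
    rep_n=$(count_sig "$rep_log" "$REPORTD_SIG")
    if [ ! -e "$jobs_log" ] && [ ! -e "$rep_log" ]; then
        verdict=logs-missing
    elif [ "$jobs_n" -gt 0 ] || [ "$rep_n" -gt 0 ]; then
        verdict=empty-hits-seen
    else
        verdict=clean
    fi
    echo "$jobs_n $rep_n $verdict"
}

# make_sample_logs -> temp dir holding constructed sample logs
make_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/logging-services-jobs.log" <<'EOF'
2023-01-10 02:01:07 job 41 query submitted
2023-01-10 02:01:09 Error String  : No matching results found! Empty hits array in Response
2023-01-10 02:03:12 Error String  : No matching results found! Empty hits array in Response
EOF
    cat > "$d/reportd.log" <<'EOF'
2023-01-10 02:01:09 process_json_query_result: Cloud resp return empty hits array, no matching data found !!
2023-01-10 02:04:30 report job finished
EOF
    echo "$d"
}

sample=$(make_sample_logs)
sls_empty_hits "$sample"         # 2 1 empty-hits-seen
sls_empty_hits "$sample/absent"  # 0 0 logs-missing
rm -rf "$sample"
```

A `logs-missing` verdict means neither file was found in the directory, which is different from `clean` (files present, no signature).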

 



Environment


  • Palo Alto Firewalls
  • Prisma Access Firewalls
  • Panorama
  • Cloud Services Plugin
  • Strata Logging Service


Cause


There are several possible reasons why the log does not appear on Panorama:

  • Duplicate logging is enabled on the firewalls, so the firewalls forward their logs both to the cloud and to the Log Collectors.
  • In some multi-tenant environments, the Panorama serial number is incorrectly mapped to the SLS instance.
  • Panorama is deployed in High Availability, and the two Panorama devices have not both been added to the SLS inventory.


Resolution


  1. Verify that the log is actually visible in the cloud.
    Log in to the Hub portal, then launch the SLS app.
    Go to the "Explore" tab and confirm that the log is present.

  2. Verify that the "Logging Service" license is valid.
    On the Panorama CLI, run the command:
> request license info

  3. Verify that the required ports are open so that Panorama can access the cloud. Refer to Activation-and-onboarding/planning/ports-and-fqdns.

  4. Verify that Panorama has the correct certificate and that connectivity with the cloud is OK.
    On the Panorama CLI, run the command:
> request plugins cloud_services logging-service status

  5. Verify the certificate details and status.
    On the Panorama CLI, run the command:
> show plugins cloud_services panorama-certificate status

  6. (Prisma Only) Verify that Panorama is fetching the information from the correct Tenant ID and that the response status is "success".
    On the Panorama CLI, run the command below. Then log in to the SLS web dashboard and verify that its Tenant ID matches the Tenant ID returned by the command.
> debug plugins cloud_services gpcs echo-test

  7. Verify that duplicate logging is not enabled on the firewalls.
    If duplicate logging is enabled, Panorama will not retrieve the log in SLS from the cloud. Panorama queries only for logs that are not duplicated, and this behaviour cannot be modified.
SELECT * FROM panw.traffic ORDER BY time_generated DESC WHERE ((( is_dup_log is MISSING ) OR ( is_dup_log = 0 )

  8. Verify on the SLS web portal, in the inventory section, that all the Panorama serial numbers are added, including those of the Primary and Secondary Panorama devices.

  9. Verify that the High Availability configuration on each Panorama in the HA pair contains the other peer's serial number.
    Panorama > High Availability > Setup > Peer HA Serial

 


Additional Information


Troubleshooting Admin Guide


