Unable to Save Syslog Server Profile with Error “Operation Failed: Node can be at most 2048 Characters”
Created On 03/21/23 19:16 PM - Last Modified 12/06/23 02:44 AM
Symptom
- Configure Syslog Server Profile
- Click "OK" after configuration.
- The error message "Operation Failed: Node can be at most 2048 Characters" is displayed
Example: the threat log format has a current length of 2344 characters, and the error message is displayed.
Environment
- Palo Alto Firewalls or Panorama
- PAN-OS 10.2.0
- Syslog Profile
Cause
- CEF custom log formats have been defined within the syslog server profile configuration
- The length of some of them has surpassed the number of characters supported (2048)
Resolution
Delete the non-printable characters from the CEF style format causing the issue.
- STEP 1. Identify the log type causing the issue. This can be found in the Operation Failed window received when trying to save the Syslog Server Profile configuration.
- STEP 2. In the Syslog Server Profile window, navigate to the Custom Log Format tab and look for the log type at hand. Click the log format area to edit it.
- STEP 3. In the Edit Log Format window copy the CEF custom log format and paste it in a text editor like Notepad++ or Sublime Text.
- STEP 4. Enable the text editor to show non-printable characters. When directly copying/pasting CEF log formats from PAN-OS integration PDF guides, it is common to see CR/LF characters appended to the end of each line.
The process to show non-printable characters is different between text editors. For Notepad++ navigate to View > Show Symbol > Show All Characters.
- STEP 5. Manually delete CR/LF characters using the text editor and paste the cleared output in the Edit Log Format window. Select OK to save changes, then select OK in the Syslog Server Profile window.
- STEP 6. If the issue persists after removing non-printable characters, delete some fields from the log format to keep reducing the length to less than 2048 characters.
In this example, the following fields were removed from Threat log:
PanDstEDL=$dst_edl PanGPHostID=$hostid PanEPSerial=$serialnumber PanSrcDAG=$src_dag PanDstDAG=$dst_dag PanHASessionOwner=$session_owner PanTimeHighRes=$high_res_timestamp PanASServiceType=$nssai_sst PanASServiceDiff=$nssai_sd
Refer to Syslog Field Descriptions for a description of each field, depending on the log type.
- STEP 7. Paste the cleared output in the Edit Log Format window. Select OK to save changes, then select OK in the Syslog Server Profile window. If the length of the CEF style format is under 2048 characters, the configuration should be saved with no errors.
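Steps 4 to 6 can also be checked offline before pasting the format back. The script below is an added example, not part of the original article or any Palo Alto Networks tool: it deletes CR/LF and other control characters, measures the result against the 2048-character limit from the error message, and drops the fields listed above one at a time until the format fits. The function names and the filler sample are assumptions made for illustration.

```python
import re
import unicodedata

NODE_LIMIT = 2048  # from the error text: "Node can be at most 2048 Characters"
# The pairs the article removed from its Threat log format, in the order listed.
PAGE_FIELDS = ("PanDstEDL=$dst_edl PanGPHostID=$hostid PanEPSerial=$serialnumber "
               "PanSrcDAG=$src_dag PanDstDAG=$dst_dag PanHASessionOwner=$session_owner "
               "PanTimeHighRes=$high_res_timestamp PanASServiceType=$nssai_sst "
               "PanASServiceDiff=$nssai_sd")
REMOVABLE = [pair.split("=")[0] for pair in PAGE_FIELDS.split()]

def strip_nonprintable(fmt):
    """STEP 5: delete CR/LF and any other control or format characters."""
    return "".join(ch for ch in fmt if unicodedata.category(ch)[0] != "C")

def drop_field(fmt, key):
    """STEP 6: remove one 'Key=$variable' pair and the whitespace before it."""
    return re.sub(r"\s*\b" + re.escape(key) + r"=\$\w+", "", fmt)

def fit_format(fmt, removable=REMOVABLE):
    """Clean the format, then drop removable keys in order until it fits.
    Returns (resulting format, keys removed); the caller checks the length."""
    fmt = strip_nonprintable(fmt)
    removed = []
    for key in removable:
        if len(fmt) <= NODE_LIMIT:
            break
        shorter = drop_field(fmt, key)
        if shorter != fmt:  # only record keys that were actually present
            removed.append(key)
            fmt = shorter
    return fmt, removed

def constructed_sample():
    """Constructed input, not a real PAN-OS format: filler pairs wrapped with
    CR/LF as if pasted from a PDF, followed by the article's removed fields."""
    lines = [" ".join(f"filler{i}=$field{i}" for i in range(n, n + 10)) + " "
             for n in range(0, 110, 10)]
    return "\r\n".join(lines + [PAGE_FIELDS]) + "\r\n"

if __name__ == "__main__":
    raw = constructed_sample()
    result, removed = fit_format(raw)
    print(f"raw={len(raw)} cleaned={len(strip_nonprintable(raw))} final={len(result)}")
    print("removed:", removed, "| fits:", len(result) <= NODE_LIMIT)
```

If the format is still over the limit after every listed key has been dropped, `fit_format` returns it as is, so check `len(result)` before pasting it into the Edit Log Format window.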
Additional Information
The information is documented in the CEF Configuration Guide.
Note: Starting with release 10.0, the log format documented for log types (Traffic, Threat, URL, Decryption) exceeds the maximum supported 2048 characters in the Custom Log Format tab on the firewall and Panorama. Please select the CEF keys and values to limit the number of characters to 2048 as per your requirements.