Log forwarding does not work if filtering settings are incorrect.
Created On 03/29/23 07:26 AM - Last Modified 11/07/23 03:04 AM
Symptom
- Syslog / SNMP trap / Email profiles are set in the log forwarding profile together with a filter configuration, but the device does not send logs to any forwarding server.
- logrcvr.log (less mp-log logrcvr.log) shows "log forwarding will not work".
2023-03-30 13:06:38.233 +0900 Error: _pan_log_query_parse_single_expr(pan_log_query.c:11780): no function available for fieldname IncorrectValue and op 0 for logtype 3
2023-03-30 13:06:38.233 +0900 Error: pan_log_query_parse_single_expr(pan_log_query.c:12576): failed to parse term: IncorrectValue eq informational first round, try address expansion
2023-03-30 13:06:38.234 +0900 Error: pan_log_query_parse_single_expr(pan_log_query.c:12589): pan_log_query_parse_single_expr, cannot find idx for IncorrectValue
2023-03-30 13:06:38.234 +0900 Error: pan_config_parse(pan_log_query.y:116): unable to parse single expr: IncorrectValue eq informational
2023-03-30 13:06:38.234 +0900 Error: pan_log_query_parse_nolock(pan_log_query.c:12881): Invalid operator eq for field IncorrectValue
.
.
2023-03-30 13:06:38.235 +0900 Error: pan_init_fsm_2(pan_log_handler.c:9483): Failed to add filter (logset eq 'LogForwardingTEST1') AND (vsys eq 'vsys1') AND ((IncorrectValue eq informational)) to query_grp_mgr
2023-03-30 13:06:38.236 +0900 Error: _logrcvr_fsm_init(pan_log_receiver.c:21003): FSM init failed. Log forwarding will not work
2023-03-30 13:06:38.236 +0900 after init FSM in _logrcvr_fsm_init(): fsm: (nil), grp_mgr: (nil), match_arr: (nil)
2023-03-30 13:06:38.236 +0900 Error: pan_log_config_phase1(pan_log_receiver.c:15042): could not initialize FSM, log forwarding will not work!
- In the output of the "debug log-receiver statistics" command, the counts in the External Forwarding stats section remain 0.
> debug log-receiver statistics
Logging statistics
------------------------------ -----------
Log incoming rate: 0/sec
Log written rate: 0/sec
Corrupted packets: 0
Corrupted URL packets: 0
Corrupted HTTP HDR packets: 0
Corrupted HTTP HDR Insert packets: 0
Corrupted EMAIL HDR packets: 0
Logs discarded (queue full): 0
Traffic logs written: 38
.
.
<output truncated>
.
.
External Forwarding stats:
Type        Enqueue Count  Send Count  Drop Count  Queue Depth  Send Rate(last 1min)
syslog      0              0           0           0            0
snmp        0              0           0           0            0
email       0              0           0           0            0
raw         0              0           0           0            0
http        0              0           0           0            0
autotag     0              0           0           0            0
quarantine  0              0           0           0            0
amqp        0              0           0           0            0
Environment
- PA-Series Next-Generation Firewall
Cause
- An incorrect or misspelled filter is set in the GUI under Objects > Log Forwarding > Log Forwarding Profile > Log Forwarding Profile Match List.
Resolution
Make sure the correct filters are selected for log forwarding. If necessary, use "Filter Builder" to create the filters.
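To find which filter term to correct, the logrcvr.log messages shown under Symptom can be parsed offline. The following is an added example, not Palo Alto Networks code: it assumes logrcvr.log has been exported to a host with Python, and that the logset value in the "Failed to add filter" message is the name of the Log Forwarding profile. The function name diagnose and the sample constant are hypothetical.

```python
import re

# Sample input: three of the logrcvr.log lines shown in the Symptom section.
SAMPLE_LOG = """\
2023-03-30 13:06:38.234 +0900 Error: pan_config_parse(pan_log_query.y:116): unable to parse single expr: IncorrectValue eq informational
2023-03-30 13:06:38.235 +0900 Error: pan_init_fsm_2(pan_log_handler.c:9483): Failed to add filter (logset eq 'LogForwardingTEST1') AND (vsys eq 'vsys1') AND ((IncorrectValue eq informational)) to query_grp_mgr
2023-03-30 13:06:38.236 +0900 Error: _logrcvr_fsm_init(pan_log_receiver.c:21003): FSM init failed. Log forwarding will not work
"""

BAD_TERM = re.compile(r"unable to parse single expr:\s*(.+?)\s*$")
BAD_FILTER = re.compile(r"Failed to add filter (.+) to query_grp_mgr")
LOGSET = re.compile(r"logset eq '([^']*)'")   # assumed: profile name
VSYS = re.compile(r"vsys eq '([^']*)'")
FATAL = re.compile(r"log forwarding will not work", re.IGNORECASE)


def diagnose(log_text):
    """Summarise filter-parse failures found in logrcvr.log text."""
    result = {"forwarding_broken": False, "bad_terms": [], "profiles": []}
    for line in log_text.splitlines():
        # The FSM init failure is what stops all external forwarding.
        if FATAL.search(line):
            result["forwarding_broken"] = True
        # The filter expression the parser rejected.
        m = BAD_TERM.search(line)
        if m and m.group(1) not in result["bad_terms"]:
            result["bad_terms"].append(m.group(1))
        # The full filter names the logset and vsys it belongs to.
        m = BAD_FILTER.search(line)
        if m:
            logset = LOGSET.search(m.group(1))
            vsys = VSYS.search(m.group(1))
            entry = (logset.group(1) if logset else None,
                     vsys.group(1) if vsys else None)
            if entry not in result["profiles"]:
                result["profiles"].append(entry)
    return result


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("forwarding broken:", report["forwarding_broken"])
    for term in report["bad_terms"]:
        print("unparseable filter term:", term)
    for logset, vsys in report["profiles"]:
        print("affected logset / vsys:", logset, "/", vsys)
```

The reported term and logset identify which Match List entry to fix in the Log Forwarding profile.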