Log Forwarding to Cortex Data Lake does not work due to a filter setting containing line break.
Created On 10/05/22 09:01 AM - Last Modified 11/17/25 20:51 PM
Symptom
A Palo Alto Networks firewall does not forward logs to Cortex Data Lake, even though its connection to Cortex Data Lake is established.
admin@PA-VM> request logging-service-forwarding status
--- snip ---
Log Collector : RECEPTR04USSTG
Conn ID : lr-35.187.212.103-3
Connection IP : 35.187.212.103
Conn Source IP : lr - def
High speed mode : Disabled
Connection Status : lr - Active <<<---!!
DNS :
msg : Successfully resolved FQDN for connid (lr-35.187.212.103-3-def), IP (35.187.212.103)
status : success
timestamp : 2022/10/18 09:12:20
Registration :
msg : Successful registration with lr-35.187.212.103-3-def
status : success
timestamp : 2022/10/18 09:12:44
SSL :
msg : ssl channel established
status : success <<<---!!
timestamp : 2022/10/18 09:12:41
TCP :
msg : tcp connection established
status : success <<<---!!
timestamp : 2022/10/18 09:12:20
The following error messages can be seen in logrcvr.log.
2022-10-05 09:22:06.577 +0900 reset FSM in _logrcvr_fsm_init(): fsm: 0x(nil), grp_mgr: 0x(nil), match_arr: 0x(nil)
2022-10-05 09:22:06.577 +0900 Initializing FSM and query group for pos: 0...
2022-10-05 09:22:06.578 +0900 constructed FSM 'query-fsm-0' @ 0x563bdcebeb40
2022-10-05 09:22:06.578 +0900 Error: pan_config_parse(pan_log_query.y:69): Error parse expr
2022-10-05 09:22:06.578 +0900 Error: pan_log_query_parse_nolock(pan_log_query.c:12818): syntax error at Logs
2022-10-05 09:22:06.578 +0900 Error: pan_log_query_parse_nolock(pan_log_query.c:12819): query: (All Logs )
2022-10-05 09:22:06.578 +0900 Error: _query_grp_mgr_add_lq_query_str(pan_query_grp.c:490): Error parsing query:(All Logs ) in grp_mgr:query-fsm-grp-mgr-0
2022-10-05 09:22:06.578 +0900 Error: pan_query_grp_mgr_add_query_str(pan_query_grp.c:599): Error adding lq query to query_grp_mgr:query-fsm-grp-mgr-0
2022-10-05 09:22:06.578 +0900 Error: pan_init_fsm_2(pan_log_handler.c:9427): Failed to add filter (All Logs ) to query_grp_mgr
2022-10-05 09:22:06.578 +0900 Error: _logrcvr_fsm_init(pan_log_receiver.c:20978): FSM init failed. Log forwarding will not work
2022-10-05 09:22:06.578 +0900 after init FSM in _logrcvr_fsm_init(): fsm: (nil), grp_mgr: (nil), match_arr: (nil)
2022-10-05 09:22:06.578 +0900 Error: pan_log_config_phase1(pan_log_receiver.c:15086): could not initialize FSM, log forwarding will not work!
Environment
Palo Alto Networks Firewalls forwarding logs to Cortex Data Lake.
Cause
A filter string in log-settings contains a line break, which causes a syntax error when the log query is parsed.
The following is a sample of the affected configuration output.
log-settings {
system {
match-list {
toCDL {
filter "All Logs <<<---!!
";
send-to-panorama yes;
}
}
}
}
Resolution
Remove the line break from the filter string.
GUI : DEVICE > Log Settings > <Log Settings Name>
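As an added example (not part of this article or of PAN-OS), a small Python check that scans a brace-format log-settings block for filter strings that contain a line break and reports their location, plus a helper that strips the break as the resolution above describes. The configuration text is a constructed sample modelled on the output shown above.

```python
import re

# Constructed sample (not from a real device): "toCDL" carries the broken
# filter with an embedded line break; "okFilter" is well-formed for comparison.
SAMPLE_CONFIG = '''log-settings {
  system {
    match-list {
      toCDL {
        filter "All Logs
";
        send-to-panorama yes;
      }
      okFilter {
        filter "All Logs";
        send-to-panorama yes;
      }
    }
  }
}
'''

# Tokenizer for the brace-format config: quoted strings (which may span
# lines), braces, semicolons and bare words.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\{)|(\})|(;)|([^\s{};"]+)')

def find_multiline_filters(config_text):
    """Return (path, value) for every `filter` whose quoted value spans more
    than one line; path is the enclosing block names joined with ' > '."""
    findings, stack, pending = [], [], []
    for m in _TOKEN.finditer(config_text):
        quoted, lbrace, rbrace, semi, word = m.groups()
        if lbrace:                      # the word before '{' names the block
            stack.append(pending[-1] if pending else '?')
            pending = []
        elif rbrace:
            if stack:
                stack.pop()
            pending = []
        elif semi:
            pending = []
        elif word:
            pending.append(word)
        elif quoted is not None:        # quoted value; flag it if it follows 'filter'
            if pending and pending[-1] == 'filter' and ('\n' in quoted or '\r' in quoted):
                findings.append((' > '.join(stack), quoted))
            pending = []
    return findings

def fix_multiline_filters(config_text):
    """Collapse line breaks and surrounding whitespace inside quoted filter values."""
    return re.sub(r'filter\s+"((?:[^"\\]|\\.)*)"',
                  lambda m: 'filter "%s"' % ' '.join(m.group(1).split()), config_text)
```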