UDP Syslog Forwarding not working
3815
Created On 07/16/24 18:25 PM - Last Modified 01/30/25 22:26 PM
Symptom
- Multiple Syslog server profiles are configured
- "FW-DMZ-SYSLOG" profile is used to forward logs to the concerned syslog server.
- Even though the log settings and filter concerned with the profile "FW-DMZ-SYSLOG" are correct, but the log forwarding still does not work.
<shared><log-settings><profiles><entry name="LogForward"><match-list><entry name="LogForward-traffic"><send-syslog><member>: FW-DMZ-SYSLOG
<shared><log-settings><profiles><entry name="LogForward"><match-list><entry name="LogForward-traffic"><log-type>: traffic
<shared><log-settings><profiles><entry name="LogForward"><match-list><entry name="LogForward-traffic"><filter>: All Logs
<shared><log-settings><profiles><entry name="LogForward"><match-list><entry name="LogForward-traffic"><send-to-panorama>: no
<shared><log-settings><profiles><entry name="LogForward"><match-list><entry name="LogForward-traffic"><quarantine>: no
- The firewall is not communicating with the syslog server configured over UDP.
- No Traffic was seen in packet capture/tcpdump.
- When running "debug log-receiver statistics" command under "External Forwarding stats" there is a 0 count for Syslog.
FW> debug log-receiver statistics
Logging statistics
------------------------------ -----------
Log incoming rate: 64/sec
Log written rate: 58/sec
......
External Forwarding stats:
Type Enqueue Count Send Count Drop Count Queue Depth Send Rate(last 1min)
syslog 0 0 0 0 0
snmp 0 0 0 0 0
email 0 0 0 0 0
raw 0 0 0 0 0
http 0 0 0 0 0
autotag 0 0 0 0 0
quarantine 0 0 0 0 0
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- Log-forwarding
- Syslog
Cause
- All the log forwarding goes through the FSM (finite state machine) to determine whether the forwarding should be done or not. The FSM evaluates all the filters defined in the log forward settings.
- If any of the filters is invalid, the FSM is not initialized hence no log forwarding will ever performed.
- The running-config contains an invalid config for log forwarding. The filter for "FW-SYSLOG" is incorrect. It should be "All Logs", not "All LogsFW".
<shared><log-settings><system><match-list><entry name="FW-SYSLOG"><send-syslog><member>: FW-SYSLOG
<shared><log-settings><system><match-list><entry name="FW-SYSLOG"><filter>: All LogsFW
<shared><log-settings><system><match-list><entry name="SYSTEM-SYSLOG"><send-syslog><member>: FW-DMZ-SYSLOG
<shared><log-settings><system><match-list><entry name="SYSTEM-SYSLOG"><filter>: All Logs
Resolution
- To edit the filter type go to " Device > Log Settings" > "System > click on "name". This will open a new window.
- In the new window go to "Filter" and select "ALL Logs"
- Commit the changes.
Additional Information
The following error messages are noticed in logrcvr.log (less mp-log logrcvr.log)
var/log/pan/logrcvr.log.old
-0700 Error: pan_log_query_parse_nolock(pan_log_query.c:13191): query: (All LogsFW)
-0700 Error: _query_grp_mgr_add_lq_query_str(pan_query_grp.c:490): Error parsing query:(All LogsFW) in grp_mgr:query-fsm-grp-mgr-0
-0700 Error: pan_query_grp_mgr_add_query_str(pan_query_grp.c:599): Error adding lq query to query_grp_mgr:query-fsm-grp-mgr-0
-0700 Error: pan_init_fsm_2(pan_log_handler.c:9499): Failed to add filter (All LogsFW) to query_grp_mgr
-0700 Error: _logrcvr_fsm_init(pan_log_receiver.c:21758): FSM init failed. Log forwarding will not work
-0700 after init FSM in _logrcvr_fsm_init(): fsm: (nil), grp_mgr: (nil), match_arr: (nil)
-0700 Error: pan_log_config_phase1(pan_log_receiver.c:15326): could not initialize FSM, log forwarding will not work!