Broker VM Syslog Collector Port Configuration Limitation
Created On 09/22/25 18:55 PM - Last Modified 09/22/25 19:07 PM
Symptom
- No errors were shown in the anubis log (logs -> anubis -> sensor.log). However, a further check of cloud_sync.log (located in the logs directory) for general applet issues showed the following error:
2025/07/29 16:36:20 | ERROR | sirius_client_http.py | 806701 | Failed to handle config response for applet anubis
Traceback (most recent call last):
File "/opt/zenith/common/utils/ufw_utils.py", line 55, in _run_ufw_command
return run_command_in_subprocess(cmd)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/zenith/common/utils/process_utils.py", line 84, in run_command_in_subprocess
raise e
common.utils.process_utils.ZenithSubprocessError: Command 'ufw allow anubis' returned non-zero exit status 1.
stderr: WARN: Skipping 'anubis': value too long for 'ports'
ERROR: Could not find a profile matching 'anubis'
stdout: N/A.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/zenith/common/utils/ufw_utils.py", line 55, in _run_ufw_command
return run_command_in_subprocess(cmd)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/zenith/common/utils/process_utils.py", line 84, in run_command_in_subprocess
raise e
common.utils.process_utils.ZenithSubprocessError: Command 'ufw allow anubis' returned non-zero exit status 1.
stderr: WARN: Skipping 'anubis': value too long for 'ports'
ERROR: Could not find a profile matching 'anubis'
stdout: N/A.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/zenith/zenith_cloud/sirius_client_http.py", line 412, in _handle_applets
self._handle_config_response(config_response, applet_name, is_node_state_changed)
File "/opt/zenith/zenith_cloud/sirius_client_http.py", line 494, in _handle_config_response
self._handle_applet_config(config_response, applet_name)
File "/opt/zenith/zenith_cloud/sirius_client_http.py", line 576, in _handle_applet_config
set_applet_conf(applet_name, applet_conf)
File "/opt/zenith/common/utils/applets_utils.py", line 329, in set_applet_conf
_allow_applet_bound_ports_in_ufw(applet_name, ports)
File "/opt/zenith/common/utils/applets_utils.py", line 507, in _allow_applet_bound_ports_in_ufw
update_app_ports(applet_name, ports)
File "/opt/zenith/common/utils/ufw_utils.py", line 85, in update_app_ports
allow_app(app_name)
File "/opt/zenith/common/utils/ufw_utils.py", line 45, in allow_app
_run_ufw_command(f'ufw allow {app_name}', app_name=app_name)
File "/opt/zenith/common/utils/ufw_utils.py", line 64, in _run_ufw_command
return _run_ufw_command(cmd, app_name=app_name, should_restart=False)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/zenith/common/utils/ufw_utils.py", line 65, in _run_ufw_command
raise UFWRunException(f'Failed to run ufw command, command {cmd} - exit code {e.returncode}\n'
common.utils.ufw_utils.UFWRunException: Failed to run ufw command, command ufw allow anubis - exit code 1
stdout:
stderr WARN: Skipping 'anubis': value too long for 'ports'
ERROR: Could not find a profile matching 'anubis'
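A triage check for the symptom above, as an added example that is not Palo Alto Networks code: it scans cloud_sync.log text for the ufw "value too long for 'ports'" warning and reports the timestamp and applet of each affected log record, counting repeated warnings within one chained traceback once. The sample log is constructed from the excerpt above, and the function name `find_port_limit_failures` is hypothetical.

```python
import re

# Constructed sample, modelled on the cloud_sync.log excerpt above.
SAMPLE_LOG = """\
2025/07/29 16:36:20 | ERROR | sirius_client_http.py | 806701 | Failed to handle config response for applet anubis
Traceback (most recent call last):
common.utils.process_utils.ZenithSubprocessError: Command 'ufw allow anubis' returned non-zero exit status 1.
stderr: WARN: Skipping 'anubis': value too long for 'ports'
ERROR: Could not find a profile matching 'anubis'
During handling of the above exception, another exception occurred:
stderr WARN: Skipping 'anubis': value too long for 'ports'
2025/07/29 16:37:20 | INFO | example.py | 806701 | constructed unrelated record
"""

# A record starts with "timestamp | LEVEL | ..."; traceback lines after it belong to it.
HEADER = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (\w+) \| ")
FAILED = re.compile(r"Failed to handle config response for applet (\S+)")
TOO_LONG = re.compile(r"Skipping '([^']+)': value too long for 'ports'")


def find_port_limit_failures(text):
    """Return one finding per log record whose traceback shows the ufw 'ports' overflow."""
    findings, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            failed = FAILED.search(line)
            current = {
                "time": head.group(1),
                "level": head.group(2),
                "applet": failed.group(1) if failed else None,
                "ufw_profile": None,
            }
            continue
        hit = TOO_LONG.search(line)
        # The warning repeats in each chained exception; record it once per record.
        if hit and current is not None and current["ufw_profile"] is None:
            current["ufw_profile"] = hit.group(1)
            findings.append(current)
    return findings


if __name__ == "__main__":
    for f in find_port_limit_failures(SAMPLE_LOG):
        print(f"{f['time']} applet={f['applet']} ufw_profile={f['ufw_profile']}: "
              "ufw rejected the profile because its 'ports' value is too long")
```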
Environment
Cortex XSIAM
Cortex XDR
Cause
The root cause was identified as a hard limit of 100 on the number of ports that can be configured for Syslog. The official documentation has since been updated:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Activate-Syslog-Collector
"A Syslog Collector configuration supports up to 100 ports."
Resolution
Ask the customer to reduce the number of configured Syslog ports so that the Syslog Collector configuration stays within the 100-port limit.
Additional Information
N/A