Latency observed in log transmission to the syslog server.
Created On 09/15/25 16:23 PM - Last Modified 01/29/26 03:16 AM
Symptom
- Delay of approximately 15 minutes in IP-User mapping propagation.
- Syslog queue depth has reached its max limit.
  - Run 'debug log-receiver param-tuning task-queue show' from the CLI to get the max queue depth.
  - Run 'debug log-receiver statistics' and, under the "External Forwarding stats:" section, find the current queue depth in "Queue Depth".
- Increased syslog drops observed.
  - Run 'debug log-receiver statistics' from the CLI several times and compare the 'Drop Count' for syslog under the "External Forwarding stats:" section.
  - Review logrcvr.log from the CLI (> less mp-log logrcvr.log) for the following error, indicating the log was dropped due to queue depth being zero.
    - LOGFWD: enqueue task to syslog taskq(q_depth 0), log dropped
- Syslog server unable to be reached.
  - Review logrcvr.log from the CLI (> less mp-log logrcvr.log) for the following error, indicating the firewall is unable to connect to a syslog server.
    - Error: _pan_syslog(pan_syslog.c:1727): error in SSL_connect
Environment
- Next Gen Firewalls
- PAN-OS: 11.x
- Syslog forwarding
Cause
- One of the syslog servers is down.
  - This causes the syslog queue to become full.
  - This also causes a delay in the logs being sent to the working syslog server.
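To check a saved copy of logrcvr.log for the two errors listed under Symptom and relate them to the cause above, a small triage script can count each signature. This is an added example, not Palo Alto Networks code; the function name, the verdict strings and the timestamp prefix on the sample lines are assumptions, and only the two error messages come from this article.

```python
import re
from collections import Counter

# Signatures quoted in this article. Assumption: the source line number
# after "pan_syslog.c:" can vary, so any number is accepted there.
QUEUE_DROP = re.compile(
    r"LOGFWD: enqueue task to syslog taskq\(q_depth (\d+)\), log dropped")
TLS_FAIL = re.compile(r"_pan_syslog\(pan_syslog\.c:\d+\): error in SSL_connect")

def triage(lines):
    """Count both signatures in logrcvr.log lines; return (counts, verdict)."""
    counts = Counter()
    for line in lines:
        drop = QUEUE_DROP.search(line)
        if drop:
            counts["queue_drop"] += 1
            if int(drop.group(1)) == 0:   # the q_depth 0 case the article shows
                counts["queue_drop_depth0"] += 1
        elif TLS_FAIL.search(line):
            counts["tls_connect_fail"] += 1
    if counts["tls_connect_fail"] and counts["queue_drop"]:
        verdict = "connect failures and queue drops: check for a down syslog server"
    elif counts["tls_connect_fail"]:
        verdict = "connect failures only: syslog server unreachable, no drops logged"
    elif counts["queue_drop"]:
        verdict = "queue drops only: no connect error logged in this file"
    else:
        verdict = "no matching errors"
    return counts, verdict

# Constructed sample lines: the messages are from the article, the
# timestamp prefix and the last line are made up for the example.
SAMPLE = """\
2025-09-15 16:01:02.101 -0700 Error:  _pan_syslog(pan_syslog.c:1727): error in SSL_connect
2025-09-15 16:01:02.350 -0700 LOGFWD: enqueue task to syslog taskq(q_depth 0), log dropped
2025-09-15 16:01:02.351 -0700 LOGFWD: enqueue task to syslog taskq(q_depth 0), log dropped
2025-09-15 16:01:03.000 -0700 unrelated informational line
""".splitlines()

if __name__ == "__main__":
    counts, verdict = triage(SAMPLE)
    print(dict(counts))
    print(verdict)
```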
Resolution
Remove/Fix the failing syslog server profile.
Additional Information
- Configure Syslog Monitoring
- Syslog Server Profile
- How To Troubleshoot Connection Failures To Syslog Servers