Increased Syslog Volume Observed After Upgrading to PAN-OS 11.1

Created On 01/07/26 11:40 AM - Last Modified 03/25/26 21:08 PM


Symptom


  • Syslog volume increases after upgrading to PAN-OS 11.1.
  • The number of TCP connections to the syslog server is higher than in previous versions.
  • Syslog traffic is dropped because the number of connections exceeds the value supported by the syslog server.


Environment


  • Next Gen Firewalls
  • PAN-OS 11.1.X or higher
  • External Syslog Servers


Cause


  • Syslog in PAN-OS 11.1.x has been improved compared to previous versions.
  • The number of connections to the syslog server is determined by the sdb cfg.logfwd.syslog-threads parameter.
  • This value sets the number of TCP connections between the firewall and the syslog server, and it applies per virtual system (VSYS).
  • Example:
    • The Palo Alto firewall is configured with six virtual systems.
    • The sdb cfg.logfwd.syslog-threads parameter is set to 6.
    • In this case, the firewall opens at most 36 connections to the syslog servers (6 virtual systems x 6 syslog threads).
  • Because of the increased number of threads, you may see a higher number of connections and more traffic.


Resolution


  1. Determine the number of connections supported by the external syslog server.
  2. Configure sdb cfg.logfwd.syslog-threads based on the number of virtual systems configured on the firewall, staying within the limits of the external syslog server.
  3. After adjusting the sdb cfg.logfwd.syslog-threads parameter, use the "debug log-receiver statistics" command to check whether there are any drops in syslog forwarding.
  4. If needed, increase the task-queue size as well.

Configuration:

  1. To display the configured syslog threads (per vsys):
    • debug log-receiver param-tuning syslog-threads show
  2. To configure the syslog threads (per vsys):
    • debug log-receiver param-tuning syslog-threads size XX >> (value between 1-16)
  3. To configure the task queue:
    • debug log-receiver param-tuning task-queue size XX >> (value between 2048-999999)


Additional Information


Test Scenario 1:

  • In the illustration below, there is one virtual system configured on the Palo Alto firewall.
  • The sdb cfg.logfwd.syslog-threads parameter is set to 2.
  • The firewall established two TCP connections towards the syslog server, as expected.
  • ( 1 Virtual System x 2 Logfw Syslog Thread = Max 2 TCP Connections )

Test Scenario 2:

  • In the illustration below, there are two virtual systems configured on the Palo Alto firewall.
  • The sdb cfg.logfwd.syslog-threads parameter is set to 2.
  • The firewall established four TCP connections towards the syslog server, as expected.
  • ( 2 Virtual System x 2 Logfw Syslog Thread = Max 4 TCP Connections )
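
The sizing rule above (virtual systems x syslog threads) can also be checked from the syslog server side. The following is an added example, not Palo Alto Networks code: it counts established TCP connections per firewall in `ss -tn` output and suggests the largest syslog-threads value that fits a connection budget. The sample output, IP addresses, port 514, and the budget of 30 are constructed assumptions, and the budget is treated as applying to one firewall.

```python
from collections import Counter

THREADS_MIN, THREADS_MAX = 1, 16  # range the article gives for syslog-threads

# Constructed sample of `ss -tn` output on a Linux syslog server (not from the article).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      198.51.100.5:514    192.0.2.10:41022
ESTAB  0      0      198.51.100.5:514    192.0.2.10:41023
ESTAB  0      0      198.51.100.5:514    192.0.2.10:41030
ESTAB  0      0      198.51.100.5:514    192.0.2.10:41031
ESTAB  0      0      198.51.100.5:22     192.0.2.77:50212
TIME-WAIT 0   0      198.51.100.5:514    192.0.2.10:40990
"""

def max_connections(vsys_count, syslog_threads):
    """Ceiling from the article: virtual systems x syslog threads."""
    return vsys_count * syslog_threads

def largest_safe_threads(vsys_count, server_conn_limit):
    """Largest syslog-threads value (1-16) that keeps vsys x threads within the
    limit; None if even one thread per vsys exceeds it."""
    threads = min(THREADS_MAX, server_conn_limit // vsys_count)
    return threads if threads >= THREADS_MIN else None

def established_per_peer(ss_output, syslog_port=514):
    """Count ESTAB connections to the local syslog port, keyed by peer IP."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # skips the header, TIME-WAIT and other states
        local, peer = fields[3], fields[4]
        if local.rsplit(":", 1)[1] == str(syslog_port):
            counts[peer.rsplit(":", 1)[0]] += 1
    return counts

def audit(ss_output, firewalls, server_conn_limit, syslog_port=514):
    """firewalls maps firewall IP -> (vsys_count, syslog_threads)."""
    seen = established_per_peer(ss_output, syslog_port)
    findings = {}
    for ip, (vsys, threads) in firewalls.items():
        ceiling = max_connections(vsys, threads)
        findings[ip] = {"observed": seen.get(ip, 0), "ceiling": ceiling,
                        "over_limit": ceiling > server_conn_limit,
                        "suggested_threads": largest_safe_threads(vsys, server_conn_limit)}
    return findings
```

Calling `audit(SAMPLE_SS, {"192.0.2.10": (2, 2)}, server_conn_limit=30)` reproduces Test Scenario 2: four observed connections against a ceiling of four.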


