: Verify Log Forwarding to Panorama
Focus
Focus

Verify Log Forwarding to Panorama

Table of Contents
End-of-Life (EoL)

Verify Log Forwarding to Panorama

Verify log forwarding to Panorama once you Configure Log Forwarding to Panorama or to the Cortex Data Lake to test that your configuration succeeded.
After you configure log forwarding to Log Collectors, managed firewalls open a TCP connection to all configured Log Collectors. These connections timeout every sixty (60) seconds and do not indicate that the firewall has lost connection to the Log Collectors. When you configure log forwarding to a local or Dedicated Log Collector over a supported ethernet interface, the firewall traffic logs show incomplete sessions despite the firewall being able to successfully connect to the Log Collectors. If you configure log forwarding over the management port, no traffic logs showing incomplete sessions are generated. Traffic logs showing incomplete sessions are generated by all firewalls except for the PA-5200 and PA-7000 series firewalls.
  1. Access the firewall CLI.
  2. If you configured Log Collectors, verify that each firewall has a log forwarding preference list.
    > show log-collector preference-list 
    If the Collector Group has only one Log Collector, the output will look something like this:
    Forward to all: No 
    Log collector Preference List 
    Serial Number: 003001000024 
    IP Address: 10.2.133.48 
    IPV6 Address: unknown 
  3. Verify that each firewall is forwarding logs.
    > show logging-status
    For successful forwarding, the output indicates that the log forwarding agent is active.
    • For a Panorama virtual appliance, the agent is Panorama.
    • For an M-Series appliance, the agent is a LogCollector.
    • For the Cortex Data Lake, the agent is Log CollectionService.. And the
      ‘Log Collection log forwarding agent’ is active and connected to <IP_address>.
  4. View the average logging rate. The displayed rate will be the average logs/second for the last five minutes.
    • If Log Collectors receive the logs, access the Panorama web interface, select PanoramaManaged Collectors and click the Statistics link in the far-right column.
    • If a Panorama virtual appliance in Legacy mode receives the logs, access the Panorama CLI and run the following command: debug log-collector log-collection-stats show incoming-logs
    This command also works on an M-Series appliance.