Download all logs to help you troubleshoot Prisma Access Agent issues.
Where Can I Use This?
- Prisma Access (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Panorama)
- NGFW (Managed by Panorama)

What Do I Need?
- Check the prerequisites for the deployment you're using
- Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
If you can't resolve Prisma Access Agent warnings or errors, you can remotely
download the Prisma Access Agent logs to help you troubleshoot and identify
the processes that triggered the issues on the agent.
The debug logging mechanism for the Prisma Access Agent collects debug logs
from critical Prisma Access Agent processes and maintains them on disk. You or
someone on the Palo Alto Networks team can use the logs to identify and fix problems
with the agent.
Log Locations
Prisma Access Agent logs are automatically generated and provide an audit trail
for any user activity on the agent and any change of state of the agent. The logs
are generated and sent to Strata Logging Service.
On the endpoint, the Prisma Access Agent logs are in the following
locations:
In addition, Prisma Access Agent log entries are available in other
locations:
On macOS, you can look in the system logs for Prisma Access Agent log
entries. Ensure you have admin privileges.
Issue the following command in a shell to show the system log entries within the last number of minutes:
log show --last <number>m
Issue the following command in a shell to show you the live system logs:
log stream
You can use the grep command to filter the logs.
On Windows, debug logs that are rated as Critical or Error are sent to the
Windows system event log, which you can access using the Event Viewer.
Log Filenames
You can conveniently generate the Prisma Access Agent logs using Manage > Prisma Access Agent in Strata Cloud Manager and download the log bundle to your computer
for analysis. This way, you don't have to physically access an end user's device,
and the end user does not have to manually collect the logs and send them to
you.
The logs that are collected reside in several folders in the log bundle. The logs
for macOS and Windows Prisma Access Agents are structured slightly
differently.
The following image shows an example of the macOS agent log bundle:
The following image shows an example of the Windows agent log bundle:
- Logs—A folder that contains the Prisma Access Agent system logs and user logs.
  - <user>—A folder that contains user-related Prisma Access Agent logs:
    - pachecker.log—Shows the agent management token activity
    - Pacli.log—Shows the command-line activity for the PACli tool
    - PAUI_<username>.log—Shows the activity for the Prisma Access Agent app
  - System—A folder that contains system-related Prisma Access Agent logs:
    - ADEM_install_<timestamp>.log and ADEM_uninstall_<timestamp>.log—Logs that show installation or uninstallation activity for the Autonomous DEM agent.
    - NetworkManager.log—Logs that show network activity with forwarding profile rule matches. When the log exceeds the maximum file size (10.5 MB), the log is rotated to a numbered log.
    - PACompliance.log—Logs for HIP compliance. When the log exceeds the maximum file size (14 KB), the log is rotated to a numbered log.
    - PAS.log—Logs for the Prisma Access Service (PASrv), which is the backend service for the Prisma Access Agent. When the log exceeds the maximum file size (10.5 MB), the log is rotated to a numbered log.
    - PrismaAccessAgentLog.etl—Event trace logs (Windows agents only). When the log exceeds the maximum file size (26.2 MB), the log is rotated to a numbered log.
    - remote-shell.log—Shows any remote session activity from a remote shell.
    - Upgrade_<timestamp>.log—Shows any upgrade activity for the agent.
- DEM—Autonomous DEM logs (if installed on the endpoint)
- Machine Info—Contains information about an endpoint, such as the firewall rules, system information, route table, net stat log, ipconfig log (Windows), installed applications log, DNS cache log, and user groups log.
  For the macOS agent, the Machine Info logs are merged under the Logs folder. For the Windows agent, the MSI Logs folder contains the agent installation logs.
- Pacli Output—Contains output files that a user generated using the PACli tool, such as the pacli_traffic_show.log, which shows the traffic forwarding rules in a forwarding profile, and the pacli_traffic_log.log, which shows the network connection (traffic routing) log. The Pacli Output folder also contains the logs for agent status (pacli_agent_status.log), agent management plane (EPM) status (pacli_epm_status.log), and tunnel information (pacli_tunnel.log).
Crash Dump Files
When critical executables crash on your operating system, crash dump files are
created. You can use development tools to analyze these files to pinpoint the exact
problem in the code.
On macOS, crash files are created in the
~/Library/Logs/DiagnosticReports folder. Crash
files with the following naming patterns are created:
PASrv-<yyyy-mm-dd-hhmmss>.ips
PASrv_<yyyy-mm-dd-hhmmss>_<hostname>.crash
On Windows, a crash dump file is created in the C:\ProgramData\Palo Alto Networks\Prisma Access Agent\Logs folder.
The crash dump file name typically has the following pattern:
PASrv.exe.<nnnn>.dmp
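The file names, rotation limits and Windows crash dump pattern described above can be checked against an extracted log bundle before analysis. The following is an added example, not Palo Alto Networks code: the function name inventory, the 90% "near rotation" cutoff, decimal units for the size limits, and the constructed sample folder and user names are assumptions.

```python
import fnmatch
from pathlib import Path

# (file name pattern, what the page says it records, rotation limit in bytes).
# Limits assume decimal units (1 MB = 10**6 bytes); the page gives only MB/KB.
KNOWN_LOGS = [
    ("pachecker.log", "agent management token activity", None),
    ("Pacli.log", "PACli command-line activity", None),
    ("PAUI_*.log", "Prisma Access Agent app activity", None),
    ("ADEM_install_*.log", "Autonomous DEM installation", None),
    ("ADEM_uninstall_*.log", "Autonomous DEM uninstallation", None),
    ("NetworkManager.log", "forwarding profile rule matches", 10_500_000),
    ("PACompliance.log", "HIP compliance", 14_000),
    ("PAS.log", "Prisma Access Service (PASrv)", 10_500_000),
    ("PrismaAccessAgentLog.etl", "event trace (Windows only)", 26_200_000),
    ("remote-shell.log", "remote shell session activity", None),
    ("Upgrade_*.log", "agent upgrade activity", None),
    ("PASrv.exe.*.dmp", "PASrv crash dump (Windows)", None),
]

def inventory(bundle_root, near=0.9):
    """Classify every file under an extracted bundle by the documented names."""
    root = Path(bundle_root)
    found, unrecognized = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        for pattern, meaning, limit in KNOWN_LOGS:
            if fnmatch.fnmatchcase(path.name, pattern):
                # Close to its limit: older entries have probably moved to a
                # rotated numbered log, which lands under "unrecognized".
                rotated = limit is not None and path.stat().st_size >= near * limit
                found.append({"file": rel, "records": meaning,
                              "near_rotation": rotated})
                break
        else:
            unrecognized.append(rel)
    seen = {entry["records"] for entry in found}
    missing = [pat for pat, meaning, _ in KNOWN_LOGS if meaning not in seen]
    return {"found": found, "unrecognized": unrecognized, "missing": missing}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample bundle
        for rel, size in [("Logs/System/PACompliance.log", 13_500),
                          ("Logs/alice/Pacli.log", 120)]:
            f = Path(tmp, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"x" * size)
        print(inventory(tmp))
```

Documented files listed under "missing" are not necessarily a fault: some appear only on Windows agents or only when Autonomous DEM is installed.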
Verbosity Level
The Prisma Access Agent logs are available in six levels of verbosity. You can
determine how much detail to include in the agent logs by specifying the verbosity
level. The following table shows the verbosity level of the agent logs, from the
least verbose to the most verbose. Each level contains all the levels of verbosity
that come before it.
| Verbosity Level | Description | Purpose | Example Entries |
|---|---|---|---|
| off | No debug logging occurs | N/A | N/A |
| critical | Only critical issues are logged | For errors that might be unrecoverable and require engineering or support attention | error while trying to run PASRV/PACLI; Cannot generate the HIP report |
| error | All error conditions are logged | For issues that might be fixable with IT support help, such as a misconfiguration of the agent | connect failed due to timeout; cannot get audit log entry {} |
| warn | All warnings and errors are logged | For errors that don't cause the agent to crash | error while reading from config_file, use default configuration; epm token rejected |
| info | All information messages are logged | For IT support | connect succeeded; Received upgrade command |
| debug | Debug logs (default verbosity level after installation) | For Prisma Access Agent Development | error while reading from config_file entry {}; OpswatUpdateStatusEvent received |
| trace | Trace logs | For Prisma Access Agent Development. Contains actual packets flowing from and to the agent. Highly verbose. | sending 200 bytes through tunnel; Sent(HTTP) 300 bytes to 1.1.1.1 |
The verbosity level is stored in the agent's local database and can be changed by
issuing the following command on the end user's device:
pacli loglevel set <trace | debug | info | warn | error | critical | off>
The change takes effect immediately. You can check the verbosity level by issuing the
following command:
pacli loglevel query
Prisma Access Agent Log Collection
In Manage > Prisma Access Agent, you can initiate an agent log download, which sends a request to the
Prisma Access Agent to fetch the logs. After the agent receives the
request, the agent will create a zip file containing all the logs and upload it to Manage > Prisma Access Agent. The end user does not need to find the logs and send them to the
administrator manually.
Complete the following steps to collect and download Prisma Access Agent log
files in Manage > Prisma Access Agent:
Set the verbosity level of the logs by running the following commands:
On macOS:
cd /Applications/Prisma\ Access\ Agent.app/Contents/Helpers
./pacli loglevel set <trace | debug | info | warn | error | critical | off>
On Windows:
cd "C:\Program Files\Palo Alto Networks\Prisma Access Agent"
pacli loglevel set <trace | debug | info | warn | error | critical | off>
The default verbosity level is debug.
For example, to change the verbosity level to trace on Windows, issue the following command:
cd "C:\Program Files\Palo Alto Networks\Prisma Access Agent"
pacli loglevel set trace
You can verify the verbosity level using the following command:
pacli loglevel query
Generate the Prisma Access Agent log files using Manage > Prisma Access Agent:
Select Manage > Prisma Access Agent.
(Optional) Set the Time Range for which
you want to view the data. You can select a preset time range or
customize the time range.
In the Devices table, scroll through the list to
find the device or search for a device.
Select the check boxes corresponding to the devices that you want to
work with. You can select up to 20 devices at a time.
The generate agent logs action is not available to administrators with the View Only
Administrator role.
In the confirmation dialog, click Yes to confirm
the generation of the agent logs.
The Jobs button appears or changes to indicate
that the agent logs generation job has been added to the queue.
If you generated the logs from the device details pane, you must
close the pane to see the Jobs button in the
Devices table.
To view the status of the agent logs generation, click
Jobs. The status of the job appears in the
Remote Jobs window.
The status descriptions are as follows:
Requested—The administrator has initiated the
request. The Prisma Access Agent has not yet acknowledged or
acted on the request.
Pending—The agent has received the request,
and is currently processing the request. The agent acknowledges the
receipt of the command.
Completed—The agent has processed the
request.
Failed—The agent was unable to complete the
request.
Upon completion of the job, click the Download
links to access the Prisma Access Agent logs. The download link
will expire in approximately 24 hours, after which you’ll have to
request a new download link by downloading the logs again. The agent
logs are saved to the download location on your computer.