: Move a Log Collector to a Different Collector Group
Focus
Focus

Move a Log Collector to a Different Collector Group

Table of Contents
End-of-Life (EoL)

Move a Log Collector to a Different Collector Group

M-700, M-600, M-500, M-300, M-200, and Panorama virtual appliances can have one or more Log Collectors in each Collector Group. You assign Log Collectors to a Collector Group based on the logging rate and log storage requirements of that Collector Group. If the rates and required storage increase in a Collector Group, the best practice is to Increase Storage on the M-Series Appliance or Configure a Collector Group with additional Log Collectors. However, in some deployments, it might be more economical to move Log Collectors between Collector Groups.
When a Log Collector is local to an M-700, M-600, M-500, M-300, or M-200 in Panorama mode, move it only if the appliance is the passive peer in a high availability (HA) configuration. HA synchronization applies the configurations associated with the new Collector Group. Never move a Log Collector that is local to the active HA peer.
In any single Collector Group, all the Log Collectors must run on the same Panorama model: all M-700 appliances, all M-600 appliances, all M-500 appliances, all M-300 appliances, all M-200 appliances, or all Panorama virtual appliances.
Log redundancy is available only if each Log Collector has the same number of logging disks. To add disks to a Log Collector, see Increase Storage on the M-Series Appliance.
  1. Remove the Log Collector from Panorama management.
    1. Select PanoramaCollector Groups and edit the Collector Group that contains the Log Collector you will move.
    2. In the Collector Group Members list, select and Delete the Log Collector.
    3. Select Device Log Forwarding and, in the Log Forwarding Preferences list, perform the following steps for each set of firewalls assigned to the Log Collector you will move:
      1. In the Devices column, click the link for the firewalls assigned to the Log Collector.
      2. In the Collectors column, select and Delete the Log Collector.
        To reassign the firewalls, Add the new Log Collector to which they will forward logs.
      3. Click OK twice to save your changes.
    4. Select PanoramaManaged Collectors and then select and Delete the Log Collector you will move.
  2. Configure a Collector Group.
    Add the Log Collector to its new Collector Group and assign firewalls to the Log Collector.
    When you push changes to the Collector Group configuration, Panorama starts redistributing logs across the Log Collectors. This process can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the PanoramaCollector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage.
  3. Configure Log Forwarding to Panorama for the new Collector Group you configured.
  4. Select CommitCommit and Push to commit your changes to Panorama and push the changes to device groups, templates, and Collector Groups if you have not already done so.