When you Plan a Log Collection Deployment, you assign Log Collectors to a Collector Group based on the logging rate and log storage requirements of that Collector Group. If the rates and required storage increase in a Collector Group, the best practice is to Increase Storage on the M-Series Appliance or Configure a Collector Group with additional Log Collectors. However, in some deployments, it might be more economical to move Log Collectors between Collector Groups.
The log data on a Log Collector becomes inaccessible after you remove it from a Collector Group. Also, you must perform a factory reset on the Log Collector before adding it to another Collector Group; a factory reset removes all configuration settings and logs.

When a Log Collector is local to an M-Series appliance in Panorama mode, move it only if the M-Series appliance is the passive peer in a high availability (HA) configuration. HA synchronization will restore the configurations that the factory reset removes. Never move a Log Collector when it’s local to an M-Series appliance that is the active HA peer.

All the Log Collectors in any particular Collector Group must be the same model, such as all M-100 appliances or all M-500 appliances.

Log redundancy is available only if each Log Collector has the same number of logging disks. To add disks to a Log Collector, see Increase Storage on the M-Series Appliance.
Move a Log Collector to a Different Collector Group
Step 1. Remove the Log Collector from Panorama management.
  1. Select Panorama > Collector Groups and select the Collector Group that contains the Log Collector you will move.
  2. Select the Device Log Forwarding tab and, in the Log Forwarding Preferences list, perform the following steps for each set of firewalls assigned to the Log Collector you will move:
     a. In the Devices column, click the link for the firewalls assigned to the Log Collector.
     b. In the Collectors column, select the Log Collector and click Delete. To reassign the firewalls, Add the new Log Collector to which they will forward logs.
     c. Click OK twice to save your changes.
  3. Select Panorama > Managed Collectors, select the Log Collector you will move, and click Delete.
  4. Click Commit, for the Commit Type select Panorama, and click Commit again.
  5. Click Commit, for the Commit Type select Collector Group, select the Collector Group from which you deleted the Log Collector, and click Commit again.

Step 2. Reset the Log Collector to its factory default settings.
  Do not interrupt the factory reset or reboot processes. Otherwise, you might render the M-Series appliance unusable.
  1. Log in to the CLI of the Log Collector.
  2. Enter the following CLI operational command:
       > debug system maintenance-mode
     The Log Collector takes approximately six minutes to reboot in maintenance mode.
  3. After the Log Collector reboots, press Enter to access the maintenance mode menu.
  4. Select Factory Reset and press Enter.
  5. Select Factory Reset and press Enter again. The factory reset and subsequent reboot take approximately eight minutes in total, after which the Log Collector won’t have any configuration settings or log data. The default username and password to log in to the Log Collector is admin/admin.

Step 3. Reconfigure the Log Collector.
  1. Perform Initial Configuration of the M-Series Appliance.
  2. Register Panorama and Install Licenses.
  3. Install Content and Software Updates for Panorama.
  4. Set up the M-Series Appliance as a Log Collector.

Step 4. Configure a Collector Group.
  Add the Log Collector to its new Collector Group and assign firewalls to the Log Collector. When you commit the Collector Group configuration, Panorama starts redistributing logs across the Log Collectors. This process can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Redistribution State column indicates the completion status of the process as a percentage.
