Verify Log Forwarding to Panorama

Verify log forwarding to Panorama once you Configure Log Forwarding to Panorama or to the Cortex Data Lake to test that your configuration succeeded.
After you configure log forwarding to Log Collectors, managed firewalls open a TCP connection to all configured Log Collectors. These connections timeout every sixty (60) seconds and do not indicate that the firewall has lost connection to the Log Collectors. When you configure log forwarding to a local or Dedicated Log Collector over a supported ethernet interface, the firewall traffic logs show
sessions despite the firewall being able to successfully connect to the Log Collectors. If you configure log forwarding over the management port, no traffic logs showing
sessions are generated. Traffic logs showing
sessions are generated by all firewalls except for the PA-5200 and PA-7000 series firewalls.
  1. If you configured Log Collectors, verify that each firewall has a log forwarding preference list.
    show log-collector preference-list
    If the Collector Group has only one Log Collector, the output will look something like this:
    Forward to all: No Log collector Preference List Serial Number: 003001000024 IP Address: IPV6 Address: unknown
  2. Verify that each firewall is forwarding logs.
    show logging-status
    For successful forwarding, the output indicates that the log forwarding agent is active.
    • For a Panorama virtual appliance, the agent is
    • For an M-Series appliance, the agent is a
    • For the Cortex Data Lake, the agent is
      Log CollectionService.
      . And the
      ‘Log Collection log forwarding agent’ is active and connected to
  3. View the average logging rate. The displayed rate will be the average logs/second for the last five minutes.
    • If Log Collectors receive the logs, access the Panorama web interface, select
      Managed Collectors
      and click the
      link in the far-right column.
    • If a Panorama virtual appliance in Legacy mode receives the logs, access the Panorama CLI and run the following command:
      debug log-collector log-collection-stats show incoming-logs
    This command also works on an M-Series appliance.

Recommended For You