Learn about the log filenames and locations that Prisma Access Agent
collects.
Where Can I Use This?
  Prisma Access (Managed by Strata Cloud Manager)
  Prisma Access (Managed by Panorama)
  NGFW (Managed by Panorama)
What Do I Need?
  Check the prerequisites for the deployment you're using
  Prisma Access Agent on macOS, Windows, or Linux
  Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
The debug logging mechanism for the Prisma Access Agent collects debug logs from
critical Prisma Access Agent processes and maintains them on disk. You or someone
on the Palo Alto Networks team can use the logs to identify and fix problems with the
agent. Learn about the log locations, log filenames, crash files, and the verbosity
levels you can optionally set to control the level of data that you want to collect.
You can use the remote log collection capability in the Endpoint Management page (Configuration > Endpoint Management) to remotely download agent logs without end user
action. For macOS and Windows devices, you can also start a remote shell session and collect all the agent
logs using the pacli getlogs command on the endpoint.
Log Locations
Prisma Access Agent logs are automatically generated and provide an audit
trail for any user activity on the agent and any change of state of the agent.
The logs are generated and sent to Strata Logging Service. Downloading
the agent logs from Configuration > Endpoint Management or running the pacli getlogs command on
the endpoint will gather the Prisma Access Agent logs into a log bundle
(.zip file).
On macOS, Windows, and Linux endpoints, the Prisma Access Agent logs are located in the following locations:
In addition, Prisma Access Agent log entries are available in other
locations:
On macOS, you can look in the system logs for Prisma Access Agent
log entries. Ensure you have admin privileges.
Issue the following command in a shell to show the system log entries
within the last number of
minutes:
log show --last <number>m
Issue the following command in a shell to show you the live system
logs:
log stream
You can use the grep command to filter the
logs.
On Windows, debug logs that are rated as Critical or Error are sent to
the Windows system event log, which you can access using the Event
Viewer.
Log Filenames
From the Endpoint Management
page (Configuration > Endpoint Management), you can conveniently generate the Prisma Access Agent logs and
download the log bundle to your computer for analysis. This way, you don't have
to physically access an end user's device, and the end user does not have to
manually collect the logs and send them to you.
You can also collect the logs by running the pacli getlogs
command either directly on the endpoint or through the remote shell.
The logs that Prisma Access Agent collects reside in several folders in the
log bundle. Depending on the operating system on the endpoint, the logs for Prisma Access Agent are structured slightly differently.
For instance, the following image shows an example of the macOS agent log
bundle:
The following image shows an example of the Windows agent log bundle:
The following are examples of logs in the Prisma Access Agent log bundle on
desktop devices.
DLP - Folder that contains Endpoint DLP logs (if enabled on the endpoint) (macOS and Windows agents only)
Logs - Folder that contains the Prisma Access Agent system logs and user logs.
  <user> - Folder that contains user-related Prisma Access Agent logs:
    pachecker.log - Shows the agent management token activity
    Pacli.log - Shows the command-line activity for the PACli tool
    PAUI_<username>.log - Shows the activity for the Prisma Access Agent app
  DEM - Autonomous DEM logs (if installed on the endpoint) (macOS and Windows agents only)
  System - Folder that contains system-related Prisma Access Agent logs:
    ADEM_install_<timestamp>.log and ADEM_uninstall_<timestamp>.log - Logs that show installation or uninstallation activity for the Autonomous DEM agent. (macOS and Windows agents only)
    NetworkManager.log - Logs that show network activity with forwarding profile rule matches. When the log exceeds the maximum file size (10.5 MB), the log is rotated to a numbered log.
    PACompliance.log - Logs for HIP compliance. When the log exceeds the maximum file size (14 KB), the log is rotated to a numbered log.
    PAS.log - Logs for the Prisma Access Service (PASrv), which is the backend service for the Prisma Access Agent. When the log exceeds the maximum file size (10.5 MB), the log is rotated to a numbered log.
    PrismaAccessAgentLog.etl - Event trace logs (Windows agents only). When the log exceeds the maximum file size (26.2 MB), the log is rotated to a numbered log.
    remote-shell.log - Shows any remote session activity from a remote shell. (macOS and Windows agents only)
    Upgrade_<timestamp>.log - Shows any upgrade activity for the agent.
Machine Info - Contains information about an endpoint, such as the firewall rules, system information, route table, net stat log, ipconfig log (Windows), installed applications log, DNS cache log, and user groups log. For the macOS agent, the Machine Info logs are merged under the Logs folder. For the Windows agent, the MSI Logs folder contains the agent installation logs.
Pacli Output - Contains output files generated using the PACli tool, such as the logs for agent status (pacli_status.log), agent manager status (pacli_epm_status.log), and tunnel information (pacli_tunnel.log). The Pacli Output folder also includes other logs such as pacli_traffic_show.log, which shows the traffic forwarding rules in a forwarding profile, and pacli_traffic_log.log, which shows the network connection (traffic routing) log.
Crash Files
When critical executables crash on your operating system, Prisma Access Agent
creates crash files. You can use development tools to analyze these files to
pinpoint the exact problem in the code. Crash files are not part of the log
bundle, but you can find the files in the following locations.
On macOS, crash files are created in the
~/Library/Logs/DiagnosticReports folder. Crash
files with the following naming patterns are created:
PASrv-<yyyy-mm-dd-hhmmss>.ips
PASrv_<yyyy-mm-dd-hhmmss>_<hostname>.crash
On Windows, a crash dump file is created in the
C:\ProgramData\Palo Alto Networks\Prisma Access
Agent\Logs folder. The name of the crash dump file
typically has the following naming pattern:
PASrv.exe.<nnnn>.dmp
On Linux, the core dump file is included in the
Dumps folder of the log bundle. The name of the
core dump file follows this naming pattern:
PASrv_core_<nnnn>.core.
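The naming patterns above are enough to inventory PASrv crash artifacts gathered from several endpoints and order the timestamped ones for incident review. The following Python example is added here and is not Palo Alto Networks code; it assumes <nnnn> is a run of digits and <hostname> contains no path separators, and the file names in SAMPLE are constructed.

```python
import re
from datetime import datetime

# Patterns transcribed from the crash-file naming conventions above.
# Assumptions: <nnnn> is a run of digits; <hostname> has no path separators.
_TS = r"(?P<ts>\d{4}-\d{2}-\d{2}-\d{6})"
CRASH_PATTERNS = [
    ("macos-ips", re.compile(rf"PASrv-{_TS}\.ips")),
    ("macos-crash", re.compile(rf"PASrv_{_TS}_(?P<host>[^/\\]+)\.crash")),
    ("windows-dmp", re.compile(r"PASrv\.exe\.(?P<n>\d+)\.dmp")),
    ("linux-core", re.compile(r"PASrv_core_(?P<n>\d+)\.core")),
]

def classify(path):
    """Return a dict describing a PASrv crash artifact, or None if no pattern matches."""
    name = re.split(r"[/\\]", path)[-1]  # accept POSIX or Windows paths
    for kind, rx in CRASH_PATTERNS:
        m = rx.fullmatch(name)
        if m is None:
            continue
        info = {"kind": kind, "file": name, **m.groupdict()}
        if "ts" in info:
            try:
                info["when"] = datetime.strptime(info["ts"], "%Y-%m-%d-%H%M%S")
            except ValueError:
                return None  # right shape, but not a real date and time
        return info
    return None

def timeline(paths):
    """Return (timestamped crashes oldest first, untimestamped dumps, unmatched paths)."""
    hits = [(p, classify(p)) for p in paths]
    dated = sorted((c for _, c in hits if c and "when" in c), key=lambda c: c["when"])
    undated = [c for _, c in hits if c and "when" not in c]
    unmatched = [p for p, c in hits if c is None]
    return dated, undated, unmatched

# Constructed sample file names (not taken from a real endpoint).
SAMPLE = [
    "/Users/alice/Library/Logs/DiagnosticReports/PASrv-2024-05-02-101530.ips",
    "/Users/alice/Library/Logs/DiagnosticReports/PASrv_2024-05-01-235959_mac-01.crash",
    r"C:\ProgramData\Palo Alto Networks\Prisma Access Agent\Logs\PASrv.exe.4312.dmp",
    "Dumps/PASrv_core_977.core",
    "Dumps/PASrv_core_977.core.txt",   # extra suffix: not a core dump name
    "PASrv-2024-13-40-999999.ips",     # pattern shape with an impossible date
]
```

Calling timeline(SAMPLE) returns the two macOS reports in chronological order, the Windows and Linux dumps as untimestamped entries, and the last two names as unmatched.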
Verbosity Level
(macOS, Windows, and Linux agents)
The Prisma Access Agent logs are available in six levels of verbosity.
You can determine how much detail to include in the agent logs by specifying the
verbosity level.
You can set the verbosity level by running the following commands on the
endpoint:
On macOS:
cd /Applications/Prisma\ Access\ Agent.app/Contents/Helpers
./pacli loglevel set <trace | debug | info | warn | error | critical | off>
On Windows:
cd "C:\Program Files\Palo Alto Networks\Prisma Access Agent"
pacli loglevel set <trace | debug | info | warn | error | critical | off>
On Linux:
pacli loglevel set <trace | debug | info | warn | error | critical | off>
You can ask the user to run the command or use
the remote shell to run the command
on behalf of the user.
The following table shows the verbosity level of the agent logs, from the least
verbose to the most verbose. Each level contains all the levels of verbosity that
come before it.
Columns: Verbosity Level, Description, Purpose, Example Entries
off
  Description: No debug logging occurs
  Purpose: N/A
  Example Entries: N/A
critical
  Description: Only critical issues are logged
  Purpose: For errors that might be unrecoverable and require engineering or support attention
  Example Entries:
    error while trying to run PASRV/PACLI
    Cannot generate the HIP report
error
  Description: All error conditions are logged
  Purpose: For issues that might be fixable with IT support help, such as a misconfiguration of the agent
  Example Entries:
    connect failed due to timeout
    cannot get audit log entry {}
warn
  Description: All warnings and errors are logged
  Purpose: For errors that don't cause the agent to crash
  Example Entries:
    error while reading from config_file, use default configuration
    epm token rejected
info
  Description: All information messages are logged
  Purpose: For IT support
  Example Entries:
    connect succeeded
    Received upgrade command
debug
  Description: Debug logs (default verbosity level after installation)
  Purpose: For Prisma Access Agent Development
  Example Entries:
    error while reading from config_file entry {}
    OpswatUpdateStatusEvent received
trace
  Description: Trace logs
  Purpose: For Prisma Access Agent Development. Contains actual packets flowing from and to the agent. Highly verbose.
  Example Entries:
    sending 200 bytes through tunnel
    Sent(HTTP) 300 bytes to 1.1.1.1
The verbosity level is stored in the agent's local database and can be changed by
issuing the following command on the end user's device:
pacli loglevel set <trace | debug | info | warn | error | critical | off>
The change takes effect immediately. You can check the verbosity level by issuing the
following command: