topic Re: Question Regarding Traffic Log DB Quota in General Topics

Question Regarding Traffic Log DB Quota

anzhari_p — Sat, 26 Jan 2013 04:58:43 GMT

On of our customer, BRI, they found a system alarm which said "traffic log database exceed alarm threshold". Here's the screenshot:

Here's the log quota settings on their box:

Here's their real disk usage:

The question is, what will happen if the traffic log db exceed its threshold? I know from PAN support that if the traffic db exceed tha quota, it will be purged, but I don't know by purged, does that means the whole db is deleted, or the oldest traffic log entry got deleted? Or is it the newest log entry that will got deleted, so there'll be no newer traffic log entry, and the logging stopped?

And by any chance, is it possible to export these log db outside? I managed to re-read the admin guide also and didn't seems to find any clue regarding these.

Thanks before. :smileygrin:

Re: Question Regarding Traffic Log DB Quota

sspringer — Sat, 26 Jan 2013 05:13:35 GMT

Hi,

The purging mechanism works as follows. The quota is checked each time a logdb file is rotated. If the quota threshold is violated then we start deleting logs starting from the oldest until the threshold is no longer exceeded. To see how often the logdb file is rotating, you can review the ms.log file for the following entry "Initing log file with version".

To answer the logdb export question: There is an option to export logs via ftp found in Device -> Scheduled Log Export

I hope this helps clear any doubts. Please let me know if I can help clarify further.

Cheers,

Stefan

Re: Question Regarding Traffic Log DB Quota

anzhari_p — Sat, 26 Jan 2013 07:27:48 GMT

Hi Stefan,

I've tried to export through Device -> Scheduled Log Export, and it seems that it only export the last day traffic log.

I intend to backup the whole log, from the very oldest. Is it possible to do that?

Re: Question Regarding Traffic Log DB Quota

sspringer — Sun, 27 Jan 2013 01:47:44 GMT

I was able to export the entire logdb on 5.0.2 successfully with the following command:

> scp export logdb to root@172.18.32.143:/root/logbackup/firewall-logs.tgz

Alternatively you can export each log type in csv format:

> scp export log traffic start-time equal 2013/01/12@00:00:00 end-time equal 2013/01/26@00:00:00 to root@172.18.32.143:/root/logbackup/logger.csv

root@172.18.32.143's password:

Marking log as exported successfully...

The downside to csv export is that a start and end time must be specified.

You can view the oldest log for each log type with command:

> show log traffic direction equal forward

Time App From Src Port Source

Rule Action To Dst Port Destination

Src User Dst User

===============================================================================

2013/01/13 14:10:55 web-browsing l3-trust 64728 172.18.39.146

webtraffic allow l3-dmz 8080 172.18.38.141

- Stefan

Re: Question Regarding Traffic Log DB Quota

mbutt — Mon, 28 Jan 2013 00:51:20 GMT

Hi,

Here is a good doc on the alarm you mentioned

https://live.paloaltonetworks.com/docs/DOC-2437

It also explains when the logs are purged

Hope this answers your question.

Thank you

Numan

Re: Question Regarding Traffic Log DB Quota

anzhari_p — Wed, 30 Jan 2013 02:54:01 GMT

Stefan,

What's the format of the exported log? Can it be viewed by a simple text editor? I managed to export some of the logdb and tried to open it, but the content seems like a binary files.

Re: Question Regarding Traffic Log DB Quota

sspringer — Wed, 30 Jan 2013 04:47:44 GMT

Hello,

The logs exported with 'scp export logdb' are stored using custom compression to help achieve efficient storage. While the logs cannot be viewed, the db can be imported into another PanOS system.

If it is required to export the logs and view them, I would recommend using the 'scp export log traffic' option. Alternatively, you could use the XML API to retrieve the logs in xml form. For more information on API(Section 2.8 Retrieving Logs):

Cheers,

Stefan