Traps logs question for Linux

L1 Bithead

Can anyone tell me where log files are generated and stored for Linux installations? We had an incident, and I'm not sure if this was due to excessive logging or not. Xinetd was blocked by default policy, which started on Friday afternoon. Today when we came in, one of the drives was full, although I'm not sure from what.

I used the /opt directory for the Traps installer, and there is now a directory in /opt named Traps with a bunch of folders. Only 5GB in space total.

Any assistance would be much appreciated. Using version 6.0.1.1475 for Linux installs.

 

Thank you

L0 Member

Re: Traps logs question for Linux

Use the command "cytool log collect", which should export the logs to a TGZ you can download.

/opt/traps/bin/cytool log collect
L1 Bithead

Re: Traps logs question for Linux

Thank you, thomaskoetsier. I guess my question was: do logs from blocked traffic or activity get logged in log files directly on the server, and if so, how large does the repository for logs get, or where is it? If it's only 5G, then I don't think the logs were the culprit. I wasn't looking to check logs at all; I was more curious how large this grows. No changes were made to any configuration of logs, etc., so whatever default values there are, that is what is set at the moment.

Thanks much!

L4 Transporter

Re: Traps logs question for Linux

@JasonFerris

The agent does not log/record blocked network connections. The quota for the folder that the logs are stored in is audited on an hourly basis.

L1 Bithead

Re: Traps logs question for Linux

@efrancis Does this go the same for blocked processes? Xinetd being blocked, would that have generated a ton of logs that are sitting directly on the server? Also, when you mention the quota for the folder that logs are stored in is audited hourly, does this mean there are logs on the server that do accumulate, or do you mean they are purged to a point after reaching a max size of xGB?

Thank you for the replies!

L4 Transporter

Re: Traps logs question for Linux

@JasonFerris

First, I would recommend reaching out to Palo Alto Endpoint support. They are a great team of engineers that can help determine any issues you may be facing. The quota part is for all of the Traps agent folders, which contain the logs. Normally the quarantine folder would be the culprit of space being taken up. Again, the support team can help answer these questions, and are available for a remote session, if you think that will resolve the issue faster.
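Added example, not from the thread or from Palo Alto Networks: a small POSIX shell script that ranks the agent's folders by on-disk usage, so you can see whether the quarantine folder or the log folder is what filled the drive, and checks the whole tree against a size limit the way the hourly quota check described above would. The /opt/traps install path is assumed from the poster's setup; pass another path as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread). Rank the immediate subdirectories of an
# agent install directory by disk usage (KiB), largest first, so the folder that
# is eating the disk (quarantine, logs, ...) stands out. Assumes /opt/traps.

# Print "<KiB> <dir>" for each immediate subdirectory, largest first.
rank_subdirs() {
    base="${1:-/opt/traps}"
    [ -d "$base" ] || { echo "no such directory: $base" >&2; return 1; }
    for d in "$base"/*/; do
        d="${d%/}"                 # strip trailing slash for clean output
        [ -d "$d" ] || continue    # glob did not match anything
        du -sk "$d"                # on-disk total for this folder in KiB
    done | sort -rn
}

# Name of the single largest subdirectory under $1: the likely culprit.
largest_subdir() {
    rank_subdirs "$1" | head -n 1 | awk '{print $2}'
}

# Return 0 if the whole tree under $1 uses at most $2 KiB, 1 if it exceeds it.
# This is a local check of the same idea as the agent's hourly quota audit.
within_quota_kb() {
    used=$(du -sk "$1" | awk '{print $1}')
    [ "$used" -le "$2" ]
}

# Usage:
#   rank_subdirs /opt/traps
#   largest_subdir /opt/traps
#   within_quota_kb /opt/traps $((5 * 1024 * 1024)) || echo "over 5 GiB"
```

The script only reads sizes; collecting the logs themselves is still done with `cytool log collect` as shown above.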
