Filtering the monitoring log fails endlessly

L1 Bithead

Filtering the monitoring log fails endlessly

Pretty often seemingly simple monitor filters seem to get our PA devices in an endless loop.

 

For example:

( rule eq management_services ) and !( addr.dst in a.b.c.d ) and ( app eq ms-sms )

 

will never succeed. The filtering starts running, shows a couple of matching results, the screen goes blank and it starts over indefinitely.

 

Please advise.

Community Team Member

Re: Filtering the monitoring log fails endlessly

Hi @mvdven,

 

Try doing a web UI debug to try and find some clues as to what is failing exactly:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Run-a-PAN-OS-Web-UI-Debug/ta-p/58117

 

Cheers!

-Kiwi.

L1 Bithead

Re: Filtering the monitoring log fails endlessly

Hi,

 

Thanks for the reply. The debug log is something I'm not experienced with so it'd take me hours if not days trying to understand what it may mean or tell me.

I've contacted our IT partner for this issue since we can't contact PA directly.

We've had this issue from the start and throughout all our updates in firmware 8.x.x.

The interesting part is where sometimes/occasionally 'the problem' was not consistently reproducible, suggesting a caching or memory issue? It typically happens when I want to dig through/evaluate policies if they should be split or created differently. So typically I'm doing multiple different filter queries in a single session / short amount of time. It just so feels like at some point 'something' becomes full/congested and just starts to deteriorate.

 

We have retentions set and several GBs of free space on the appliances. If executing a filter query doesn't require an excessive amount of disk space, there should be plenty of it to hold the results I'm trying to get out of it.

L1 Bithead

Re: Filtering the monitoring log fails endlessly

Shifting the allocated quotas for specific logs did not resolve the issue. Certain queries simply won't succeed. The PA stays in a loop trying to figure it out, never times out, never shows an error of any kind. At least this situation could use proper error handling: Out of memory? Out of temp table space?

L4 Transporter

Re: Filtering the monitoring log fails endlessly

Hi @mvdven,

 

I have the same issue: https://live.paloaltonetworks.com/t5/General-Topics/Traffic-Log-refreshs-is-broken-when-using-long-f...

I hoped updating to 8.x would resolve this issue (still pending) but obviously not.

We have the problem on a clustered PA-850 with PAN-OS 7.1.9 - what do you use?

 

Best Regards

Chacko

L1 Bithead

Re: Filtering the monitoring log fails endlessly

Hi @Chacko42,

 

We're currently on 8.0.6 h3.
