Log file quota when is reach 100%

Reply
Not applicable

Log file quota when is reach 100%

Hi,

Can i know when the log space uses 100% of the quota,  will delete the old log to recycle to space, or do PAN just delete portion of the log? if it  only delete a certain percentage of the log , how many percent  of it  will be removed? or it delete the portion of log based on time?

Regards,

Alan

L3 Networker

Re: Log file quota when is reach 100%

By default at about 80% the palo alto will start purging the disk.

Not applicable

Re: Log file quota when is reach 100%

Hi,

Can i know how much data will be purge?

Any command to show in PAN?

L3 Networker

Re: Log file quota when is reach 100%

Hello,

You can try running command 'show system logdb-quota' to determine amount of data being purged.

L2 Linker

Re: Log file quota when is reach 100%

Hello,

This is not very clear on Palo box, since months we have issue that every
week we have alarm indicating that the log was exceeded 80 of the quota, in
fact we want to log all traffics and don’t want to disable logging on some
rules, I monitored during the week the logdb-quota and Palo don’t clear/purge
or delete older log at 80%, we opened a case on Palo support from three weeks
and the only response we get is that we have to disable some logging on our
rules.

So will be grate that Palo clarify this issue and response the question
below:

  • Is Palo box purge/clear or delete older logs or it
    overwrite older logs ?
  • If it  purge/clear
    or delete, how many volume or % ?
  • Is there a specific time that Palo box do this or it do
    it as soon as 80% was reached ?
  • Is there a way to configure Palo box to clear or
    deleted older logs from specific time ? if not way ( this is basic
    configuration of system that have to be available)
  • How can we sort out this issue? Without disabling logging
    on some rules?

Thanks for your answer and help

Highlighted
L5 Sessionator

Re: Log file quota when is reach 100%

Hi,

Please see below and see if that helps answer your questions.

  1. The logs are purged when the quota size is exhausted.  This is why it has been recommended to set the overall quota to ~90% of the full disk.  You do not have to save space, but it is recommended to improve performance.
  2. The logs are purged to keep the log file as close to full as possible. If a partition is set to 100MB, the logs are not purged until the log file is 100% full (100MB+).  The usage can be over the quota because the indexing will take up space, but it does not use the purging mechanism as the normal log writes.  If the index takes place, but no new logs have come in, the usage can be over the quota (over 100MB for example) until the next log is written.  Once the next log is written, the system will purge enough logs and index files to get below the quota.
  3. If the amount of traffic logged is greater than what the firewall can delete, this alarm will be generated as explained in the above.
  4. For deleting the logs partially currently there is no command. you can delete entire logs for example if you go to GUI and Device and manage logs it give you option to delete different logs.

     If you are looking for partially deleting the logs the work around would be If you resize the partition, and commit and then size it back after the commit, you should essentially remove the last the oldest logs.  For example if you have 1 GB of traffic logs,      resize the partition to 500MB, and commit, you will remove the oldest 500MB of logs. 

5. Also if you would like to request a feature to delete logs partially please contact your local SE (Sales Engineer) and he should be able to file an enhancement request for you.


Hope this helps.



Thanks

Numan

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!