Question Regarding Traffic Log DB Quota

Not applicable

Question Regarding Traffic Log DB Quota

One of our customers, BRI, found a system alarm which said "traffic log database exceed alarm threshold". Here's the screenshot:

[attached screenshot: 003.PNG]

Here's the log quota settings on their box:

[attached screenshot: 001.PNG]

[attached screenshot: 002.PNG]

Here's their real disk usage:

[attached screenshot: 004.PNG]

The question is, what will happen if the traffic log db exceeds its threshold? I know from PAN support that if the traffic db exceeds the quota it will be purged, but I don't know what "purged" means: is the whole db deleted, or is the oldest traffic log entry deleted? Or is it the newest log entry that gets deleted, so there'll be no newer traffic log entries and logging stops?

And by any chance, is it possible to export this log db elsewhere? I re-read the admin guide as well and didn't seem to find any clue regarding this.

Thanks in advance.

L4 Transporter

Re: Question Regarding Traffic Log DB Quota

Hi,

The purging mechanism works as follows. The quota is checked each time a logdb file is rotated. If the quota threshold is violated, then we start deleting logs, starting from the oldest, until the threshold is no longer exceeded. To see how often the logdb file is rotating, you can review the ms.log file for the following entry: "Initing log file with version".

To answer the logdb export question: there is an option to export logs via FTP, found in Device -> Scheduled Log Export.

I hope this helps clear any doubts. Please let me know if I can help clarify further.

Cheers,

Stefan
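To make the rule in the reply above concrete, here is an added model of it in Python. It is not Palo Alto Networks code and does not touch a firewall: it simulates one rotation-time quota check over a constructed list of log files (deleting from the oldest file until usage is back under the threshold, so the newest file and ongoing logging survive), and it estimates the rotation interval from constructed ms.log lines. The file names, sizes, timestamps and the ms.log line layout are assumptions made for the example; only the marker text "Initing log file with version" comes from the thread.

```python
"""Added illustration of the log quota purge rule (not PAN-OS code)."""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass
class LogFile:
    name: str
    first_entry: datetime  # time of the oldest record held in the file
    size_mb: float


def purge_on_rotation(files, quota_mb, threshold_pct):
    """Return (kept, purged) after one rotation-time quota check.

    Deletion starts with the file holding the oldest entries and stops as
    soon as total usage is back under threshold_pct of quota_mb. Files are
    removed whole, oldest first; the newest file is the last candidate, so
    a purge never stops logging.
    """
    limit_mb = quota_mb * threshold_pct / 100.0
    remaining = sorted(files, key=lambda f: f.first_entry)  # oldest first
    purged = []
    while remaining and sum(f.size_mb for f in remaining) > limit_mb:
        purged.append(remaining.pop(0))
    return remaining, purged


# Constructed ms.log line layout: 'YYYY-MM-DD HH:MM:SS <message>'.
# Only the marker substring is from the thread; the timestamp format is
# an assumption for this example.
ROTATION_RE = re.compile(r"^(\S+ \S+) .*Initing log file with version")


def rotation_intervals(ms_log_lines):
    """Return the gaps in minutes between successive rotation entries."""
    stamps = []
    for line in ms_log_lines:
        m = ROTATION_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]


# Constructed sample data: five traffic log files, 1120 MB in total,
# against a 1000 MB quota with a 90% alarm threshold (900 MB).
SAMPLE_FILES = [
    LogFile("traffic-0001", datetime(2013, 1, 10), 250.0),
    LogFile("traffic-0002", datetime(2013, 1, 11), 250.0),
    LogFile("traffic-0003", datetime(2013, 1, 12), 250.0),
    LogFile("traffic-0004", datetime(2013, 1, 13), 250.0),
    LogFile("traffic-0005", datetime(2013, 1, 14), 120.0),  # newest, still being written
]

SAMPLE_MS_LOG = [
    "2013-01-13 00:00:10 general: Initing log file with version 1",
    "2013-01-13 00:12:41 general: unrelated housekeeping message",
    "2013-01-13 01:30:10 general: Initing log file with version 1",
    "2013-01-13 02:45:10 general: Initing log file with version 1",
]


if __name__ == "__main__":
    kept, purged = purge_on_rotation(SAMPLE_FILES, quota_mb=1000, threshold_pct=90)
    print("purged:", [f.name for f in purged])      # only the oldest file goes
    print("kept:  ", [f.name for f in kept])        # newest file is untouched
    print("minutes between rotations:", rotation_intervals(SAMPLE_MS_LOG))
```

Running the sample removes only traffic-0001 (usage drops from 1120 MB to 870 MB, under the 900 MB line) and reports rotations 90 and 75 minutes apart; on a real box the rotation gaps come from the actual ms.log entries, and the number of files purged depends on how far over the threshold the database has grown.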

Not applicable

Re: Question Regarding Traffic Log DB Quota

Hi Stefan,

I've tried to export through Device -> Scheduled Log Export, and it seems that it only exports the last day's traffic log.

I intend to back up the whole log, from the very oldest. Is it possible to do that?

L4 Transporter

Re: Question Regarding Traffic Log DB Quota

I was able to export the entire logdb on 5.0.2 successfully with the following command:

> scp export logdb to root@172.18.32.143:/root/logbackup/firewall-logs.tgz

Alternatively you can export each log type in csv format:

> scp export log traffic start-time equal 2013/01/12@00:00:00 end-time equal 2013/01/26@00:00:00 to root@172.18.32.143:/root/logbackup/logger.csv
root@172.18.32.143's password:
Marking log as exported successfully...

The downside to csv export is that a start and end time must be specified.

You can view the oldest log for each log type with the command:

> show log traffic direction equal forward
Time                App             From            Src Port   Source
Rule                Action          To              Dst Port   Destination
                    Src User        Dst User
===============================================================================
2013/01/13 14:10:55 web-browsing    l3-trust        64728     172.18.39.146
webtraffic     allow           l3-dmz          8080      172.18.38.141

- Stefan

L5 Sessionator

Re: Question Regarding Traffic Log DB Quota

Hi,

Here is a good doc on the alarm you mentioned:

https://live.paloaltonetworks.com/docs/DOC-2437

It also explains when the logs are purged.

Hope this answers your question.

Thank you

Numan

Not applicable

Re: Question Regarding Traffic Log DB Quota

Stefan,

What's the format of the exported log? Can it be viewed with a simple text editor? I managed to export some of the logdb and tried to open it, but the content looks like a binary file.

L4 Transporter

Re: Question Regarding Traffic Log DB Quota

Hello,

The logs exported with 'scp export logdb' are stored using custom compression to achieve efficient storage. While these logs cannot be viewed directly, the db can be imported into another PanOS system.

If you need to export the logs and view them, I would recommend using the 'scp export log traffic' option. Alternatively, you could use the XML API to retrieve the logs in XML form. For more information on the API (Section 2.8 Retrieving Logs):

Cheers,

Stefan
