I have a client (PA 5220 version 8.0.9) who continuously (every hour) is getting this error message in Monitor -> System: "Number of hints on disk has exceeded 5000 due to log forward failures."
At first we thought it was due to the parameter configured under Device -> Setup -> Management -> Logging and Reporting Settings -> Max Rows in User Activity Report, since the value was 5000, but we are no longer sure.
We also suspected that it was due to the maximum number of user authentication errors and/or external log elements, and we limited the storage of this type of logs. But the alarm is still active.
We do not know the origin of this error, so we cannot fix it and stop it from appearing.
Any idea what is causing this error message and how to fix it?
I know it's been over a month now, but were you able to resolve this issue?
I had a 5220 hardware failure on my active/standby pair. I replaced the failed firewall and synced/copied the standby config to the active (my active is the one that died). Now I'm getting these alerts.
My device is registered, license transferred, OS version are same on both firewalls, license number was replaced in Panorama from old to new. Not sure what the deal is.
Not yet. I see that it is possible this problem is related to Panorama. In my customer's case Panorama was deactivated but not in the config of the Palo Alto, so I was expecting them to delete this.
After that, if it doesn't work, I'll apply the "debug software restart process log-receiver" command again.
Not sure if you have already figured this out; if not, here is my suggestion and what I did to fix this thing a few days back.
I did verify this on my firewall and I see logs are not forwarding to Panorama:
devicename>debug log-receiver rawlog_fwd statistics global show
There were many drops in the output of the command.
I made sure log settings are configured to forward the logs to Panorama,
but on the Panorama, under log collector groups, we hadn't added the firewall to the device log forwarding list. That fixed the issue, though not immediately, because the hints count is something that clears off only when all the logs that were stored as hints have been forwarded to Panorama. It will send one log per second. The maximum hint count is 20000 by default, but the device generates a high priority system log when it exceeds 5000. I just waited until all logs in the hints were written to Panorama; however, if you want, you can clear off the hint count with
devicename> debug log-receiver rawlog_fwd clear hints-all
Hope this helps.
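To make the timing in the reply above concrete, here is a small added model of the hint backlog (example code written for this thread, not from the poster or from Palo Alto Networks). Every PAN-OS number in it is taken from that reply rather than vendor documentation: the 5000 alarm threshold, the 20000 default cap, and the one-log-per-second replay rate after forwarding recovers. The outage length and log rate are constructed, and the assumption that live logs bypass the hint queue while the link is up is mine.

```python
"""Toy model of the 'hints on disk' backlog described in the reply above.

All PAN-OS behaviour here is taken from that reply, not from vendor docs:
logs that cannot reach Panorama are queued on disk as hints, a high-priority
system log fires once the backlog exceeds 5000, the backlog is capped at
20000 by default, and after forwarding recovers the hints are replayed at
one log per second. Log rates and outage lengths are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ALARM_THRESHOLD = 5000   # backlog size that triggers the system log (from the reply)
MAX_HINTS = 20000        # default on-disk cap (from the reply)
DRAIN_PER_SEC = 1        # replay rate once forwarding works again (from the reply)


@dataclass
class HintBacklog:
    hints: int = 0
    dropped: int = 0                      # logs lost once the cap was hit
    alarm_fired_at: Optional[int] = None  # second at which the backlog first exceeded 5000
    cleared_at: Optional[int] = None      # second at which the backlog drained back to 0

    def step(self, t: int, new_logs: int, forwarding_ok: bool) -> None:
        """Advance the model by one second."""
        before = self.hints
        if forwarding_ok:
            # Assumption (mine): live logs go straight to Panorama while the link
            # is up, so only queued hints use the 1 log/s replay slot.
            self.hints = max(0, self.hints - DRAIN_PER_SEC)
            if before > 0 and self.hints == 0 and self.cleared_at is None:
                self.cleared_at = t
        else:
            room = MAX_HINTS - self.hints
            accepted = min(new_logs, room)
            self.dropped += new_logs - accepted   # anything beyond the cap is lost
            self.hints += accepted
        if self.alarm_fired_at is None and self.hints > ALARM_THRESHOLD:
            self.alarm_fired_at = t


def simulate(outage_seconds: int, logs_per_sec: int, max_recovery_seconds: int) -> HintBacklog:
    """Run an outage of the given length, then let forwarding recover."""
    backlog = HintBacklog()
    t = 0
    for _ in range(outage_seconds):
        backlog.step(t, logs_per_sec, forwarding_ok=False)
        t += 1
    for _ in range(max_recovery_seconds):
        backlog.step(t, logs_per_sec, forwarding_ok=True)
        t += 1
        if backlog.cleared_at is not None:
            break
    return backlog


def drain_seconds(backlog: HintBacklog, outage_seconds: int) -> Optional[int]:
    """Seconds of replay needed after recovery before the hint count reaches 0."""
    if backlog.cleared_at is None:
        return None
    return backlog.cleared_at - outage_seconds + 1


if __name__ == "__main__":
    # Constructed scenario: Panorama unreachable for two hours at 3 logs/s.
    outage = 2 * 3600
    result = simulate(outage, logs_per_sec=3, max_recovery_seconds=24 * 3600)
    if result.alarm_fired_at is not None:
        print(f"alarm fired after {result.alarm_fired_at + 1}s of outage")
    print(f"{result.dropped} logs dropped at the {MAX_HINTS} cap")
    drain = drain_seconds(result, outage)
    if drain is None:
        print("backlog did not clear within the recovery window")
    else:
        print(f"replay took {drain}s ({drain / 3600:.1f} h)")
```

The point the model makes is the one the reply hints at: a two-hour outage at a modest log rate fills the cap in well under the outage, loses everything after that, and then needs more than five hours of replay at one log per second before the hint count returns to zero and the alarm stops, which is why the count looks stuck long after forwarding is fixed.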
This has popped up two or three times for me, in the first two it was running a fw that was a higher version than Panorama. My most recent example was running an older version of 8.0.x log collectors against a 8.1.x Panorama and 8.1.x FW.
I would do a show logging-status to see if there is a misconfiguration and make note of the addresses.
Take the results from the prior command:
show netstat all yes | match 10.x.x.x
It should look something like this:
tcp your.firewall.com:50000 10.x.x.x:pan-panorama established
If that looks fine, then I would logon to the Panorama CLI and run this command:
show netstat all yes | match 3978 (may be 3798, not at a console)
If it shows an active connection and you are running the exact same version on the fw, panorama or log collectors I would open a case with PA.
I would verify that the time on all devices matches and, if using log collectors, make sure the dynamic updates are working and all are the same version, otherwise collation will not allow the logs to be processed.
You can try and run this from Panorama to see if it can restart the connection.
request log-fwd-ctrl device SERIALNUMBER start-from-lastack
request log-fwd-ctrl device SERIALNUMBER action stop
request log-fwd-ctrl device SERIALNUMBER action live
request log-fwd-ctrl device SERIALNUMBER action start
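As an added example for the netstat check suggested above (written for this thread, not code from the poster or from Palo Alto Networks), the function below reads netstat-style output and reports whether the firewall has an established session towards each expected Panorama or log collector address. The line layout is modelled on the single sample line in that reply, the sample output is constructed, and real "show netstat all yes" output may differ in column layout, so treat the regex as an assumption to adjust.

```python
"""Check netstat-style output for the firewall-to-Panorama log forwarding session.

Added example for this thread. The input layout is modelled on the one sample
line the reply shows for 'show netstat all yes'; the sample below is
constructed and real output may differ in column layout.
"""
import re
from typing import Dict, List, Set, Tuple

PANORAMA_PORT = "3978"              # port the reply names on the Panorama side
PANORAMA_SERVICE = "pan-panorama"   # service name shown in the reply's sample line

# proto, local endpoint, remote endpoint, state (assumed column order)
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)

# Constructed sample: one healthy Panorama session, one stuck in SYN_SENT,
# and an unrelated SSH session that must be ignored.
SAMPLE_NETSTAT = """\
tcp fw01.example.com:50000 10.1.1.10:pan-panorama established
tcp fw01.example.com:50002 10.1.1.11:3978 SYN_SENT
tcp fw01.example.com:ssh 10.9.9.9:51234 established
"""


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Split netstat-style lines into proto/local/remote_host/remote_port/state."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blanks, or a layout this regex does not cover
        host, _, port = m["remote"].rpartition(":")
        rows.append({
            "proto": m["proto"],
            "local": m["local"],
            "remote_host": host,
            "remote_port": port,
            "state": m["state"].upper(),
        })
    return rows


def panorama_sessions(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only sessions whose remote port is the Panorama log-forwarding port."""
    return [r for r in rows if r["remote_port"] in (PANORAMA_PORT, PANORAMA_SERVICE)]


def check_log_forwarding_link(text: str, expected_peers: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """Report the session state towards each expected Panorama / log collector.

    Returns (all_established, {peer: state}); a peer with no session at all
    on the Panorama port is reported as 'MISSING'.
    """
    states = {peer: "MISSING" for peer in expected_peers}
    for r in panorama_sessions(parse_netstat(text)):
        peer = r["remote_host"]
        if peer in states and states[peer] != "ESTABLISHED":
            # Prefer an ESTABLISHED session if several exist towards one peer.
            states[peer] = r["state"]
    return all(s == "ESTABLISHED" for s in states.values()), states


if __name__ == "__main__":
    ok, states = check_log_forwarding_link(SAMPLE_NETSTAT, {"10.1.1.10", "10.1.1.11", "10.1.1.12"})
    for peer, state in sorted(states.items()):
        print(f"{peer}: {state}")
    print("all Panorama sessions established" if ok else "log forwarding link needs attention")
```

Feed it the output you captured from the firewall CLI and the addresses from "show logging-status"; a peer reported as SYN_SENT or MISSING is the one to chase (firewall-side config, a path or firewall rule between the two, or the version and time mismatches the reply mentions) before restarting the connection with the request log-fwd-ctrl commands.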
Finally, the problem was solved by TAC.
As we don't have a Panorama anymore, they activated the HIP Match parameter "hipmatch-any" to Panorama (under Device --> Log Settings).
After that we checked with "debug management-server rawlog_fwd show hint-state" that we had a lot of records in
Number of hints on disk (over 19200), so they cleared all these hints with "debug management-server rawlog_fwd clear hints-all" until it reached 0.
We deactivated the HIP Match to the Panorama and committed.
After that we don't have any more alarms.