How to Eliminate Alarm Message: Log Database Exceeds Alarm Threshold Value


Symptom

Here is an example of a full alarm message:

Current size (57197 MB) of traffic log database exceeds alarm threshold value(90%) of total allowed size(63072 MB).

Issue

  • Logs are purged only when the quota for that log type is exhausted. That is why the recommendation is to set the overall quota to roughly 90% of the disk: it is not a requirement to save space, but it leaves headroom and improves performance.
  • Purging keeps the log database as close to full as possible. If a log partition is set to 100 MB, nothing is purged until the database is 100% full (100 MB or more). Usage can exceed the quota because indexing also consumes space but does not go through the same purge path as normal log writes. If indexing runs while no new logs arrive, usage can stay above the quota (for example above 100 MB) until the next log is written; at that point the system purges enough logs and index files to get back below the quota.
  • The alarm is raised at the configured threshold (90% of the quota in the message above), while purging only begins once the quota itself is exhausted, so a busy firewall can sit between the threshold and the quota and raise this alarm even though purging is working normally. If the amount of traffic logged is greater than what the firewall can delete, usage also stays above the quota and the alarm is generated, as explained above.
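The quota, threshold and purge behaviour described in the bullets above, as an added example that is not from the original article: a small Python model of a log database whose purge runs only on a write that exceeds the quota, whose index growth bypasses purging, and whose alarm is evaluated against a configurable threshold, plus a parser for the alarm message text. The per-write purge cap (purge_limit_mb), the 10% index overhead and the assumption that the alarm is evaluated after each write are illustrative assumptions; the 30-day traffic figures are constructed.

```python
import re
from dataclasses import dataclass

# Matches both spacings seen in the alarm text: "Current size (57197 MB)" and "Current size(38926 MB)".
ALARM_RE = re.compile(
    r"Current size\s*\((\d+) MB\) of (\w+) log database exceeds alarm threshold\s*"
    r"value\s*\((\d+)%\) of total allowed size\s*\((\d+) MB\)"
)


def parse_alarm(message):
    """Extract the numbers from one threshold alarm and compute quota utilisation in percent."""
    m = ALARM_RE.search(" ".join(message.split()))  # collapse line breaks inside the message
    if not m:
        raise ValueError("not a log database threshold alarm")
    current, logtype, pct, total = int(m.group(1)), m.group(2), int(m.group(3)), int(m.group(4))
    return {"log": logtype, "current_mb": current, "quota_mb": total,
            "threshold_pct": pct, "used_pct": round(100.0 * current / total, 2)}


@dataclass
class LogDatabase:
    """Quota, alarm threshold and purge behaviour for one log type, as described in the Issue section."""
    quota_mb: float
    alarm_pct: float = 90.0
    purge_limit_mb: float = float("inf")  # assumed cap on what one purge pass can delete
    logs_mb: float = 0.0
    index_mb: float = 0.0
    alarms: int = 0

    @property
    def used_mb(self):
        return self.logs_mb + self.index_mb

    def over_threshold(self):
        return self.used_mb > self.quota_mb * self.alarm_pct / 100.0

    def write(self, mb):
        """Append logs; purge only when the quota is exceeded; then evaluate the alarm (assumed timing)."""
        self.logs_mb += mb
        excess = self.used_mb - self.quota_mb
        if excess > 0:
            freed = min(excess, self.purge_limit_mb)
            from_logs = min(freed, self.logs_mb)   # oldest logs go first, then their index files
            self.logs_mb -= from_logs
            self.index_mb -= min(freed - from_logs, self.index_mb)
        fired = self.over_threshold()
        self.alarms += int(fired)
        return fired

    def index(self, mb):
        """Indexing consumes space but never triggers a purge, so usage can sit above the quota."""
        self.index_mb += mb


def simulate(quota_mb, alarm_pct, daily_log_mb, days, index_ratio=0.1, purge_limit_mb=float("inf")):
    """Run `days` of steady traffic (constructed figures) and report how often the alarm fired."""
    db = LogDatabase(quota_mb, alarm_pct, purge_limit_mb)
    for _ in range(days):
        db.write(daily_log_mb)
        db.index(daily_log_mb * index_ratio)
    return {"alarms": db.alarms, "used_mb": db.used_mb, "over_quota": db.used_mb > quota_mb}


if __name__ == "__main__":
    print(parse_alarm("Current size (57197 MB) of traffic log database exceeds alarm "
                      "threshold value(90%) of total allowed size(63072 MB)."))
    print("90% threshold, purge keeps up:", simulate(1000, 90, 100, 30))
    print("100% threshold, purge keeps up:", simulate(1000, 100, 100, 30))
    print("100% threshold, purge capped at 50 MB/day:", simulate(1000, 100, 100, 30, purge_limit_mb=50))
```

With a 1000 MB quota and 100 MB of logs a day, the 90% threshold fires on every write once the database fills, because purging returns usage to the quota line rather than below the threshold. With the threshold at 100% the alarm only fires in the third run, where the purge cap stops the firewall from deleting as much as it writes, which is the failure mode the last bullet describes.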

One workaround is to turn off the alarm logs: go to Device > Alarms, under Log Settings, and clear the Enable Alarms check box. Note: this hides the message but does not eliminate the underlying issue.

The other option is to change the log storage size: go to Device > Setup > Management and adjust the log storage quotas. Note: this moves the point at which the alarm fires but does not address the underlying issue.

Resolution

  1. The root cause is the volume of logs. Review the logging options on each security rule: log at session end only, not at session start and not at both start and end. Enable log at session start only while troubleshooting, and disable it again when done.
  2. Next, identify rules that do not need to log traffic at all, such as DNS or ICMP rules, clean-up rules, or any others whose logs are never used.
  3. Disable logging on those rules. Bringing the log volume down to what the firewall can purge eliminates the message above.
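A way to find the rules the three steps above target, added here as an example and not part of the original article: a Python audit over an exported security rulebase that flags rules logging at session start, rules that log DNS/ICMP-style traffic, and clean-up (deny any) rules that log, then shows step 1 applied by forcing log-start off. The XML layout (rulebase/security/rules/entry with log-start, log-end and application/member children) and the assumption that session-end logging is on when the element is absent are assumptions about the PAN-OS export format; the configuration itself is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS security rulebase export (assumed layout, not a real device config).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web">
        <application><member>web-browsing</member><member>ssl</member></application>
        <action>allow</action><log-start>yes</log-start><log-end>yes</log-end>
      </entry>
      <entry name="allow-dns">
        <application><member>dns</member></application>
        <action>allow</action><log-end>yes</log-end>
      </entry>
      <entry name="allow-ping">
        <application><member>ping</member><member>icmp</member></application>
        <action>allow</action><log-start>no</log-start><log-end>yes</log-end>
      </entry>
      <entry name="cleanup-deny">
        <application><member>any</member></application>
        <action>deny</action><log-end>yes</log-end>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

RULE_PATH = ".//rulebase/security/rules/entry"
NOISY_APPS = {"dns", "ping", "icmp"}   # high-volume, low-value traffic named in the resolution steps


def audit_rules(config_xml):
    """Return one finding per rule that logs more than the resolution steps recommend."""
    findings = []
    for rule in ET.fromstring(config_xml).findall(RULE_PATH):
        name = rule.get("name")
        log_start = rule.findtext("log-start") == "yes"
        log_end = (rule.findtext("log-end") or "yes") == "yes"  # assumed: session-end logging is on by default
        apps = {m.text for m in rule.findall("application/member")}
        if log_start:
            findings.append({"rule": name, "issue": "log-start",
                             "fix": "log at session end only; enable start logging just while troubleshooting"})
        if log_end and apps & NOISY_APPS:
            findings.append({"rule": name, "issue": "noisy-app-logging", "apps": sorted(apps & NOISY_APPS),
                             "fix": "disable logging unless these logs are actually used"})
        if log_end and rule.findtext("action") == "deny" and apps == {"any"}:
            findings.append({"rule": name, "issue": "cleanup-rule-logging",
                             "fix": "review whether logging every denied session is needed"})
    return findings


def disable_log_start(config_xml):
    """Return the config with log-start forced to 'no' on every security rule (step 1 above)."""
    root = ET.fromstring(config_xml)
    for rule in root.findall(RULE_PATH):
        node = rule.find("log-start")
        if node is None:
            node = ET.SubElement(rule, "log-start")
        node.text = "no"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_CONFIG):
        print(finding)
    print("after disabling log-start:", audit_rules(disable_log_start(SAMPLE_CONFIG)))
```

The noisy-app and clean-up findings are left as review items rather than auto-fixed, since the page itself makes disabling those logs conditional on nobody needing them.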

owner: ssastera

Comments

Regarding point #4, if you do not log traffic from the rule, the ACC information will not include the statistics for that traffic.  If the device would still account for the traffic, I'd follow this advice, but my management love the ACC data.

Cheers,

Mike

Hi,

For point 4 of the issue, "If the amount of traffic logged is greater than what the firewall can delete, this alarm will be generated as explained in the above" - what are the reasons why a firewall would be unable to delete sufficient data?

I'm receiving alarms stating,

"Current size(38926 MB) of traffic log database exceeds alarm threshold value(90%) of total allowed size(38973 MB)"

I'm not creating 38GB of traffic logs per day on this PA-500 - so why is the firewall simply not removing sufficient old logs to make room for the new?

Thanks,

Adrian

If you unchecked the "Enable Alarms" setting would you not be disabling Alarms completely?

I still want alarms just not for the logging threshold.

Thanks

Another option that will eliminate the alarm above without disabling the alarm functions completely is to change the threshold values for the logging alarms to 100%. Since the logs are purged at 90%, raising the threshold to 100% should eliminate the alarm and keep alarms enabled. Also you will still receive the threshold alarm if you cap out your logging (100%), which would indicate an issue with the purge process.


Gun-Slinger's post appears to be a real solution rather than the OP. This acts like a bug to me.