Importing Logs from a Previous NFS Share to the Current NFS Share

Created On 09/26/18 13:51 PM - Last Modified 02/07/19 23:41 PM


Resolution


Overview

This document explains how to move logs from an old NFS share to the current NFS share in use by Panorama. There are two scenarios that will be addressed:

  1. Preparing to change NFS partitions
  2. Partitions have already been changed, and old logs need to be moved from the previous NFS partition

 

Details

Scenario 1: Preparing to change NFS partitions

  1. In the mount point of the existing NFS partition, verify that the following are present:
    drwxr-xr-x 19 nobody nogroup 4096 Dec  1 01:14       logdb
    -rw-r--r--  1 nobody nogroup   12 Jan 13 01:08       .panorama

  2. When ready to change the partition, log forwarding can optionally be stopped for individual devices with the following command:
    > request log-fwd-ctrl action stop device <device serial number>

  3. Copy the .panorama file and logdb directories to the new mount point.
  4. Configure Panorama to use the new NFS mount point.
  5. Verify that logs are present in the Monitoring tab.
  6. If log forwarding was disabled in step 2, re-enable it with the following command:
    > request log-fwd-ctrl action start device <device serial number>

 

Scenario 2: Panorama has already been pointed to a new NFS mount point, but logs from the previous mount point were never copied over.

In this scenario, the NFS mount point used by Panorama was changed without copying the existing logs as part of the move process. In this case, it is an involved process, but logs can still be copied.

 

Copy the log directories from the old NFS share. Specifically, the path to these directories is:

$NFSdir/$logtype/1

 

Where $logtype is one of the following:

    alarm
    appstatdb
    config
    dailythsum
    dailytrsum
    event
    hipmatch
    hourlythsum
    hourlytrsum
    system
    threat
    thsum
    traffic
    trsum
    userid
    weeklythsum
    weeklytrsum

 

In the '1' directory for each log type, there will be subdirectories containing data. For example:

/$NFSdir/traffic/1 will contain subdirectories similar to this:

    20130717
    20130718
    20130719
    20130720
    20130721
    20130722
    20130723

 

These date-coded subdirectories need to be copied to the corresponding path on the new NFS share (the same path, on the new share). However, there will likely be at least one folder for each log type that has the same date on both the old and new NFS locations (from the day the migration took place). There is no way to reconcile the two, so the user will need to choose which to keep: the logs from before the NFS change on Panorama or the logs from after it.

 

Note: This does not account for logging quotas that are enforced on Panorama. If near (or at) the quota for a log type, the old log files copied to the new directory will be purged in accordance with quota enforcement.
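
The Scenario 2 copy step, including the same-date collision described above, can be scripted on a host that has both shares mounted. This is an added example, not part of the original article or any Palo Alto Networks tooling; the function name merge_nfs_logs, the --apply flag, and the assumption that both arguments are the $NFSdir roots containing <logtype>/1 are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: merge date-coded log directories from an old NFS share into
# the new one without overwriting dates that exist on both shares.
# Assumption: OLD and NEW are the $NFSdir roots that contain <logtype>/1/.

LOGTYPES="alarm appstatdb config dailythsum dailytrsum event hipmatch
hourlythsum hourlytrsum system threat thsum traffic trsum userid
weeklythsum weeklytrsum"

# merge_nfs_logs OLD NEW [--apply]
# Prints one line per date directory: WOULD-COPY (dry run), COPY, or CONFLICT.
# Returns 0 if no date exists on both shares, 1 if any does, 2 on bad usage.
merge_nfs_logs() {
    local old="$1" new="$2" apply="${3:-}" conflicts=0 lt src dst day
    [ -d "$old" ] && [ -d "$new" ] || {
        echo "usage: merge_nfs_logs OLD NEW [--apply]" >&2
        return 2
    }
    for lt in $LOGTYPES; do
        src="$old/$lt/1"
        dst="$new/$lt/1"
        [ -d "$src" ] || continue
        for day in "$src"/*/; do
            day=$(basename "$day")
            # Only YYYYMMDD directories are log data; skip anything else.
            case $day in
                [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
                *) continue ;;
            esac
            if [ -e "$dst/$day" ]; then
                # Same date on both shares: leave the new share untouched and
                # report it so the operator can choose which copy to keep.
                echo "CONFLICT $lt/1/$day"
                conflicts=$((conflicts + 1))
            elif [ "$apply" = "--apply" ]; then
                # -a keeps ownership, modes and timestamps where permitted.
                mkdir -p "$dst" && cp -a "$src/$day" "$dst/" && echo "COPY $lt/1/$day"
            else
                echo "WOULD-COPY $lt/1/$day"
            fi
        done
    done
    [ "$conflicts" -eq 0 ]
}
```

Without --apply the function only reports what it would do, so the CONFLICT lines can be reviewed before any data is written to the new share.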

 

owner: cstancill


