Logging question


L1 Bithead

Greetings, long time listener first time caller.

So this question has been brought up several times in my Organization and although I have never spent extensive time looking for a feature, it is always in the back of my mind when I am working on the FW. So like everyone I tend to use up more than my fair share of syslog/Splunk space. I have cut back on what I am logging and am always up against that when I add new features. What I am wondering is am I missing some feature that allows you to not log every session? By that I mean you are logging dropped traffic, someone is attempting some attack, in the logs it might have the same entry 100 times in a minute say. Is there any way to say only log the first one? My understanding is you log something or you don't. I can log say blocked RDP attempts or not, but I can't say only log the first one or only like 1 out of every 10 identical attempts or anything like that? I know you can do a lot of this with filters for Splunk, just wondering if you can do any on the FWs or on Panorama before it is sent to syslog.

Thanks

Joe.   


Cyber Elite
Hi @jdemares 

 

# set deviceconfig setting logging log-suppression yes

 

This enables a repeat count for such events, so you only get one log with a repeat count instead of 100 logs 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
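
What a repeat count means for anything counting events downstream, as an added example that is not part of the original reply and not PAN-OS code: the matching key, the 5-second window and the record field names are assumptions chosen for illustration. It models suppression over constructed deny events and shows that the number of log records shrinks while the summed repeat count still gives the true number of attempts.

```python
# Illustrative model of repeat-count log suppression (not PAN-OS code).
# Assumptions: events match on (src, dst, dport, app, action) and are
# folded into one record when they fall within WINDOW seconds of the
# first event of that record. Field names are hypothetical.

WINDOW = 5  # assumed suppression window, in seconds

# Constructed sample: 12 blocked RDP attempts, one per second, from one
# source, plus a single unrelated blocked SSH attempt.
SAMPLE = [(t, "198.51.100.7", "10.0.0.5", 3389, "ms-rdp", "deny")
          for t in range(12)]
SAMPLE.append((3, "203.0.113.9", "10.0.0.5", 22, "ssh", "deny"))


def suppress(events, window=WINDOW):
    """Collapse matching events inside the window into one record
    carrying a repeat count, in order of first appearance."""
    open_records = {}   # key -> most recent record for that key
    out = []
    for ts, *fields in sorted(events):
        key = tuple(fields)
        rec = open_records.get(key)
        if rec is not None and ts - rec["first_seen"] < window:
            rec["repeat"] += 1          # same flow, still inside window
        else:
            rec = {"first_seen": ts, "key": key, "repeat": 1}
            open_records[key] = rec     # start a new record
            out.append(rec)
    return out


def attempts_per_source(records):
    """Sum repeat counts per source so thresholds see real volume.
    Counting records instead would undercount suppressed attempts."""
    totals = {}
    for rec in records:
        src = rec["key"][0]
        totals[src] = totals.get(src, 0) + rec["repeat"]
    return totals


if __name__ == "__main__":
    records = suppress(SAMPLE)
    print(len(SAMPLE), "events ->", len(records), "records")
    print(attempts_per_source(records))
```

Searches or alerts that trigger on a number of blocked events per source should sum the repeat count field rather than count log lines once suppression is on.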