Logging question

L0 Member


Greetings, long time listener, first time caller.

So this question has been brought up several times in my organization, and although I have never spent extensive time looking for a feature, it is always in the back of my mind when I am working on the FW. So like everyone I tend to use up more than my fair share of syslog/Splunk space. I have cut back on what I am logging and am always up against that when I add new features. What I am wondering is, am I missing some feature that allows you to not log every session? By that I mean you are logging dropped traffic, someone is attempting some attack, and in the logs it might have the same entry 100 times in a minute, say. Is there any way to say only log the first one? My understanding is you log something or you don't. I can log, say, blocked RDP attempts or not, but I can't say only log the first one, or only like 1 out of every 10 identical attempts, or anything like that? I know you can do a lot of this with filters for Splunk; I am just wondering if you can do any on the FWs or on Panorama before it is sent to syslog.

Thanks

Joe.   

L7 Applicator

Re: Logging question

Hi @jdemares 

 

# set deviceconfig setting logging log-suppression yes

 

This enables a repeat count for such events, so you only get one log with a repeat count instead of 100 logs.

reaper - PANgurus.com
I drink and I know things
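
An added illustration of what a repeat count does to the log volume discussed in this thread; it is not part of the original posts and is not PAN-OS code. The matching fields, the 5-second window and the function name `suppress` are assumptions chosen for the example, and the log records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records: (time, src, dst, dport, app, action).
SAMPLE = [
    ("2024-01-01 10:00:00", "203.0.113.7", "10.0.0.5", 3389, "ms-rdp", "deny"),
    ("2024-01-01 10:00:01", "203.0.113.7", "10.0.0.5", 3389, "ms-rdp", "deny"),
    ("2024-01-01 10:00:01", "198.51.100.9", "10.0.0.5", 22, "ssh", "deny"),
    ("2024-01-01 10:00:02", "203.0.113.7", "10.0.0.5", 3389, "ms-rdp", "deny"),
    ("2024-01-01 10:00:03", "203.0.113.8", "10.0.0.5", 3389, "ms-rdp", "deny"),
    ("2024-01-01 10:00:04", "203.0.113.7", "10.0.0.5", 3389, "ms-rdp", "deny"),
    ("2024-01-01 10:00:09", "203.0.113.7", "10.0.0.5", 3389, "ms-rdp", "deny"),
]

WINDOW = timedelta(seconds=5)  # assumed window, not a documented PAN-OS value


def suppress(records, window=WINDOW):
    """Collapse identical records seen within `window` of the first one.

    Returns one entry per run, each carrying a repeat_count, so the total
    of all repeat counts still equals the number of input records.
    """
    open_runs = {}   # key fields -> entry currently absorbing repeats
    emitted = []     # entries in the order their first record arrived
    for ts_text, *fields in sorted(records):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        key = tuple(fields)  # assumed match key: src, dst, dport, app, action
        run = open_runs.get(key)
        if run is not None and ts - run["first_seen"] <= window:
            run["repeat_count"] += 1
            run["last_seen"] = ts
            continue
        # First occurrence, or the previous run's window has expired.
        run = {"key": key, "first_seen": ts, "last_seen": ts, "repeat_count": 1}
        open_runs[key] = run
        emitted.append(run)
    return emitted


if __name__ == "__main__":
    for entry in suppress(SAMPLE):
        src, dst, dport, app, action = entry["key"]
        print(f'{entry["first_seen"]} {src} -> {dst}:{dport} {app} {action} '
              f'repeat_count={entry["repeat_count"]}')
```

The seven constructed records become four log entries. The cost is per-event detail: the collapsed entry keeps only the first and last timestamps of the run.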