01-28-2025 07:47 AM
Hello Cortex Team,
On one of our server endpoints, the Dump folder located at the path ProgramData\Cyvera\LocalSystem\Dump is taking a lot of space.
We already tried to clear the database of said agent, with no difference (see screenshot before and after).
The endpoint does not have enough free space to generate the support file.
Could you please explain the reason behind these dumps and whether it's safe to remove them?
Thanks in advance for your assistance.
Best regards.
01-29-2025 12:39 AM
Thank you for writing to LC!
The path ProgramData\Cyvera\LocalSystem\Dump is where the agent stores alerts, incident dumps and technical support files.
So if this space is filling up rapidly, then I am guessing there might be too many incidents generated within a short time, which may need to be looked at. That being said, the agent has an auto purge mechanism where the disk space utilization is automatically managed by the agent based on the settings configured in the Agent Settings profile.
So to simply answer your question: yes, it's safe to clear the database and manually remove those dumps as a part of troubleshooting, but if the issue persists then this needs TAC attention to understand the exact cause for a permanent fix, hence please raise a support ticket to advise you on your break-fix issue.
Please select Accept as Solution if you found this answer helpful.
Best,
01-30-2025 04:36 AM
Hello Nar,
Thank you for your feedback and explanation provided.
Indeed, it's currently set to "full" for this server, though the customer has no issues with other endpoints.
Based on the manual, what do "Small" and "Medium" actually mean? We are happy to set up a specific policy for this endpoint, but we'd like to understand the difference.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-A...
*When the Cortex XDR agent raises alerts on process-related activity on the endpoint, the Cortex XDR agent collects the contents of memory and other data about the event in what is known as an alert data dump file. You can customize the Alert Data Dump File Size—Small, Medium, or Full (the largest and most complete set of information)—and whether to Automatically Upload Alert Data Dump File to Cortex XDR. During event investigation, if automatic uploading of the alert data dump file was disabled, you can manually retrieve the data.
Thanks again for your help on this matter.
Best regards
01-30-2025 07:08 PM
Hi @RomainCouvreur
Thanks for the update!
The agent disk space allocation is managed by setting 3, "(Windows, Mac, and Linux only) Configure the Disk Space to allot for Cortex XDR agent logs", described in the agent settings profile, and I was referring to that setting. So generally, if the allocation is set to the default 5,000 MB, then the agent with its auto purge mechanism ideally manages the data within that allocation.
If that is not happening, then we should understand what the exact reason is, which needs a thorough investigation of the support files, hence please raise a support ticket to find that out.
Regarding the other setting, I suggest you leave it at "Default - Full", which means the agent collects the complete set of information, including contents of memory and other data about the event necessary for the complete incident investigation; otherwise we might miss some data collection for that incident if we set it to Small or Medium.
Give it a like and select Accept as Solution if you found this answer helpful.
Best,
02-03-2025 02:46 AM
Hello,
The agent log disk quota is actually 2GB (instead of the default 5GB).
The dump files are taking almost all the available space and the customer is not in a position to add extra space at this moment.
Is there a way to manually clear at least some of these files, as clearing the database of said agent doesn't make any difference?
Thanks again for your help on this matter.
Best regards
02-14-2025 05:44 AM
Hello Nar,
As we were not able to delete the dump file via Cortex manager or locally on the endpoint, we have opened a TAC case and the resolution was:
--------
We noticed that the agent is consuming high disk space.
Running the following steps allows the dump file to be removed:
1. Stop protection using the command:
```cmd
cytool protect disable
```
Run this command in CMD as Administrator from the path:
C:\Program Files\Palo Alto Networks\Traps
2. Try deleting the file while keeping a backup.
3. Once done, restart protection using:
```cmd
cytool protect enable
```
--------
Thank you and best regards.
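
The three TAC steps above as one PowerShell script, added here as an example and not taken from the thread or from Palo Alto Networks. It verifies each backup copy by hash before deleting the original and re-enables protection in a `finally` block so the agent is not left unprotected if a copy or delete fails. The backup folder `D:\XdrDumpBackup` is an assumption, and ProgramData is assumed to be at its default location.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Paths other than the two from the thread are assumptions.
$ErrorActionPreference = 'Stop'

$cytool  = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'  # folder given in the thread
$dumpDir = Join-Path $env:ProgramData 'Cyvera\LocalSystem\Dump'    # folder given in the thread
$backup  = 'D:\XdrDumpBackup'   # assumption: any volume with enough free space

& $cytool protect disable       # step 1; cytool prompts for the supervisor password
try {
    # Inventory first: total size and the ten largest files, for the TAC case notes.
    $files = @(Get-ChildItem -LiteralPath $dumpDir -File -Recurse -Force)
    $sum   = ($files | Measure-Object -Property Length -Sum).Sum
    '{0} files, {1:N2} GB in {2}' -f $files.Count, ($sum / 1GB), $dumpDir
    $files | Sort-Object Length -Descending |
        Select-Object -First 10 FullName, Length, LastWriteTime

    foreach ($f in $files) {
        # Step 2: copy into the backup tree, verify the copy, then delete the original.
        $rel  = $f.FullName.Substring($dumpDir.Length).TrimStart('\')
        $dest = Join-Path $backup $rel
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest

        $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            throw "Backup mismatch for $($f.FullName); original kept."
        }
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
finally {
    & $cytool protect enable    # step 3; runs even if a copy or delete failed
}
```

Protection stays off for as long as the copy runs, so a fast local backup volume keeps that window short.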