XDR Agent Quota Exceeded

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XDR Agent Quota Exceeded

L0 Member

Hello, 

 

We receive numerous alerts of "XDR agent quota exceeded on ****"

I understand this means that the default storage is being exceeded but what exactly does that entail?

 

1. Are the old logs not being overwritten in time causing the alert to set off since the space has been exceeded? is it actually going over the default space or is there a hard stop where logs wont be collected?

2. Does cortex generate this alert any time an old log is overwritten?

3. Is there anyway to stop these alerts from happening without increasing the storage space?

5 REPLIES 5

L3 Networker

Hi,

 

Thanks reaching out LV.

 

This message usually refers to the agent quota setting that is defined in the agent settings profile, being the default disk space allocated for agent logs is 5000MB, you can increase it up to 10,000 by creating a new agent settings profile. 

 

Older logs will be overwritten but not all them at the same time.

 

If you feel this resolved your doubt, please mark is as solution.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

We have deleted the old logs out of the system but we are still receiving the alerts. Is there a way to fix the "agent quota exceeded" without increasing the disk space?

Would anyone know the answer to this?


2. Does cortex generate this alert any time an old log is overwritten?

... and to this:

Does this condition (of exceeding the "quota" result in any negative impact on functionality or performance, such as failure to generate alerts and incidents? (Which may be the case in our environment thanks to inexplicable such failures.)

Thanks!

L5 Sessionator

Hello @T.Kepinski ,

 

Greetings for the day.

 

The "XDR Agent quota exceeded" alert indicates that the local storage allocated for the agent's security data—such as forensic data, quarantined files, and EDR telemetry—has reached its configured limit.

 

1. Log Overwriting and Data Collection

When the quota is reached, the agent operates on a First-In, First-Out (FIFO) basis, automatically deleting the oldest data to make room for new data.

  • Is it a hard stop?
    Not initially. The agent continues to protect the endpoint even after the quota is exceeded. However, if data is generated faster than it can be purged, or if communication issues prevent the agent from uploading data to the management console, the agent may enter a PARTIALLY_PROTECTED state and stop collecting EDR data.
  • Purge Delay:
    By default, the agent checks and enforces the directory quota every 1 hour. If a large amount of data is generated before the next scheduled purge cycle, the quota exceeded alert may be triggered.

2. Alert Generation

The alert is generated to notify administrators that the agent has reached its configured storage limit and is actively enforcing its internal quota by pruning older data. This is expected behavior and serves as an informational notification.

3. Managing Alerts Without Increasing Storage

If you prefer not to increase the disk quota, consider the following approaches:

  • Policy Tuning:
    Review high-frequency detections or processes generating excessive data and tune the relevant security profiles or allow trusted files where appropriate to reduce unnecessary logging.
  • Alert Exclusions:
    Create an alert exclusion rule for the "Quota Exceeded" alert if you want to suppress these notifications from appearing in the console.
  • Forced Cleanup:
    Temporarily reduce the configured disk quota (for example, to 100 MB) to force the agent to immediately purge older data. Once cleanup is complete, restore the original quota value.
  • Manual Cleanup (Windows):
    If required, you can manually clear the prevention archive after disabling self-protection.

    Disable file protection:"C:\Program Files\Palo Alto Networks\Traps\cytool" protect disable file

Delete the files under:C:\ProgramData\Cyvera\Prevention
Re-enable file protection:"C:\Program Files\Palo Alto Networks\Traps\cytool" protect enable file
 
-To verify the current event collection status and disk usage, run:"C:\Program Files\Palo Alto Networks\Traps\cytool" event_collection query
 

Note: If the issue persists despite these steps, we recommend opening a support case for further investigation and analysis of the agent logs.

 

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

AI response? (A wall of pretty text not really answering the question.)

(Yes, I easily get grumpy... lol)

  • 1345 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!