This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Expedition root directory keeps growing

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Expedition root directory keeps growing

stevenjwilliams83
L3 Networker

‎04-17-2019 06:03 AM

I have expanded the root directory like 2 times already and it keeps filling up. So now the expedition gui will not load. 

 

So what is taking all the space?  

 

expedition@pan-expedition:/hdd/PaloLogs$ df -h

Filesystem                       Size  Used Avail Use% Mounted on

udev                             2.9G     0  2.9G   0% /dev

tmpfs                            595M   24M  572M   4% /run

/dev/mapper/Expedition--vg-root  109G  106G     0 100% /

tmpfs                            3.0G     0  3.0G   0% /dev/shm

tmpfs                            5.0M     0  5.0M   0% /run/lock

tmpfs                            3.0G     0  3.0G   0% /sys/fs/cgroup

/dev/sdb                          99G   28G   67G  29% /hdd

/dev/sda1                        472M  109M  340M  25% /boot

tmpfs                            595M     0  595M   0% /run/user/1000

expedition@pan-expedition:/hdd/PaloLogs$

 

I think the "projects" live in the root so it must be large to be taking up that much room so what are some options here?

 

 

/dev/sbd is where the logs from the pan are getting exported.

1 person had this problem.
0 Likes Likes
22 REPLIES 22

dgildelaig
L5 Sessionator
In response to stevenjwilliams83

‎04-29-2019 06:30 AM

I would say that you are still running the syslog server in Expedition and defined it to place the syslog entries in /data

 

Here an example of what we could have as a rsyslog config:

 

 

#####################################################
# Log everything to a per host daily logfile        #
#####################################################

$ModLoad imtcp

### Listeners
$InputTCPServerRun 10514

# specify senders you permit to access
$AllowedSender TCP, 127.0.0.1, 10.11.29.0/24, 172.16.26.0/24, *.paloaltonetworks.com

$template DynaTrafficLog,"/data/%FROMHOST-IP%/%HOSTNAME%_traffic_%$YEAR%_%$MONTH%_%$DAY%_last_calendar_day.csv"
*.* -?DynaTrafficLog

If you are exporting the logs to a specific folder, I guess you do not need to be running the syslog service and you do not need to ask the FW to use a logforwarding profile that sends the entries to Expedition.

 

Does it make sense? 

0 Likes Likes

stevenjwilliams83
L3 Networker
In response to dgildelaig

‎04-29-2019 06:38 AM

Yup it sure does. I think I set up syslog hoping to use it but could never figure out the use or the how to. How do you turn this service off? Or do I need to do in the conf file?

0 Likes Likes

dgildelaig
L5 Sessionator
In response to stevenjwilliams83

‎04-29-2019 06:44 AM

expedition@Expedition:~/BUILD# sudo service rsyslog stop

 

Afterwards, modify the config file so it would stop listening the ports. In this case, if Expedition tries to restart the service, it won't capture the data.

 

But, best and in addition, you should stop the log forwarding profile in the firewalls.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks