log forwarding to CDL is generating high traffic volume

Showing results for 
Show  only  | Search instead for 
Did you mean: 

log forwarding to CDL is generating high traffic volume

L3 Networker

Dear community!


We are sending logs to cortex data lake and we noticed high traffic volume for the sessions concerning log forwarding, with peaks up to 200GB of data sent. 


Do you know if this volume of traffic can be normal?

Also, is there any documentation on how logs are being sent to CDL or how would you troubleshoot this issue?


Thank you in advance!





Cyber Elite
Cyber Elite


Check your log sources for what they are sending. If its the Firewalls, make sure you are only logging at session end. Also you can filter what is sent to the data lake, if you wish to limit the data, but its a data lake so I say the more the merrier.


L5 Sessionator

If you're a Cortex Pro customer as well, the usage by Data Lake will be high. Just QoS the app on the box, give it a set bandwidth if it's causing troubles. (docs)

Help the community! Add tags and mark solutions please.

L7 Applicator


Sorry for this question, but could you explain thia again? I don't understand what you are trying to tell us.

L7 Applicator

Hi @Carracido 

Over what time do you see these 200 GB peaks or also where? Is this from the ACC tab on the firewall? In that case you might see the end of a session which was open for days or even weeks and these 200 GB were the result of this very long session.

Yes, those are sessions that stay alive for over a week.


In some sessions I see also that bytes received from CDL are almost the same as bytes sent from the firewall. Is this because of log acknowledgment? If yes, how possible is so big the ack?


Thank you! 

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!