07-06-2021 03:27 PM
Dear community!
We are sending logs to Cortex Data Lake and we noticed high traffic volume for the sessions concerning log forwarding, with peaks up to 200GB of data sent.
Do you know if this volume of traffic can be normal?
Also, is there any documentation on how logs are being sent to CDL or how would you troubleshoot this issue?
Thank you in advance!
07-07-2021 09:20 AM
Hello,
Check your log sources for what they are sending. If it's the firewalls, make sure you are only logging at session end. Also, you can filter what is sent to the data lake if you wish to limit the data, but it's a data lake, so I say the more the merrier.
Regards,
07-07-2021 10:28 AM
If you're a Cortex Pro customer as well, the usage by Data Lake will be high. Just QoS the app on the box, give it a set bandwidth if it's causing troubles. (docs)
07-07-2021 12:46 PM
Hi @Carracido
Over what time do you see these 200 GB peaks or also where? Is this from the ACC tab on the firewall? In that case you might see the end of a session which was open for days or even weeks and these 200 GB were the result of this very long session.
07-08-2021 03:58 PM
Yes, those are sessions that stay alive for over a week.
In some sessions I also see that bytes received from CDL are almost the same as bytes sent from the firewall. Is this because of log acknowledgment? If yes, how is it possible that the ack is so big?
Thank you!