Log "Number of hints on disk has exceeded 5000 due to log forward failures."

Hey @BigPalo

Check out the below thread, it seems people have resolved the issue by running the command "debug software restart process log-receiver"

https://live.paloaltonetworks.com/t5/General-Topics/General-PA-5220/m-p/192473#M57806

As for the root cause, are you running Panorama?

Cheers,

Luke.

Yes, we are running Panorama

Hey @BigPalo

Cheers for confirming that. Did you restart the log receiver service and did it resolve the issue?

From what I gather, this problem is caused by the send queue being filled up when attempting to forward logs to Panorama. This can be verified by looking at the netstat output "show netstat" and looking at the "Send Queue" column for a socket open on port 10000.

In Panorama, there are a few best practices that we can look at:

1. Has a log forwarding preference list been configured? Panorama -> Collector Groups -> Device Log Forwarding

2. Is "enable redundancy across log collectors" checked?

3. Is "Forward to all collectors in the preference list" checked?

If options two and three are enabled, without the use of the preference list, then all logs will just be sent to one LC, and this will then be copying the logs to the other LCs anyways - causing a lot of stress. At this point the Panorama will start to throttle logs and this is when you will notice the netstat queues increasing.

Cheers,

Luke.

---

 

In Panorama, there are a few best practices that we can look at:

 

1. Has a log forwarding preference list been configured? Panorama -> Managed Collectors -> Device Log Forwarding

---

@LukeBullimore- I think that setting is under the Collector Groups, not Managed Collectors

Good best practices list - much appreciated!

Hey @JW6224

Whoops yeah that was a typo, I'll correct it now. 

I am still getting this error i ran the command debug restart log receiver

I see PA is conected to Panorama and we have dedicated log collectors

are you still having this issue???