Panorama Log Storage Calculation


L4 Transporter

Ok so I guess my logs don't even collect for 24 hours due to my log storage being about 7GB. Silly people who set this up I swear. So I am trying to figure out how much I do need.

 

I have a PA-500, PA-820, PA-3050 (x2, they are HA pair) and a PA-3020.

 

https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181

 

 

Now this article shows how many logs per second, but how do I determine what my log collection per day is? I assume it's based on what logs I am collecting and what sev level, correct?

 

 

11 REPLIES

L2 Linker

Yes, it does. Having a logging environment with a lot of quick sessions will fill that up a lot quicker than an environment with not many sessions that move a lot of data.

 

For my environment 500GB is a bit over a month of data. 120GB was around a week, but we log every rule, and have multiple DMZ zones.

 

If you are running in legacy mode, you can only have 1 dedicated log disk, and if you need to change it, you lose all logs and start over. If you are running in "panorama" mode you have more flexibility to add or remove disks.

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-overview/pan...

I believe in a normal install, logging is part of the install disk, so you can easily add a dedicated disk without losing logs in any mode.

 

Legacy mode vs Panorama mode? I am not sure what the differences are or how I tell?

Most likely you are in legacy mode... Panorama has some steep CPU requirements. (24 I believe)

 

To check the mode you are in, from an SSH session run the following command.

 

> show system info

 

At the bottom you should see this line:

 

platform-family: pc
system-mode: legacy
operational-mode: normal
num-cpus: 4
ram-in-gb: 4

 

Yes, says legacy. With that what is the difference though? Do I get less features with legacy mode?

Here is a link with the differences.

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-overview/pan...

Mostly it's just the volume of logs, and the size of disk supported. (8TB vs 24TB)

Do you have a single install disk on your VM, or two?

 

Is there any way to figure this out through CLI? I do not have any visibility into vCenter being the Network guy...::insert eye roll emoji here::

In the CLI you can run the command

 

show system disk-space

 

The disks will start with sda, then the second will be sdb. If you have an sdb then you do have a dedicated log disk.

 

You can also do a

show system disk-partition

 

to see the partition sizes.

Looks like one disk currently.

 

Filesystem Size Used Avail Use% Mounted on
/dev/sda2        4.0G 2.4G 1.5G 62% /
/dev/sda5        24G 6.4G 17G 29% /opt/pancfg
/dev/sda6        4.0G 2.4G 1.4G 64% /opt/panrepo
tmpfs               2.0G 110M 1.9G 6% /dev/shm
cgroup_root    2.0G 0 2.0G 0% /cgroup
/dev/sda8       12G 5.0G 6.4G 44% /opt/panlogs

 

Looks like it will be easy. You just need to add a disk, and your logs will be automatically moved over.

 

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/set-up-panorama/set-u...

 

I just need to figure out how much space I need. Any tips trying to "guesstimate" that?

I can give you a guess... the document you linked has the best info.

 

But how much bandwidth do you push through the device? Do you log everything? How about how many zones do you have?

 

I personally wouldn't want less than 100GB... storage is cheap these days and most server VM environments should be able to support that without batting an eye. Just a guess without knowing the environment, and the amount of gear you listed. I would want at least 500GB, 750 to 1TB would be a dream, but that's a fight you got to have with your server guys!
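
Added example, not written by any poster in this thread and not Palo Alto Networks code: a small Python helper that parses the `show system disk-space` output quoted above, applies the thread's "is there an sdb?" rule for a dedicated log disk, and extrapolates observed retention to a target retention. The function names, the steady-log-rate assumption and the headroom factor are assumptions of this example; the 7 GB in 24 hours input is the first post's figure, used as a lower bound.

```python
import re

# Constructed sample: the `show system disk-space` output quoted in the thread.
SAMPLE = """\
Filesystem Size Used Avail Use% Mounted on
/dev/sda2        4.0G 2.4G 1.5G 62% /
/dev/sda5        24G 6.4G 17G 29% /opt/pancfg
/dev/sda6        4.0G 2.4G 1.4G 64% /opt/panrepo
tmpfs               2.0G 110M 1.9G 6% /dev/shm
cgroup_root    2.0G 0 2.0G 0% /cgroup
/dev/sda8       12G 5.0G 6.4G 44% /opt/panlogs
"""
GB_PER_UNIT = {"": 1 / 1024**3, "K": 1 / 1024**2, "M": 1 / 1024, "G": 1.0, "T": 1024.0}

def to_gb(field):
    """Convert a df-style size such as '6.4G', '110M' or '0' to GB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]?)", field)
    if m is None:
        raise ValueError(f"unrecognised size field: {field!r}")
    return float(m.group(1)) * GB_PER_UNIT[m.group(2)]

def parse_disk_space(text):
    """Return one dict per filesystem row, skipping the header and short lines."""
    rows = []
    for line in text.splitlines():
        p = line.split(None, 5)
        if len(p) != 6 or p[0] == "Filesystem":
            continue
        rows.append({"device": p[0], "size_gb": to_gb(p[1]), "used_gb": to_gb(p[2]), "mount": p[5]})
    return rows

def log_disk_report(text, log_mount="/opt/panlogs"):
    """Describe the log partition and whether a second disk (sdb) is present."""
    rows = parse_disk_space(text)
    log = next((r for r in rows if r["mount"] == log_mount), None)
    if log is None:
        raise LookupError(f"no filesystem mounted on {log_mount}")
    # Rule from the thread: an sdb device means a dedicated log disk exists.
    dedicated = any(r["device"].startswith("/dev/sdb") for r in rows)
    return {**log, "dedicated_log_disk": dedicated}

def required_gb(observed_gb, observed_hours, target_days, headroom=1.0):
    """Scale 'observed_gb lasted observed_hours' to target_days (steady rate assumed)."""
    if observed_hours <= 0 or target_days <= 0:
        raise ValueError("observed_hours and target_days must be positive")
    return observed_gb * 24 / observed_hours * target_days * headroom

if __name__ == "__main__":
    print(log_disk_report(SAMPLE), required_gb(7, 24, 30, headroom=1.25))
```

Because the first post says logs last less than 24 hours, the result is a floor rather than an estimate; measure the actual retention window before asking for disk.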
