This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Panorama VM - looking up older logs takes a long time

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Panorama VM - looking up older logs takes a long time

gudmundur
L1 Bithead

‎10-23-2016 11:42 PM

We have a Panorama VM with a 2TB local disk 

 

Looking up recent traffic logs takes a short time

But looking up older logs takes quite a bit longer 

As an example it took 10 minutes to look up logs older than 2016/9/20 05:25:25

I used this as a filter ( time_generated leq '2016/9/20 05:25:25' )

 

When Panorama is working on filtering the logs I dont see any high cpu load.

 

Anyone else noticed this or found a solution  ?

0 Likes Likes
5 REPLIES 5

LCMember1959
L2 Linker

‎10-24-2016 03:04 AM

We started using Panorama a few months ago, and I see the same thing when searching through traffic logs for older entries. We use VMware and the host running Panorama has 4 vCPUs and 4 GB memory. Panorama version is 7.1.4-h2

0 Likes Likes

gudmundur
L1 Bithead
In response to LCMember1959

‎10-24-2016 03:06 AM

We are also using VMWare , 8 GB memory and 4 vCPUs and 7.1.4-h2 , going to upgrade to 7.1.5 tonight.

 

0 Likes Likes

jvalentine
L7 Applicator

‎10-24-2016 12:09 PM

Have you looked at the storage array that is backing the Panorama VM?  You could potentially see a large difference in logging/reporting performance based on factors such as flash vs hdd, dedicated vs shared vs over-subscribed, etc.  

0 Likes Likes

LCMember1959
L2 Linker
In response to jvalentine

‎10-26-2016 06:10 AM

Our Panorama server uses a volume on iSCSI storage (Dell Equallogic) with SAS disks. Everything else on the same storage solution works very fast, so I don't think that it's a bottleneck.

 

0 Likes Likes

Brandon_Wertz
L6 Presenter

‎10-26-2016 07:24 AM - edited ‎10-26-2016 07:56 AM

My company has a VM Pan with 2TB of storage as well and larger searches take minutes for me to run as well.  From my previous SE I was told this is a known issue and if you're having lots of logs or storage that a VM PAN solution is not the way to go.

 

We log anywhere from 80,000,000 to 160,000,000 logs to our panorama daily.  The management CPU is only ever around 10-20% but queries for greater than two weeks ago, especially for more than a day take 5+ minutes.

 

I think Palo's answer is going to be buy M100/500s and stack as needed.  We just deal with it.

0 Likes Likes
  • 3288 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks