On of our customer, BRI, they found a system alarm which said "traffic log database exceed alarm threshold". Here's the screenshot:
Here's the log quota settings on their box:
Here's their real disk usage:
The question is, what will happen if the traffic log db exceed its threshold? I know from PAN support that if the traffic db exceed tha quota, it will be purged, but I don't know by purged, does that means the whole db is deleted, or the oldest traffic log entry got deleted? Or is it the newest log entry that will got deleted, so there'll be no newer traffic log entry, and the logging stopped?
And by any chance, is it possible to export these log db outside? I managed to re-read the admin guide also and didn't seems to find any clue regarding these.
Thanks before. :smileygrin:
The purging mechanism works as follows. The quota is checked each time a logdb file is rotated. If the quota threshold is violated then we start deleting logs starting from the oldest until the threshold is no longer exceeded. To see how often the logdb file is rotating, you can review the ms.log file for the following entry "Initing log file with version".
To answer the logdb export question: There is an option to export logs via ftp found in Device -> Scheduled Log Export
I hope this helps clear any doubts. Please let me know if I can help clarify further.
I was able to export the entire logdb on 5.0.2 successfully with the following command:
> scp export logdb to firstname.lastname@example.org:/root/logbackup/firewall-logs.tgz
Alternatively you can export each log type in csv format:
> scp export log traffic start-time equal 2013/01/12@00:00:00 end-time equal 2013/01/26@00:00:00 to email@example.com:/root/logbackup/logger.csv
Marking log as exported successfully...
The downside to csv export is that a start and end time must be specified.
You can view the oldest log for each log type with command:
> show log traffic direction equal forward
Time App From Src Port Source
Rule Action To Dst Port Destination
Src User Dst User
2013/01/13 14:10:55 web-browsing l3-trust 64728 172.18.39.146
webtraffic allow l3-dmz 8080 172.18.38.141
The logs exported with 'scp export logdb' are stored using custom compression to help achieve efficient storage. While the logs cannot be viewed, the db can be imported into another PanOS system.
If it is required to export the logs and view them, I would recommend using the 'scp export log traffic' option. Alternatively, you could use the XML API to retrieve the logs in xml form. For more information on API(Section 2.8 Retrieving Logs):
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!