Traffic Logs not showing up on Monitoring Tab

Reply
Highlighted
L1 Bithead

Traffic Logs not showing up on Monitoring Tab

Hi All,

 

Device Type: PA-220

Software Version: 8.0.11-h1

 

Im having an issue with old traffic logs not showing up on the monitoring tab. I can see live logs but if I want to check the logs for the previous day or previous 2 days then nothing shows up. It only goes back to a certain time. We have cleared all the logs on Friday 13 July so that it can start logging new entries. I logged on today wanting to check the logs for yesterday and I could only go back as far as 14:22. If I filter the time to 14:21 then it shows nothing.

 

Are there any known issues like this one for the PA-220?

Is there anyone that faced or facing the same issue?

 

Thank You

Rieyaad

Highlighted
Cyber Elite

@Technical1,

The 220 doesn't have a lot of logging space allocated. Are you sure that these logs aren't simply getting deleted to allow the current logs to actually write? That's likely what you're running into. 

Highlighted
L4 Transporter

Taht should be easy enough to determine, from the CLI execute the command show system logdb-quota

 

Thsi will show the configured quoteas, then the disk usage and number of days retained - if the traffic usage is at or above the quota and only lists 1-2 days retained, you are using all of the allowed log space.

Highlighted
L1 Bithead

Thanks for the responses. I ran the command and this is the result for the traffic logs:

traffic: 28.00%, 1.260 GB Expiration-period: 0 days

traffic: Logs and Indexes: 1.3G Current Retention: 1 days

 

So by looking at that, I can see that the quota for traffic is 1.260GB and the disk usage is 1.3 which is over the quota and the retention is 1 day meaning that it will only show traffic logs for 1 day only?

 

Do you know how I can go about resolving the issue? 

Highlighted
L4 Transporter

A few things you migh tlook into:

you could adjust the quotas (Device -> Setup -> Management, click the gear for Logging and Reporting) to add space to the quota for Traffic - you would likely have to remove it from somewhere else.

or investigate exactly what is creating so much traffic that you are filling that log in one day - it may be illegitimate traffic or a misconfigured system.

or, log less - are there any policies that do not need to be logged? maybe somethign that allows ping, etc? (this one may not be possible due to regulatory reasons, of course)

 

Highlighted
Cyber Elite

@Technical1,

The quota for traffic logs is currently set to 28.00% of your overall disk, which amounts to 1.26 GB of space. The Expiration-period: 0 days simply means that you haven't manually set a expiration date for the logs. Where you see 'current retention' is basically the firewall saying that with the current settings and current log rate it's only able to keep a days worth of traffic. 

A few of the things that you might not have to log, but may be depending on your enviroment. 

- DHCP requests

- DNS requests

- ICMP

- SNMP to Print Servers (Printers are extremely talkative)

Essentially you either up the quota assigned to traffic, or you limit the amount of logs that are generated so that you can have a larger retention period and only have the logs for traffic you actually care about. 

 

As for how you solve it; well that really depends on what your end game here is. Even if you bump up the quota you won't have enough space on your device to allow anywhere near a weeks worth of logs. So you would either need to trim down what's being logged, or utilize Log Forwarding and push all the logs off of the firewall to something like Panorama or Splunk or similar so that you can analyze the logs off the firewall and aren't limited by its minimal storage capacity. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!