Device Type: PA-220
Software Version: 8.0.11-h1
Im having an issue with old traffic logs not showing up on the monitoring tab. I can see live logs but if I want to check the logs for the previous day or previous 2 days then nothing shows up. It only goes back to a certain time. We have cleared all the logs on Friday 13 July so that it can start logging new entries. I logged on today wanting to check the logs for yesterday and I could only go back as far as 14:22. If I filter the time to 14:21 then it shows nothing.
Are there any known issues like this one for the PA-220?
Is there anyone that faced or facing the same issue?
The 220 doesn't have a lot of logging space allocated. Are you sure that these logs aren't simply getting deleted to allow the current logs to actually write? That's likely what you're running into.
Taht should be easy enough to determine, from the CLI execute the command show system logdb-quota
Thsi will show the configured quoteas, then the disk usage and number of days retained - if the traffic usage is at or above the quota and only lists 1-2 days retained, you are using all of the allowed log space.
Thanks for the responses. I ran the command and this is the result for the traffic logs:
traffic: 28.00%, 1.260 GB Expiration-period: 0 days
traffic: Logs and Indexes: 1.3G Current Retention: 1 days
So by looking at that, I can see that the quota for traffic is 1.260GB and the disk usage is 1.3 which is over the quota and the retention is 1 day meaning that it will only show traffic logs for 1 day only?
Do you know how I can go about resolving the issue?
A few things you migh tlook into:
you could adjust the quotas (Device -> Setup -> Management, click the gear for Logging and Reporting) to add space to the quota for Traffic - you would likely have to remove it from somewhere else.
or investigate exactly what is creating so much traffic that you are filling that log in one day - it may be illegitimate traffic or a misconfigured system.
or, log less - are there any policies that do not need to be logged? maybe somethign that allows ping, etc? (this one may not be possible due to regulatory reasons, of course)
The quota for traffic logs is currently set to 28.00% of your overall disk, which amounts to 1.26 GB of space. The Expiration-period: 0 days simply means that you haven't manually set a expiration date for the logs. Where you see 'current retention' is basically the firewall saying that with the current settings and current log rate it's only able to keep a days worth of traffic.
A few of the things that you might not have to log, but may be depending on your enviroment.
- DHCP requests
- DNS requests
- SNMP to Print Servers (Printers are extremely talkative)
Essentially you either up the quota assigned to traffic, or you limit the amount of logs that are generated so that you can have a larger retention period and only have the logs for traffic you actually care about.
As for how you solve it; well that really depends on what your end game here is. Even if you bump up the quota you won't have enough space on your device to allow anywhere near a weeks worth of logs. So you would either need to trim down what's being logged, or utilize Log Forwarding and push all the logs off of the firewall to something like Panorama or Splunk or similar so that you can analyze the logs off the firewall and aren't limited by its minimal storage capacity.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!