Traffic logs only available for last 9 days on PA 3220

Didar_Bajwa · ‎08-31-2022

On my PA -3220 SW version: 10.1.2, /opt/panlogs/ is around 74% and 32 GB space is available out of 126 GB in panlogs.

I have verified the traffic logs and also generated the user activity report, they only show traffic logs for last 7-9 days. Also, in GUI: Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting > Maximum Rows in User Activity report, we changed the value to 1048576 from 5000 but that made no difference.

I generated the techsupport file and analyzed the logrcvr.log and found that the traffic logs are being purged on regular basis(find below).

mp        logrcvr.log                        2022-08-31 09:26:08   2022-08-31 09:26:08.808 -0500 Checking to purge traffic logtype 
mp        logrcvr.log                        2022-08-31 09:30:00   2022-08-31 09:30:00.481 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 09:45:00   2022-08-31 09:45:00.532 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 09:45:00   2022-08-31 09:45:00.861 -0500 Checking to purge urlsum logtype 
mp        logrcvr.log                        2022-08-31 09:51:44   2022-08-31 09:51:44.398 -0500 Checking to purge threat logtype 
mp        logrcvr.log                        2022-08-31 10:00:00   2022-08-31 10:00:00.875 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 10:15:00   2022-08-31 10:15:00.863 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 10:16:50   2022-08-31 10:16:50.851 -0500 Checking to purge traffic logtype 
mp        logrcvr.log                        2022-08-31 10:30:00   2022-08-31 10:30:00.515 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 10:45:00   2022-08-31 10:45:00.347 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:00:00   2022-08-31 11:00:00.200 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:08:38   2022-08-31 11:08:38.461 -0500 Checking to purge traffic logtype 
mp        logrcvr.log                        2022-08-31 11:15:00   2022-08-31 11:15:00.046 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:30:00   2022-08-31 11:30:00.752 -0500 Checking to purge trsum logtype 
mp        logrcvr.log                        2022-08-31 11:30:00   2022-08-31 11:30:00.826 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:45:00   2022-08-31 11:45:00.907 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:51:56   2022-08-31 11:51:56.150 -0500 Checking to purge threat logtype 
mp        logrcvr.log                        2022-08-31 12:00:00   2022-08-31 12:00:00.633 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 12:03:34   2022-08-31 12:03:34.172 -0500 Checking to purge traffic logtype

logrcvr.log	2022-08-31 09:45:02	2022-08-31 09:45:02.489 -0500 Initing log file with version: 3
logrcvr.log	2022-08-31 09:51:44	2022-08-31 09:51:44.670 -0500 Initing log file with version: 3
logrcvr.log	2022-08-31 10:16:51	2022-08-31 10:16:51.209 -0500 Initing log file with version: 3
logrcvr.log	2022-08-31 11:08:38	2022-08-31 11:08:38.767 -0500 Initing log file with version: 3
logrcvr.log	2022-08-31 11:30:02	2022-08-31 11:30:02.394 -0500 Initing log file with version: 3
logrcvr.log	2022-08-31 11:51:56	2022-08-31 11:51:56.417 -0500 Initing log file with version: 3
logrcvr.log	2022-08-31 12:03:34	2022-08-31 12:03:34.479 -0500 Initing log file with version: 3

So, I am bit confused that as per KB articles if the storage exceeds 95% on panlogs, then the logs are purged but in my case it is only 74% and still they are being purged on regular basis.

KB articles followed:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSjCAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltoCAC

If 32 GB is already available in panlogs with 74% usage, why logs are being purged?

The quota settings are attached and are set as default.

Regards

Didar Singh Bajwa

kiwi · ‎09-01-2022

Hi @Didar_Bajwa ,

Are you sure you're not confusing the total allocated log storage versus the individual quota for traffic logs ?

As you can see in the screenshot the total allocated log storage in this example is 15GB.

However, traffic log specifically only has 4.38 GB available. So it will start purging the traffic logs when 95% of 4.38GB is reached. That doesn't mean that the entire allocated log storage has reached 95%, just traffic log quota has reached 95%.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Unlock your full community experience!

Traffic logs only available for last 9 days on PA 3220

Traffic logs only available for last 9 days on PA 3220

Show your appreciation!