
Traffic logs only available for last 9 days on PA 3220


L1 Bithead

On my PA-3220 (SW version 10.1.2), /opt/panlogs/ is at around 74% and 32 GB of space is available out of 126 GB in panlogs.

I have verified the traffic logs and also generated the user activity report; they only show traffic logs for the last 7-9 days. Also, in the GUI under Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting > Maximum Rows in User Activity Report, we changed the value to 1048576 from 5000, but that made no difference.

 

I generated the tech support file, analyzed logrcvr.log, and found that the traffic logs are being purged on a regular basis (see below).

 

mp        logrcvr.log                        2022-08-31 09:26:08   2022-08-31 09:26:08.808 -0500 Checking to purge traffic logtype 
mp        logrcvr.log                        2022-08-31 09:30:00   2022-08-31 09:30:00.481 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 09:45:00   2022-08-31 09:45:00.532 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 09:45:00   2022-08-31 09:45:00.861 -0500 Checking to purge urlsum logtype 
mp        logrcvr.log                        2022-08-31 09:51:44   2022-08-31 09:51:44.398 -0500 Checking to purge threat logtype 
mp        logrcvr.log                        2022-08-31 10:00:00   2022-08-31 10:00:00.875 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 10:15:00   2022-08-31 10:15:00.863 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 10:16:50   2022-08-31 10:16:50.851 -0500 Checking to purge traffic logtype 
mp        logrcvr.log                        2022-08-31 10:30:00   2022-08-31 10:30:00.515 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 10:45:00   2022-08-31 10:45:00.347 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:00:00   2022-08-31 11:00:00.200 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:08:38   2022-08-31 11:08:38.461 -0500 Checking to purge traffic logtype 
mp        logrcvr.log                        2022-08-31 11:15:00   2022-08-31 11:15:00.046 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:30:00   2022-08-31 11:30:00.752 -0500 Checking to purge trsum logtype 
mp        logrcvr.log                        2022-08-31 11:30:00   2022-08-31 11:30:00.826 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:45:00   2022-08-31 11:45:00.907 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 11:51:56   2022-08-31 11:51:56.150 -0500 Checking to purge threat logtype 
mp        logrcvr.log                        2022-08-31 12:00:00   2022-08-31 12:00:00.633 -0500 Checking to purge appstatdb logtype 
mp        logrcvr.log                        2022-08-31 12:03:34   2022-08-31 12:03:34.172 -0500 Checking to purge traffic logtype
logrcvr.log   2022-08-31 09:45:02.489 -0500 Initing log file with version: 3
logrcvr.log   2022-08-31 09:51:44.670 -0500 Initing log file with version: 3
logrcvr.log   2022-08-31 10:16:51.209 -0500 Initing log file with version: 3
logrcvr.log   2022-08-31 11:08:38.767 -0500 Initing log file with version: 3
logrcvr.log   2022-08-31 11:30:02.394 -0500 Initing log file with version: 3
logrcvr.log   2022-08-31 11:51:56.417 -0500 Initing log file with version: 3
logrcvr.log   2022-08-31 12:03:34.479 -0500 Initing log file with version: 3

 

 

 

 

So, I am a bit confused: as per the KB articles, if the storage exceeds 95% on panlogs, then the logs are purged, but in my case it is only 74% and still they are being purged on a regular basis.

KB articles followed:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSjCAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltoCAC

 

If 32 GB is already available in panlogs with 74% usage, why are logs being purged?

 

The quota settings are attached and are set as default.

 

Regards

Didar Singh Bajwa

1 REPLY

Community Team Member

Hi @Didar_Bajwa ,

 

Are you sure you're not confusing the total allocated log storage with the individual quota for traffic logs?

 

As you can see in the screenshot, the total allocated log storage in this example is 15 GB.

However, the traffic log specifically only has 4.38 GB available. So it will start purging the traffic logs when 95% of 4.38 GB is reached. That doesn't mean that the entire allocated log storage has reached 95%, just that the traffic log quota has reached 95%.

 

kiwi_0-1662041294805.png

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
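
The distinction drawn in the reply, as an added example that is not part of the original thread: purging is evaluated per log type against that type's own quota, so one type can sit at its threshold while overall storage is far below 95%. The 15 GB total, the 4.38 GB traffic quota, the 95% threshold and the 9-day retention come from the thread; all other figures, and the steady-log-rate assumption, are constructed for illustration.

```python
from dataclasses import dataclass

PURGE_THRESHOLD = 0.95  # from the thread: purge starts at 95% of a quota

@dataclass
class LogQuota:
    name: str
    quota_gb: float  # space allotted to this log type
    used_gb: float   # space this log type currently occupies

# Constructed sample. 15 GB total and the 4.38 GB traffic quota are the
# figures from the reply; every other number is made up for illustration.
ALLOCATED_GB = 15.0
SAMPLE = [
    LogQuota("traffic", 4.38, 4.17),
    LogQuota("threat", 2.40, 0.60),
    LogQuota("other", 8.22, 3.00),
]

def overall_usage(quotas, allocated_gb):
    """Fraction of the total allocated log storage in use."""
    return sum(q.used_gb for q in quotas) / allocated_gb

def purging_types(quotas):
    """Log types whose own quota has reached the purge threshold."""
    return [q.name for q in quotas
            if q.used_gb >= PURGE_THRESHOLD * q.quota_gb]

def quota_for_retention(quota_gb, observed_days, target_days):
    """Quota needed to hold target_days of logs.

    Assumes a steady log rate: the usable part of the quota
    (PURGE_THRESHOLD * quota_gb) currently holds observed_days of logs.
    """
    daily_gb = PURGE_THRESHOLD * quota_gb / observed_days
    return daily_gb * target_days / PURGE_THRESHOLD

if __name__ == "__main__":
    print(f"overall usage: {overall_usage(SAMPLE, ALLOCATED_GB):.0%}")
    print("at purge threshold:", purging_types(SAMPLE))
    # 9 days of retention is the figure from the question's title.
    print(f"traffic quota for 30 days: "
          f"{quota_for_retention(4.38, 9, 30):.2f} GB")
```

For incident response, the retention figure that matters is the one for the specific log type being searched, so size each quota against the look-back window you need rather than against free disk space.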