Traffig Log database exceeds alarm threshold value(90%) of total allowed size (xxxx) Issue

Reply
Highlighted
L3 Networker

Traffig Log database exceeds alarm threshold value(90%) of total allowed size (xxxx) Issue

Hello Community,

 

Actually I have an issue with traffic log alarm.

 

First,  I want to know more related to traffic log works.

 

Actually the PA has assingned 32% (38.06 GB) of quota.

 

 

In the security rules the flag is check in the option "end the session" and these logs, palo alto sends to external syslog server.

 

 

Why does the traffic log is filling the PA quota so fast ?

What I found it seems like it caused by receiving too much to log and it can't purge the logs fast enough to keep them under the threshold.     
does that sound about right?

 

I run the command "less mp-log ms.log"  and do not found the log is purging, How to do to set up the purge in the logs ?.

 

It sounded like the logs are designed to stay close to the threshold, then purge when it is exceeded.

Is it correct to say the system is designed to keep the log storage close to 90% threshold.
It purges the logs when threshold is exceeded.
When it can not purge logs fast enough it generates the errors.

what do you recomended to solve this issue ?

 

Thanks a lot for your comments.

 

Best Regards

Andres Padilla

 

 


Accepted Solutions
Highlighted
L4 Transporter

Hello Andres,

 

The device will start overwriting the oldest logs automatically when the quota is full, so the drive will always be full as the logs will roll round. The device will still be writing logs to the drive even if you have a log forwarding profile set up. You can always export the logs and then delete them from the device to clear some space. 

 

Logging at session end is a good way of cutting down on logs generated, as well as only logging the rules you need to see i.e you can turn off logging the default deny rule which you might not be interested in. It seems like you are just generating too many logs for the amount of disk space you have in your quota, but personally I wouldn't worry too much about that as you are sending all your logs to a syslog server so you have a copy there which you can archive.

 

hope this helps,

Ben

View solution in original post


All Replies
Highlighted
L4 Transporter

Hello Andres,

 

The device will start overwriting the oldest logs automatically when the quota is full, so the drive will always be full as the logs will roll round. The device will still be writing logs to the drive even if you have a log forwarding profile set up. You can always export the logs and then delete them from the device to clear some space. 

 

Logging at session end is a good way of cutting down on logs generated, as well as only logging the rules you need to see i.e you can turn off logging the default deny rule which you might not be interested in. It seems like you are just generating too many logs for the amount of disk space you have in your quota, but personally I wouldn't worry too much about that as you are sending all your logs to a syslog server so you have a copy there which you can archive.

 

hope this helps,

Ben

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!