10-29-2018 05:04 AM
Hi,
I have a client (PA 5220 version 8.0.9) who continuously (every hour) is getting this error message in Monitor -> System: "Number of hints on disk has exceeded 5000 due to log forward failures."
At first we thought it was due to the parameter configured under Device -> Setup -> Management -> Logging and Reporting Settings -> Max Rows in User Activity Report since the value was 5000, but we are no longer sure.
We also suspected that it was due to the maximum number of user authentication errors and/or external log elements, and we limited the storage of this type of logs. But the alarm is still active.
We do not know the origin of this error, so we are not able to solve it and stop it from appearing.
Any idea of what is causing this error message and how to fix it?
12-09-2018 11:51 PM
12-14-2018 03:59 AM
I tried restarting the log receiver from the root but this didn't solve the problem.
01-15-2019 09:22 PM - edited 01-15-2019 09:23 PM
Ricardo,
I know it's been over a month now, but were you able to resolve this issue?
I had a 5220 hardware failure on my active/standby pair. I replaced the failed firewall and synced/copied the standby config to the active (my active is the one that died). Now I'm getting these alerts.
My device is registered, license transferred, OS version are same on both firewalls, license number was replaced in Panorama from old to new. Not sure what the deal is.
01-15-2019 11:42 PM
Hi,
Not yet. I see that it is possible this problem is related to Panorama. At my customer, Panorama was deactivated but not in the config of the Palo Alto, so I was expecting them to delete this.
After that, if it doesn't work, I'll apply the "debug software restart process log-receiver" command again.
Regards
02-13-2019 07:37 PM
Not sure if you have already figured this out; if not, here is my suggestion and what I did to fix this thing a few days back.
I did verify this on my firewall and I saw logs were not forwarding to Panorama:
devicename> debug log-receiver rawlog_fwd statistics global show
There were many drops in the output of the command.
I made sure the log settings are configured to forward the logs to Panorama,
but on the Panorama, under log collector groups, we hadn't added the firewall to the device log forwarding list. That fixed the issue. In fact, not immediately, because the hints count is something that clears off only when all the logs that were stored in the hints have been forwarded to Panorama. It will send one log per second. The maximum hint count is 20000 by default, but the device generates a high-priority system log when it exceeds 5000. I just waited until all logs on the hints were written to Panorama; however, if you want, you can clear off the hint count with
devicename> debug log-receiver rawlog_fwd clear hints-all
Hope this helps.
Best regards,
Nagarjuna
02-22-2019 02:09 PM
This has popped up two or three times for me, in the first two it was running a fw that was a higher version than Panorama. My most recent example was running an older version of 8.0.x log collectors against a 8.1.x Panorama and 8.1.x FW.
I would do a show logging-status to see if there is a misconfiguration and make note of the addresses.
Take the results from the prior command:
show netstat all yes | match 10.x.x.x
It should look something like this:
tcp your.firewall.com:50000 10.x.x.x:pan-panorama established
If that looks fine, then I would logon to the Panorama CLI and run this command:
show netstat all yes | match 3978 (may be 3798, not at a console)
If it shows an active connection and you are running the exact same version on the fw, panorama or log collectors I would open a case with PA.
I would verify that the time on all devices matches and, if using log collectors, make sure the dynamic updates are working and all are the same version, otherwise collation will not allow the logs to be processed.
You can try and run this from Panorama to see if it can restart the connection.
request log-fwd-ctrl device SERIALNUMBER start-from-lastack
request log-fwd-ctrl device SERIALNUMBER action stop
request log-fwd-ctrl device SERIALNUMBER action live
request log-fwd-ctrl device SERIALNUMBER action start
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXACA0
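The connection check described in the post above, as an added example that is not part of the original thread: it reads saved `show netstat all yes` output and reports, for each Panorama or log collector address, whether an established session exists. The sample lines and addresses are constructed, and treating port 3978 as the numeric form of `pan-panorama` is an assumption.

```python
# Added example: flag Panorama / log collector addresses that have no
# established session in saved "show netstat all yes" output.
PANORAMA_PORTS = {"pan-panorama", "3978"}  # assumption: 3978 is the numeric form

# Constructed sample output; addresses are documentation-range placeholders.
SAMPLE = """\
tcp fw1.example.com:50000 192.0.2.10:pan-panorama established
tcp        0      1 fw1.example.com:41822 192.0.2.11:3978 SYN_SENT
tcp        0      0 fw1.example.com:22 198.51.100.7:51515 ESTABLISHED
"""

def parse_line(line):
    """Return (remote_host, remote_port, state), or None for non-TCP lines."""
    parts = line.split()
    if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
        return None
    # Works with or without the Recv-Q/Send-Q columns: the state is the last
    # field and the foreign address is the field just before it.
    state = parts[-1].upper()
    host, sep, port = parts[-2].rpartition(":")
    if not sep:
        return None
    return host, port, state

def forwarding_status(netstat_text, collectors, ports=PANORAMA_PORTS):
    """Map each collector address to 'established', the states seen, or 'no session'."""
    # Addresses must be given in the form the output shows (IP or resolved name).
    seen = {addr: set() for addr in collectors}
    for line in netstat_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, port, state = parsed
        if host in seen and port in ports:
            seen[host].add(state)
    result = {}
    for addr, states in seen.items():
        if "ESTABLISHED" in states:
            result[addr] = "established"
        elif states:
            result[addr] = "not established: " + ", ".join(sorted(states))
        else:
            result[addr] = "no session"
    return result

if __name__ == "__main__":
    targets = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for addr, status in forwarding_status(SAMPLE, targets).items():
        print(addr, status)
```

An address reported as anything other than `established` is one where forwarded logs cannot be delivered, which is the condition under which hints accumulate on disk.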
04-08-2019 11:31 PM
Finally the problem was solved by TAC.
As we don't have a Panorama anymore, they activated the HIP Match parameter "hipmatch-any" to Panorama (under Device -> Log Settings).
After that we checked with "debug management-server rawlog_fwd show hint-state" that we had a lot of records in
Number of hints on disk (over 19200), so they cleared all these hints with "debug management-server rawlog_fwd clear hints-all" until reaching 0.
We deactivated the HIP Match to the Panorama and committed.
After that we don't have more alarms.
10-21-2021 10:02 AM - edited 10-21-2021 10:11 AM
While this is an old thread... wanted to share current experience. PA220's - No Panorama or remote logging enabled. Upgraded to 10.1.2 and within a couple days received the Hints on Disk error. Referencing KB > https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPWtCAO found all "Debug management-server rawlog_fwd" commands result in "Invalid Syntax".
Additionally, the "debug log-receiver rawlog_fwd clear hints-all" ONLY removes 64 entries at a time. Rinse and repeat to achieve '0'.
Any ideas on root cause for Hints on disk and why they do not auto-purge? Since zero-ing out, the number has been growing.
10-21-2021 10:28 AM
Typical... no sooner than posting I find additional info.
Found the following CLI info for v10.1 >> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/cli-command-hierarchy-for-pan-o...
In here there is "debug log-receiver rawlog_fwd set hints-expiration-duration <0-846000>" (default is set to '0')
Asking support for "best-practice" as this is a large range and I'm unclear on the effect of hints in the current environment.
12-03-2021 10:36 AM
Sorry to add to the way back machine, but in case someone comes across this like I did, the fix for me was to uncheck the "Enable log redundancy across collectors".
Panorama > Collector Groups > [your collector group name] > General > uncheck the "Enable log redundancy across collectors".
09-05-2023 05:25 PM
Hi Ricardo,
Is there any impact on clearing the hints count?
05-28-2024 09:10 AM - edited 05-28-2024 09:11 AM
Also, if you can restart the log receiver process on Firewall and then delete the log-collector preference list it works fine.
10-16-2024 12:58 AM
Hi Sir,
Can you share with us how to restart this?
10-16-2024 12:04 PM
Use the commands below
debug software restart process log-receiver
delete log-collector preference-list
This should fix the issue.
Regards