"Number of hints on disk has exceeded 5000 due to log forward failures."


L2 Linker

Hi,

I have a client (PA-5220, version 8.0.9) who is continuously (every hour) getting this error message in Monitor -> System: "Number of hints on disk has exceeded 5000 due to log forward failures."

At first we thought it was due to the parameter configured under Device -> Setup -> Management -> Logging and Reporting Settings -> Max Rows in User Activity Report, since the value was 5000, but we are no longer sure.

We also suspected it was due to the maximum number of user authentication errors and/or external log elements, and we limited the storage of these types of logs. But the alarm is still active.

We do not know the origin of this error, so we cannot solve it and stop it from appearing.

Any idea what is causing this error message and how to fix it?

1 accepted solution

Accepted Solutions

L2 Linker

Finally the problem was solved by TAC.

As we don't have a Panorama anymore, they activated the HIP Match parameter "hipmatch-any" to Panorama (under Device -> Log Settings).

After that we checked with "debug management-server rawlog_fwd show hint-state" that we had a lot of records in Number of hints on disk (over 19200), so they cleared all these hints with "debug management-server rawlog_fwd clear hints-all" until it reached 0.

We deactivated the HIP Match to Panorama and committed.

After that we have no more alarms.

11 REPLIES

L1 Bithead
Hi Ricardo,

I know this may seem old, but would you please provide us with the resolution for your issue?

I tried restarting the log receiver from the root, but this didn't solve the problem.

 

Ricardo,

I know it's been over a month now, but were you able to resolve this issue?

I had a 5220 hardware failure on my active/standby pair. I replaced the failed firewall and synced/copied the standby config to the active (my active is the one that died). Now I'm getting these alerts.

My device is registered, the license is transferred, the OS version is the same on both firewalls, and the license number was replaced in Panorama from old to new. Not sure what the deal is.

Hi,

Not yet. I see that it is possible this problem is related to Panorama. At my customer, Panorama was deactivated but not removed from the config of the Palo Alto, so I was expecting them to delete this.

After that, if it doesn't work, I'll apply the "debug software restart process log-receiver" command again.

Regards

Not sure if you have already figured this out; if not, here is my suggestion and what I did to fix this thing a few days back.

I verified this on my firewall and I saw that logs were not forwarding to Panorama:

devicename> debug log-receiver rawlog_fwd statistics global show

There were many drops in the output of the command.

I made sure the log settings are configured to forward the logs to Panorama, but on the Panorama, under Log Collector Groups, we hadn't added the firewall to the device log forwarding list. That fixed the issue, though not immediately, because the hints count only clears off once all the logs stored in the hints have been forwarded to Panorama. It will send one log per second. The maximum hint count is 20000 by default, but the device generates a high-priority system log when it exceeds 5000. I just waited until all logs in the hints were written to Panorama; however, if you want, you can clear off the hint count with

devicename> debug log-receiver rawlog_fwd clear hints-all

Hope this helps.

Best regards,

Nagarjuna

L2 Linker

This has popped up two or three times for me; in the first two it was running a FW that was a higher version than Panorama. My most recent example was running older 8.0.x log collectors against an 8.1.x Panorama and 8.1.x FW.

I would do a show logging-status to see if there is a misconfiguration and make note of the addresses.

Take the results from the prior command:

show netstat all yes | match 10.x.x.x

It should look something like this:

tcp your.firewall.com:50000 10.x.x.x:pan-panorama established

If that looks fine, then I would log on to the Panorama CLI and run this command:

show netstat all yes | match 3978 (may be 3798, not at a console)

If it shows an active connection and you are running the exact same version on the FW, Panorama or log collectors, I would open a case with PA.

I would verify that the time on all devices matches and, if using log collectors, make sure the dynamic updates are working and all are the same version; otherwise collation will not allow the logs to be processed.

You can try and run this from Panorama to see if it can restart the connection:

request log-fwd-ctrl device SERIALNUMBER start-from-lastack
request log-fwd-ctrl device SERIALNUMBER action stop
request log-fwd-ctrl device SERIALNUMBER action live
request log-fwd-ctrl device SERIALNUMBER action start

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXACA0
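An added check, not from this thread or from Palo Alto Networks, that automates the netstat step above: it parses constructed `show netstat all yes` output for the firewall's session to Panorama on port 3978 (shown by name as pan-panorama), and classifies a hint backlog using the 5000 alert threshold, 20000 default maximum and one-log-per-second drain rate stated earlier in the thread. The host addresses, sample lines and thresholds are assumptions taken from the replies, not verified against documentation.

```python
import re
from typing import Optional

# Panorama's log-collection port; PAN-OS netstat may print it by service name.
PANORAMA_PORTS = {"3978", "pan-panorama"}

# Thresholds as stated in this thread (assumed here, not verified against docs).
HINT_ALERT_THRESHOLD = 5000   # high-priority system log fires above this
HINT_MAX_DEFAULT = 20000      # default hint-count ceiling on disk

# A netstat TCP line: proto, optional recv/send queue counters, local, remote, state.
_TCP_LINE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Za-z_]+)\s*$",
    re.IGNORECASE,
)


def panorama_link_state(netstat_output: str, panorama_host: str) -> Optional[str]:
    """State (e.g. ESTABLISHED, SYN_SENT) of the firewall's TCP session to
    panorama_host on 3978/pan-panorama, or None if no such session exists."""
    for line in netstat_output.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue
        host, _, port = m.group("remote").rpartition(":")
        if host == panorama_host and port.lower() in PANORAMA_PORTS:
            return m.group("state").upper()
    return None


def hint_backlog(hints_on_disk: int, logs_per_second: float = 1.0) -> dict:
    """Classify the hint backlog and estimate drain time at the forward rate."""
    if hints_on_disk >= HINT_MAX_DEFAULT:
        level = "full"          # at the default ceiling
    elif hints_on_disk > HINT_ALERT_THRESHOLD:
        level = "alert"         # the system log seen in this thread
    else:
        level = "ok"
    return {"level": level, "drain_seconds": hints_on_disk / logs_per_second}


# Constructed sample output (not captured from a real device).
SAMPLE_OK = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:50000          192.0.2.10:3978         ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
"""
SAMPLE_STUCK = "tcp fw.example.net:50000 192.0.2.10:pan-panorama SYN_SENT\n"
```

Pipe the real `show netstat all yes` text into `panorama_link_state` and the hint count from `show hint-state` into `hint_backlog`; anything other than ESTABLISHED, or a backlog above 5000, is the condition the replies above describe.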

 

 


L1 Bithead

While this is an old thread... I wanted to share a current experience. PA-220s, no Panorama or remote logging enabled. Upgraded to 10.1.2 and within a couple of days received the Hints on Disk error. Referencing KB > https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPWtCAO, I found all "debug management-server rawlog_fwd" commands result in "Invalid Syntax".

Additionally, the "debug log-receiver rawlog_fwd clear hints-all" command ONLY removes 64 entries at a time. Rinse and repeat to achieve '0'.

Any ideas on the root cause for Hints on Disk and why they do not auto-purge? Since zeroing out, the number has been growing.

L1 Bithead

Typical... no sooner than posting, I find additional info.

Found the following CLI info for v10.1 >> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/cli-command-hierarchy-for-pan-o...

In here there is "debug log-receiver rawlog_fwd set hints-expiration-duration <0-846000>" (default is set to '0').

Asking support for "best practice" as this is a large range and I'm unclear on the effect of hints in the current environment.

L4 Transporter

Sorry to add to the way back machine, but in case someone comes across this like I did, the fix for me was to uncheck "Enable log redundancy across collectors".

Panorama > Collector Groups > [your collector group name] > General > uncheck "Enable log redundancy across collectors".

Hi Ricardo,

Is there any impact on clearing the hints count?
