Traffic: Logs and Indexes and Current Retention

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Traffic: Logs and Indexes and Current Retention

L0 Member

Found our that our FW1 only able to keep 4 days of traffic logs but took more space than FW02 which able to log up to 15 days ( previously FW2 in active for around 2 weeks+)

 

FW01

FW02

 

Disk usage:

traffic: Logs and Indexes: 34G Current Retention: 4 days

threat: Logs and Indexes: 18G Current Retention: 6 days

system: Logs and Indexes: 4.7G Current Retention: 837 days

 

FW01(active)> show system disk-space

 

Filesystem      Size  Used Avail Use% Mounted on

/dev/sda3        19G  5.8G   13G  33% /

none            7.7G   60K  7.7G   1% /dev

/dev/sda5        38G  5.2G   31G  15% /opt/pancfg

/dev/sda6        19G   11G  7.0G  61% /opt/panrepo

tmpfs           7.7G  395M  7.3G   6% /dev/shm

cgroup_root     7.7G     0  7.7G   0% /cgroup

/dev/sda8       125G   96G   23G  82% /opt/panlogs

 

 

Disk usage:

traffic: Logs and Indexes: 21G Current Retention: 15 days

threat: Logs and Indexes: 16G Current Retention: 19 days

system: Logs and Indexes: 1.6G Current Retention: 1761 days

 

FW02(passive)> show system disk-space

 

Filesystem      Size  Used Avail Use% Mounted on

/dev/sda3        19G  5.6G   13G  32% /

none            7.7G   60K  7.7G   1% /dev

/dev/sda5        38G  5.3G   31G  15% /opt/pancfg

/dev/sda6        19G   10G  7.8G  57% /opt/panrepo

tmpfs           7.7G  395M  7.3G   6% /dev/shm

cgroup_root     7.7G     0  7.7G   0% /cgroup

/dev/sda8       125G   71G   48G  60% /opt/panlogs

 

 

Meanwhile, please answer the following question below for further checking:

 

  1. Have you made any recent changes or is it a new issue? – notice this issue was quite sometimes
  2. Can you give us the picture error of the issue? – There no error, just the days is lower than fw2, need help to check why this behavior
  3. When did this issue happen? – unsure

 

 

1 REPLY 1

L4 Transporter

Hello Noor_sofia,

 

I don't know if the techsupport files are shared on purpose or not.
Usually, it is something usable by TAC. 
Sharing it here is just exposing your firewalls configuration to a public forum.
The password is encrypted, but a bad actor would be able to trace back to your organisation.

 

Regarding the query : if the FW2 is the passive, it may be normal.
The current retention is a calculated estimation of the retention based on the amount of traffic (the more session you have, the more logs are generated), and the disk space.


Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

  • 1105 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!