Forum Discussion
Palo Alto Data Connector failing on storage
Hi All,
Has anyone else deployed a Log Collector for Palo Alto only to find that it runs out of storage - it's almost like the "Log Collector" itself is not trimming the logs after being parsed thru?
This is an OnPrem Linux unit
Command from Log Collector blade
sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py xxxxxxxxxxxxx-==
There are two places that you define this depending on the Operating system
In the rsyslog.conf file you will see a line like this
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none -/var/log/messages
Or in the /etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none -/var/log/messages
The fix is to put a # in front of the line and restart the rsyslog server
Systemctl restart rsyslog
The local file should stop growing
tail -f /var/log/syslog or /var/log/messages
3 Replies
There are two places that you define this depending on the Operating system
In the rsyslog.conf file you will see a line like this
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none -/var/log/messages
Or in the /etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none -/var/log/messages
The fix is to put a # in front of the line and restart the rsyslog server
Systemctl restart rsyslog
The local file should stop growing
tail -f /var/log/syslog or /var/log/messages
Thanks Roger_Fleming & CliveWatson,
Great info, thanks for that and I'll report back how we progress on getting this resolved
David Caddick have you tried the troubleshooter? https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/CEF/cef_troubleshoot.py I think it now advises on disk space issues
