Forum Discussion
Solved
Palo Alto Data Connector failing on storage
Hi All, Has anyone else deployed a Log Collector for Palo Alto only to find that it runs out of storage - it's almost like the "Log Collector" itself is not trimming the logs after being parsed thru...
There are two places that you define this depending on the Operating system
In the rsyslog.conf file you will see a line like this
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none -/var/log/messages
Or in the /etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none -/var/log/messages
The fix is to put a # in front of the line and restart the rsyslog server
Systemctl restart rsyslog
The local file should stop growing
tail -f /var/log/syslog or /var/log/messages
David Caddick have you tried the troubleshooter? https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/CEF/cef_troubleshoot.py I think it now advises on disk space issues