cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Palo Alto Data Connector failing on storage

David Caddick
Iron Contributor

‎Oct 25 2020 11:41 PM

‎Oct 25 2020 11:41 PM

Palo Alto Data Connector failing on storage

Hi All,

Has anyone else deployed a Log Collector for Palo Alto only to find that it runs out of storage - it's almost like the "Log Collector" itself is not trimming the logs after being parsed thru?

 

This is an OnPrem Linux unit

 

Command from Log Collector blade

sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&s... python cef_installer.py xxxxxxxxxxxxx-==

1,101 Views
0 Likes
3 Replies
Reply
3 Replies
CliveWatson

‎Oct 28 2020 08:09 AM

‎Oct 28 2020 08:09 AM

Re: Palo Alto Data Connector failing on storage

@David Caddick have you tried the troubleshooter?  https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/CEF/cef_troubleshoot.py  I think it now advises on disk space issues

0 Likes
Reply
best response confirmed by David Caddick (Iron Contributor)
Roger_Fleming

‎Oct 28 2020 09:29 AM

‎Oct 28 2020 09:29 AM

Solution

Re: Palo Alto Data Connector failing on storage

@David Caddick 

There are two places that you define this depending on the Operating system

 

In the rsyslog.conf file you will see a line like this

*.*;auth,authpriv.none          -/var/log/syslog

*.*;auth,authpriv.none          -/var/log/messages

Or in the /etc/rsyslog.d/50-default.conf

*.*;auth,authpriv.none          -/var/log/syslog

*.*;auth,authpriv.none          -/var/log/messages

 

The fix is to put a # in front of the line and restart the rsyslog server

 

Systemctl restart rsyslog

 

The local file should stop growing

 

tail -f /var/log/syslog or /var/log/messages

1 Like
Reply
David Caddick

‎Oct 28 2020 06:07 PM

‎Oct 28 2020 06:07 PM

Re: Palo Alto Data Connector failing on storage

Thanks @Roger_Fleming@CliveWatson,

 

Great info, thanks for that and I'll report back how we progress on getting this resolved  

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by David Caddick (Iron Contributor)
Roger_Fleming

‎Oct 28 2020 09:29 AM

‎Oct 28 2020 09:29 AM

Solution

Re: Palo Alto Data Connector failing on storage

@David Caddick 

There are two places that you define this depending on the Operating system

 

In the rsyslog.conf file you will see a line like this

*.*;auth,authpriv.none          -/var/log/syslog

*.*;auth,authpriv.none          -/var/log/messages

Or in the /etc/rsyslog.d/50-default.conf

*.*;auth,authpriv.none          -/var/log/syslog

*.*;auth,authpriv.none          -/var/log/messages

 

The fix is to put a # in front of the line and restart the rsyslog server

 

Systemctl restart rsyslog

 

The local file should stop growing

 

tail -f /var/log/syslog or /var/log/messages

View solution in original post

1 Like
Reply