Oct 25 2020 11:41 PM
Hi All,
Has anyone else deployed a Log Collector for Palo Alto only to find that it runs out of storage? It's almost like the "Log Collector" itself is not trimming the logs after they have been parsed through.
This is an OnPrem Linux unit
Command from Log Collector blade
sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&s... python cef_installer.py xxxxxxxxxxxxx-==
Oct 28 2020 08:09 AM
@David Caddick have you tried the troubleshooter? https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/CEF/cef_troubleshoot.py I think it now advises on disk space issues
Oct 28 2020 09:29 AM
Solution
There are two places that you define this, depending on the operating system.
In the rsyslog.conf file you will see a line like this
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none -/var/log/messages
Or in the /etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none -/var/log/syslog
*.*;auth,authpriv.none -/var/log/messages
The fix is to put a # in front of the line and restart the rsyslog server
systemctl restart rsyslog
The local file should stop growing
tail -f /var/log/syslog or /var/log/messages
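As an added example (not code from the thread above), this script automates the fix described in the answer: it comments out the rsyslog catch-all rules that write every message to /var/log/syslog or /var/log/messages, keeps a backup, and reports how many active catch-all rules remain. The function and file names are assumptions; it runs here against a constructed sample config so it can be checked before touching the real file.

```shell
#!/bin/sh
# Added example: disable the local catch-all rules in an rsyslog config so a
# CEF log collector does not also keep a full local copy of every forwarded event.
# Function names and the sample config below are constructed for this example.

# Comment out active rules whose target is /var/log/syslog or /var/log/messages.
# Lines already starting with '#' are left untouched; a .bak copy is kept.
disable_local_catchall() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak"
    sed -E 's,^([^#].*[[:space:]]-?/var/log/(syslog|messages))[[:space:]]*$,# \1,' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Count catch-all rules that are still active (uncommented) in the file.
count_active_catchall() {
    grep -cE '^[^#].*[[:space:]]-?/var/log/(syslog|messages)[[:space:]]*$' "$1" || true
}

# Demo on a constructed copy of a typical /etc/rsyslog.d/50-default.conf.
sample=$(mktemp)
printf '%s\n' \
    '# sample rsyslog rules (constructed for this example)' \
    'auth,authpriv.*                 /var/log/auth.log' \
    '*.*;auth,authpriv.none          -/var/log/syslog' \
    'kern.*                          -/var/log/kern.log' > "$sample"

echo "active catch-all rules before: $(count_active_catchall "$sample")"
disable_local_catchall "$sample"
echo "active catch-all rules after:  $(count_active_catchall "$sample")"
cat "$sample"
# On a real collector run this against the live config file, then:
#   sudo systemctl restart rsyslog
rm -f "$sample" "$sample.bak"
```

After restarting rsyslog, confirm with `tail -f` on the local log file that it has stopped growing; the backup lets you restore the original rule if anything else depended on it.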
Oct 28 2020 06:07 PM
Thanks @Roger_Fleming & @CliveWatson,
Great info, thanks for that and I'll report back how we progress on getting this resolved