SOLVED

Palo Alto Data Connector failing on storage


Hi All,

Has anyone else deployed a Log Collector for Palo Alto only to find that it runs out of storage - it's almost like the "Log Collector" itself is not trimming the logs after being parsed thru?


This is an OnPrem Linux unit


Command from Log Collector blade

sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&s... python cef_installer.py xxxxxxxxxxxxx-==


@David Caddick have you tried the troubleshooter? https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/CEF/cef_troubleshoot.py I think it now advises on disk space issues

best response confirmed by David Caddick (Iron Contributor)
Solution

@David Caddick 

There are two places that you define this, depending on the operating system.


In the rsyslog.conf file you will see a line like this

*.*;auth,authpriv.none          -/var/log/syslog

*.*;auth,authpriv.none          -/var/log/messages

Or in the /etc/rsyslog.d/50-default.conf

*.*;auth,authpriv.none          -/var/log/syslog

*.*;auth,authpriv.none          -/var/log/messages


The fix is to put a # in front of the line and restart the rsyslog server


systemctl restart rsyslog


The local file should stop growing


tail -f /var/log/syslog or /var/log/messages
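The fix above as an added shell example (my code, not from the thread): it comments out the catch-all "*.*;auth,authpriv.none" rule in the two rsyslog config files named in the solution, restarts rsyslog, and then checks whether the local file has stopped growing. It assumes a sed that accepts -i.bak (GNU and BSD both do) and that rsyslog runs under systemd on the collector host.

```shell
#!/bin/sh
# Added example, not from the thread: automate the fix described above.
# Assumes sed supports -i.bak (GNU and BSD do) and rsyslog runs under systemd.

# Comment out every active "*.*;auth,authpriv.none" catch-all rule in one
# rsyslog config file. Prints how many lines were changed; already-commented
# lines are left alone, so re-running is safe. A .bak copy is kept.
comment_catchall_rule() {
    cfg="$1"
    changed=$(grep -c '^[[:space:]]*\*\.\*;auth,authpriv\.none' "$cfg" || true)
    sed -i.bak 's/^\([[:space:]]*\*\.\*;auth,authpriv\.none\)/#\1/' "$cfg"
    echo "${changed:-0}"
}

# Succeed (exit 0) only if the file grew during the wait, i.e. something is
# still writing to it; used to confirm /var/log/syslog has stopped growing.
file_growing() {
    f="$1"
    wait_s="${2:-5}"
    before=$(wc -c < "$f" | tr -d ' ')
    sleep "$wait_s"
    after=$(wc -c < "$f" | tr -d ' ')
    [ "$after" -gt "$before" ]
}

# Apply the fix on the collector host (run as root with --apply).
apply_fix() {
    total=0
    for cfg in /etc/rsyslog.conf /etc/rsyslog.d/50-default.conf; do
        [ -f "$cfg" ] || continue
        n=$(comment_catchall_rule "$cfg")
        echo "$cfg: commented $n catch-all rule(s)"
        total=$((total + n))
    done
    if [ "$total" -gt 0 ]; then
        systemctl restart rsyslog
    fi
    for log in /var/log/syslog /var/log/messages; do
        [ -f "$log" ] || continue
        if file_growing "$log" 5; then
            echo "$log is still growing; another rule must still be writing to it"
        else
            echo "$log has stopped growing"
        fi
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_fix
fi
```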

Thanks @Roger_Fleming @CliveWatson,


Great info, thanks for that, and I'll report back how we progress on getting this resolved.
