SOLVED

Palo Alto Data Connector failing on storage

Frequent Contributor

Hi All,

Has anyone else deployed a Log Collector for Palo Alto only to find that it runs out of storage? It's almost like the "Log Collector" itself is not trimming the logs after they have been parsed through.

 

This is an OnPrem Linux unit

 

Command from Log Collector blade

sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&s... python cef_installer.py xxxxxxxxxxxxx-==

3 Replies

@David Caddick have you tried the troubleshooter?  https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/CEF/cef_troubleshoot.py  I think it now advises on disk space issues

best response confirmed by David Caddick (Frequent Contributor)
Solution

@David Caddick 

There are two places where you define this, depending on the operating system.

 

In the rsyslog.conf file you will see lines like these:

*.*;auth,authpriv.none          -/var/log/syslog

*.*;auth,authpriv.none          -/var/log/messages

Or in /etc/rsyslog.d/50-default.conf:

*.*;auth,authpriv.none          -/var/log/syslog

*.*;auth,authpriv.none          -/var/log/messages

 

The fix is to put a # in front of the line and restart the rsyslog server:

 

systemctl restart rsyslog

 

The local file should stop growing:

 

tail -f /var/log/syslog or /var/log/messages
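The edit described in the accepted answer, as an added example that is not part of the original thread: a small POSIX shell function that comments out the active catch-all rsyslog rules (the `*.*;auth,authpriv.none ... -/var/log/syslog` and `/var/log/messages` lines) in whichever file you pass it, keeps a `.bak` copy, and reports how many active catch-all rules remain. The config path is an argument; the sample file at the end is constructed for the demo, and the function does not restart rsyslog, so run `systemctl restart rsyslog` afterwards as the answer says.

```shell
#!/bin/sh
# Added example (not from the thread): disable rsyslog's catch-all rules so the
# CEF collector stops mirroring every forwarded line into the local
# /var/log/syslog or /var/log/messages file, which is what fills the disk.

# ERE for an active (uncommented) catch-all rule such as
#   *.*;auth,authpriv.none          -/var/log/syslog
RULE='\*\.\*;auth,authpriv\.none[[:space:]]+-?/var/log/(syslog|messages)'

# Prefix each matching rule with '# ', keep <file>.bak, and print the number
# of active catch-all rules still present (0 means the file is fixed).
comment_catchall_rules() {
  conf="$1"
  sed -i.bak -E "s@^(${RULE})@# \1@" "$conf"
  # grep -c exits 1 when the count is 0, so keep the function's status at 0
  grep -cE "^${RULE}" "$conf" || true
}

# Constructed sample standing in for /etc/rsyslog.d/50-default.conf (path
# assumed from the thread). The auth.log rule and the already-commented
# line must be left untouched.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/50-default.conf"
printf '%s\n' \
  '*.*;auth,authpriv.none          -/var/log/syslog' \
  'auth,authpriv.*                 /var/log/auth.log' \
  '# *.*;auth,authpriv.none        -/var/log/messages' > "$demo_conf"

echo "active catch-all rules left: $(comment_catchall_rules "$demo_conf")"
cat "$demo_conf"
rm -rf "$demo_dir"
```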

Thanks @Roger_Fleming @CliveWatson,

 

Great info, thanks for that. I'll report back on how we progress with getting this resolved.