How to Clear Logs To Increase Disk Space on a Palo Alto Firewall

Symptom

  • Disk usage on the /opt/panlogs partition is high, as shown by the following CLI command:
> show system disk-space

Filesystem      Size  Used Avail Use% Mounted on
/dev/root       7.0G  4.1G  2.6G  62% /
none            3.2G   92K  3.2G   1% /dev
/dev/sda5        16G  2.4G   13G  16% /opt/pancfg
/dev/sda6       8.0G  3.2G  4.4G  43% /opt/panrepo
tmpfs           2.2G  1.7G  492M  78% /dev/shm
cgroup_root     3.2G     0  3.2G   0% /cgroup
/dev/sda8       125G  115G  3.7G  97% /opt/panlogs   <----- Shows above 95%
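
A check that a monitoring host could run over saved `show system disk-space` output to flag /opt/panlogs once it passes the 95% mark shown above. This is an added example, not code from the original article or from Palo Alto Networks; the function names are hypothetical and the sample text is constructed from the output above.

```python
import re

# Constructed sample: rows taken from the Symptom output above, saved as text.
SAMPLE = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       7.0G  4.1G  2.6G  62% /
tmpfs           2.2G  1.7G  492M  78% /dev/shm
cgroup_root     3.2G     0  3.2G   0% /cgroup
/dev/sda8       125G  115G  3.7G  97% /opt/panlogs   <----- Shows above 95%
"""

UNITS = {"": 1, "K": 2**10, "M": 2**20, "G": 2**30, "T": 2**40}
ROW = re.compile(
    r"^(?P<fs>\S+)\s+(?P<size>[\d.]+[KMGT]?)\s+(?P<used>[\d.]+[KMGT]?)\s+"
    r"(?P<avail>[\d.]+[KMGT]?)\s+(?P<pct>\d+)%\s+(?P<mount>/\S*)"
)

def to_bytes(text):
    """Convert a human-readable size such as '3.7G', '492M' or '0' to bytes."""
    m = re.fullmatch(r"([\d.]+)([KMGT]?)", text)
    return int(float(m.group(1)) * UNITS[m.group(2)])

def parse_disk_space(output):
    """Return {mount: row dict}; header, blank and unparsable lines are skipped."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:  # anything after the mount point (e.g. an annotation) is ignored
            rows[m["mount"]] = {
                "filesystem": m["fs"],
                "size": to_bytes(m["size"]),
                "used": to_bytes(m["used"]),
                "avail": to_bytes(m["avail"]),
                "use_pct": int(m["pct"]),
            }
    return rows

def over_threshold(output, threshold=95, mounts=("/opt/panlogs",)):
    """List (mount, use%) for watched mounts whose Use% is above threshold."""
    rows = parse_disk_space(output)
    return [(mp, rows[mp]["use_pct"]) for mp in mounts
            if mp in rows and rows[mp]["use_pct"] > threshold]

if __name__ == "__main__":
    for mount, pct in over_threshold(SAMPLE):
        print(f"{mount} is at {pct}% (above 95%)")
```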

Environment

  • Palo Alto Firewall

Resolution

  • To reduce disk usage instantly, delete all logs for a given log type (logs cannot be deleted by date).
  • The following logs can be cleared:
    • Traffic logs
    • Threat, URL, and Data Logs
    • Configuration logs
    • System logs
    • HIP Match logs
    • GlobalProtect logs
    • Alarm logs
    • Tunnel, GTP logs
    • User-ID logs
    • IP-Tag logs
    • Authentication logs
    • Decryption logs
    • ACC database (CLI command only)
    • SCTP logs (CLI command only)

Clear logs via the WebGUI

  1. Go to Device > Log Settings and scroll down to Manage Logs.
  2. Click the log type you want to clear and click YES to confirm the request.

Clear logs via the CLI

  1. Log into CLI
  2. Use the clear log command to clear the log type you want, then confirm.

     admin@PAN> clear log
     > acc             ACC database
     > alarm           Alarm logs
     > auth            Authentication logs
     > config          Configuration logs
     > decryption      Decryption logs
     > globalprotect   GlobalProtect logs
     > gtp             Tunnel and GTP logs
     > hipmatch        Hipmatch database
     > iptag           Iptag logs
     > sctp            SCTP logs
     > system          System logs
     > threat          Threat logs
     > traffic         Traffic logs
     > userid          User-ID logs

     (Example clearing hipmatch log)
     admin@PAN> clear log hipmatch
     Hipmatch database will be removed. Do you want to continue? (y or n)

     Note: Clearing the threat log also clears the URL log.

If none of the above remediation steps resolve the issue, it is recommended to collect the following troubleshooting data and open a Support Case.

  1. Collect the Tech Support File (GUI: Device > Support, click Generate Tech Support File)
  2. Collect the output of the CLI command show system disk-space

Additional Information

  • To prevent logs from filling up /opt/panlogs, the disk quota can be used and adjusted (Device > Setup > scroll down to Logging and Reporting Settings).
    • Logs are purged when the quota is exceeded, so it is recommended not to allocate more than 95% of the space, to leave some buffer. Set the “Max Days” (Retention Period) so that the log purging operation works seamlessly and prevents the disk from filling up. See How to Determine How Much Disk Space is Allocated to Logs.

Ref: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSjCAK