Symptom
- The /opt/panlogs disk partition is high
> show system disk-space Filesystem Size Used Avail Use% Mounted on /dev/root 7.0G 4.1G 2.6G 62% / none 3.2G 92K 3.2G 1% /dev /dev/sda5 16G 2.4G 13G 16% /opt/pancfg /dev/sda6 8.0G 3.2G 4.4G 43% /opt/panrepo tmpfs 2.2G 1.7G 492M 78% /dev/shm cgroup_root 3.2G 0 3.2G 0% /cgroup /dev/sda8 125G 115G 3.7G 97% /opt/panlogs <----- Shows above 95%
Environment
- Palo Alto Firewall
Resolution
- To reduce disk usage instantly, delete all logs for a given log type (logs can not be deleted according to the date).
- The following logs can be cleared
- Traffic logs
- Threat, URL, and Data Logs
- Configuration logs
- System logs
- HIP Match logs
- GlobalProtect logs
- Alarm logs
- Tunnel, GTP logs
- User-ID logs
- IP-Tag logs
- Authentication logs
- Decryption logs
- ACC database (CLI command only)
- SCTP logs (CLI command only)
Clear logs via the WebGUI
- Device > Log Setting > Scroll down to Manage Logs.
- Click the log type you want to clear and click YES to confirm the request.
Clear logs via the CLI
- Log into CLI
- Use the clear log command to clear the log type you want, then confirm.admin@PAN> clear log > acc ACC database > alarm Alarm logs > auth Authentication logs > config Configuration logs > decryption Decryption logs > globalprotect GlobalProtect logs > gtp Tunnel and GTP logs > hipmatch Hipmatch database > iptag Iptag logs > sctp SCTP logs > system System logs > threat Threat logs > traffic Traffic logs > userid User-ID logs (Example clearing hipmatch log) admin@PAN> clear log hipmatch Hipmatch database will be removed. Do you want to continue? (y or n) Note: Clearing the threat log also clears the URL log.
If none of the above remediation steps resolve the issue, it is recommended to collect the following Troubleshooting Data below and open a Support Case.
- Collect Tech Support File (GUI: Device > Support Click Generate Tech Support File)
- Collect the output of the CLI show system disk-space
Additional Information
- To prevent logs from filling up /opt/panlogs Disk quota can be utilized and adjusted. (Device > Setup > scroll down to Logging and Reporting Settings)
- Logs are purged when the quota is exceeded, so it is recommended not to allocate more than 95% of the space to allow some buffer space. Set the “Max Days” (Retention Period) so that log purging operation works seamlessly and prevents the disk from filling up. See How to Determine How Much Disk Space is Allocated to Logs
Ref: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSjCAK