Root Partition is full due to syslog-tmp files in the tmp folder
Created On 06/15/20 15:55 PM - Last Modified 08/12/20 01:59 AM
Symptom
- Unable to access the WebUI due to the full root partition
- /tmp folder is full of syslogng_tmp_x files
Environment
All firewall models running PAN-OS versions prior to PAN-OS 9.1.3
Cause
- When logs are forwarded to a syslog server over an SSL/TLS connection, the root disk fills up with syslogng_tmp files.
- The syslogng_tmp files are created when the SSL connection is made, if the server certificate references a CRL.
- The firewall downloads the CRL file and stores it in a tmp file.
- The tmp file is not cleaned up.
- This becomes an issue if the syslog server connection is unstable and flaps multiple times, since each new connection leaves another tmp file behind.
Resolution
Upgrading to PAN-OS 9.1.3 cleans up the syslogng_tmp files through the fix for PAN-134979.
To reduce the number of syslogng_tmp files on PAN-OS releases prior to 9.1.3:
- The syslog server connection can be made more stable by adding a keepalive.
- Choose a syslog server certificate that does not reference a CRL (i.e. one without a CRL Distribution Point in the certificate parameters).
- Correct the communication issue with the syslog server.
- For manual cleanup of the files from root, please contact TAC.
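
To check whether a candidate syslog server certificate references a CRL Distribution Point, as the workaround above requires, the certificate can be inspected offline before it is deployed. The following is an added example, not Palo Alto Networks code; it uses only the Python standard library, and the names `crl_uris`, `sample_cert` and the host `crl.example.test` are assumptions made for illustration.

```python
import ssl
CDP_OID = bytes.fromhex("551d1f")  # OID 2.5.29.31, cRLDistributionPoints

def read_tlv(buf, pos):  # decode one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # iterate the elements packed inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def find_uris(value):  # collect [6] uniformResourceIdentifier names, recursively
    uris = []
    for tag, val in children(value):
        if tag == 0x86:
            uris.append(val.decode("ascii"))
        elif tag & 0x20:  # constructed element: descend into it
            uris += find_uris(val)
    return uris

def crl_uris(cert):
    """CRL Distribution Point URIs of a PEM (str) or DER (bytes) certificate."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    _, tbs = next(children(read_tlv(der, 0)[1]))  # Certificate -> tbsCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            _, exts = next(children(val))
            for _, ext in children(exts):
                fields = list(children(ext))  # extnID, [critical], extnValue
                if fields[0][1] == CDP_OID:
                    return find_uris(fields[-1][1])
    return []  # no CDP extension present

def tlv(tag, body):  # minimal DER encoder, used only to build the sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(uri=None):  # constructed, unsigned skeleton: serial [+ CDP]
    tbs = tlv(0x02, b"\x01")
    if uri:
        cdp = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, uri.encode())))))
        tbs += tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, CDP_OID) + tlv(0x04, cdp))))
    return tlv(0x30, tlv(0x30, tbs))
```

Passing the text of a real PEM file to `crl_uris` returns an empty list when the certificate has no CRL Distribution Point; any URI returned is a CRL location the certificate references.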