Root Partition is full due to syslog-tmp files in the tmp folder

Root Partition is full due to syslog-tmp files in the tmp folder

11838
Created On 06/15/20 15:55 PM - Last Modified 08/12/20 01:59 AM


Symptom


  • Unable to access the WebUI due to the full root partition
  • /tmp folder is full of syslogng_tmp_x  files 

Environment


All Model Firewalls on PAN-OS versions prior to PAN-OS 9.1.3

Cause


  • When using SSL/TLS connection forwarding logs to a syslog server, the root disk is getting full of syslogng_tmp files.
  • The syslogng_tmp files are created when the SSL connection is made - if the server certificate has a CRL list.
  • The firewall downloads the CRL file and stores it in the tmp file.
  • The tmp file is not being cleaned up.
  • This can be an issue if the syslog server connection is unstable and is flapping multiple times.

Resolution


Upgrading to 9.1.3 will clean up the syslogng_tmp files via PAN-134979 fix

In order to reduce the number of syslogng_tmp files in PAN-OS releases prior to 9.1.3:
  1. The syslog server connection can be made more stable by adding a keepalive.
  2. Choose a syslog server certificate that doesn't reference a CRL list (i.e. the CRL Distribution Point in the cert parameters)
  3. Correct the communication issue to the syslog server
  4. For manual clean up of the files from root please contact TAC 

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008URM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language