How to Clear Logs To Reduce Disk Space usage on /opt/panlogs

How to Clear Logs To Reduce Disk Space usage on /opt/panlogs

100811
Created On 09/25/18 19:02 PM - Last Modified 03/25/22 19:07 PM


Symptom
  • The /opt/panlogs disk partition is high
> show system disk-space

Filesystem      Size  Used Avail Use% Mounted on
/dev/root       7.0G  4.1G  2.6G  62% /
none            3.2G   92K  3.2G   1% /dev
/dev/sda5        16G  2.4G   13G  16% /opt/pancfg
/dev/sda6       8.0G  3.2G  4.4G  43% /opt/panrepo
tmpfs           2.2G  1.7G  492M  78% /dev/shm
cgroup_root     3.2G     0  3.2G   0% /cgroup
/dev/sda8       125G  115G  3.7G  97% /opt/panlogs   <----- Shows above 95%


Environment
  • Palo Alto Firewall


Resolution
  • To reduce disk usage instantly, delete all logs for a given log type  (logs can not be deleted according to the date). 
  • The following logs can be cleared
    • Traffic logs
    • Threat, URL, and Data Logs
    • Configuration logs
    • System logs
    • HIP Match logs
    • GlobalProtect logs
    • Alarm logs
    • Tunnel, GTP logs
    • User-ID logs
    • IP-Tag logs
    • Authentication logs
    • Decryption logs
    • ACC database (CLI command only)
    • SCTP logs (CLI command only)

 

Clear logs via the WebGUI

  1. Device > Log Setting > Scroll down to Manage Logs.
Clear Logs
  1. Click the log type you want to clear and click YES to confirm the request.
Confirm Clear Logs


 

Clear logs via the CLI

  1. Log into CLI

  2. Use the clear log command to clear the log type you want, then confirm.

    admin@PAN> clear log
    > acc             ACC database
    > alarm           Alarm logs
    > auth            Authentication logs
    > config          Configuration logs
    > decryption      Decryption logs
    > globalprotect   GlobalProtect logs
    > gtp             Tunnel and GTP logs
    > hipmatch        Hipmatch database
    > iptag           Iptag logs
    > sctp            SCTP logs
    > system          System logs
    > threat          Threat logs
    > traffic         Traffic logs
    > userid          User-ID logs
            
          (Example clearing hipmatch log)
    
    admin@PAN> clear log hipmatch
    Hipmatch database will be removed. Do you want to continue? (y or n)
    

    Note: Clearing the threat log also clears the URL log.
     



If none of the above remediation steps resolve the issue, it is recommended to collect the following Troubleshooting Data below and open a Support Case.
  1. Collect Tech Support File  (GUI: Device > Support  Click Generate Tech Support File)
  2. Collect the output of the CLI show system disk-space 


Additional Information
  • To prevent logs from filling up /opt/panlogs Disk quota can be utilized and adjusted. (Device > Setup > scroll down to Logging and Reporting Settings)
    • Logs are purged when the quota is exceeded, so it is recommended not to allocate more than 95% of the space to allow some buffer space. Set the "Max Days" (Retention Period) so that log purging operation works seamlessly and prevents the disk from filling up. See How to Determine How Much Disk Space is Allocated to Logs


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSjCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language