Log Database Quota Discrepancy Between Panorama Web Interface and CLI
27552
Created On 05/02/19 09:13 AM - Last Modified 06/24/19 14:33 PM
Symptom
In the Panorama web interface, detailed logs are configured at 60% for instance 992GB (Collector Group tab > Log Storage setting).
NOTE: This can be applied to any firewall.
However, the CLI shows that the allocation is 164GB, which is equal to 40 days, after running the following command:
> show system logdb-quota
...
Slot:0
Quotas:
detailed: 60.00%, 164 GB Expiration-period: 0 days
summary: 30.00%, 82 GB Expiration-period: 0 days
infra_audit: 5.00%, 14 GB Expiration-period: 0 days
platform: 0.10%, 0 GB Expiration-period: 0 days
external: 0.10%, 0 GB Expiration-period: 0 days
Environment
Any Panorama or firewall platform after upgrading to PAN-OS 8.0+
Cause
The Panorama web interface shows a different value than in CLI for the detailed firewall logs that are located in the log storage settings for collector. This is caused by internal calculations not from an anomaly.
We have two log-db implementations after PAN-OS 8.0. The original implementation with log-db displayed data is based on VLD disk usage. The newer implementation with Elasticsearch has a different way of displaying the results, and it is necessary to verify the VLD and Elasticsearch in order to see accurate information on CLI.
In addition, Elasticsearch indices are purged when 88% of the disk quota is hit. This is done to prevent the entire disk from being available.Resolution
This is expected behavior. It is working by design, since this change was added after PAN-OS 8.0.
In PAN-OS 8.0, the quota (byte size) has to be combined with commands when viewed from the CLI.
> show system logdb-quota
+
> show system search-engine-quota
Additional Information
For additional information, please review the following article on HOW DISK SPACE IS ALLOCATED ON LOG COLLECTORS.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5aCAC