AIOps Alert "Process Memory Depletion - Log Receiver"

AIOps Alert "Process Memory Depletion - Log Receiver"

11343
Created On 02/15/22 21:58 PM - Last Modified 06/11/25 21:10 PM


Symptom


  • Alert from AIOps regarding process memory depletion for "logrcvr"

Environment


  • PAN-OS
  • AIOps

Cause


AIOps has detected a memory depletion in the logrcvr process
 

Resolution


If you receive this Alert, it is recommended to collect the following Troubleshooting Data below and open a Support Case. After data is collected, considering following the Mitigation Steps to bring down the memory usage of the logrcvr process till Support can analyze the data. 

Troubleshooting Data

  1. Collect Tech Support File  (GUI: Device > Support  Click Generate Tech Support File)

  2. Generate a trace file using the following CLI command

debug software trace log-receiver

  1. Generate a core file using following command

debug software core log-receiver

  1. Collect the Device State (GUI: Device>Setup>Operations- Export: Export device state)
  2. Export the core file  (HOW TO EXPORT CORE FILES FROM A PALO ALTO NETWORKS DEVICE)
  3. Gather data below from AIOps
    1. Check the dates indicated by AIOps as to when the memory depletion started.
    2. Check if there were any config modifications, PANOS upgrades/downgrades, or any other changes performed around the time that might have triggered this behavior.
  4. (Optional) If performing Mitigation Steps below, collect another Tech Support File after completing steps
  5. Open a case with the above data.
     

Mitigation Steps

Till the issue is resolved, you can restart the logrcvr process to bring down the memory usage of logrcvr. 
NOTE: Recommended to be performed in a maintenance window
 

Potential Impact of restart the process:

  • All logging functionality handled by logrcvr daemon will not be available during process restart
     

Option 1 (Standalone Device)

From CLI run debug software restart process log-receiver to restart the process

Option 2 (Device in Active/Passive HA)

  1. Disable "Preemptive" mode (GUI: Device > High Availability > General > Election Settings: Uncheck Preemptive )
  2. Failover to the passive device (From Active Device: Device > High Availability > Operations > Click Suspend local device)
  3. Restart configd from the CLI from the now Suspended device (debug software restart process log-receiver)
  4. From CLI run show management-clients to ensure that all processes have started succesfully.
> show management-clients
              Client PRI    State Progress
-------------------------------------------------------------------------
            ha_agent  25     init        0
              sslmgr  10     init        0
               authd  10     init        0
             cryptod  10     init        0
              dagger  10     init        0    (op cmds only)
                cord  10     init        0
                logd  10     init        0    (op cmds only)
             reportd  10     init        0    (op cmds only)
             useridd  10     init        0
        distributord  10     init        0
                Device Securityd  10     init        0
Overall status: init. Progress: 0
Warnings:
Errors:
Note: The logrcvr daemon is available on Panorama and is available for firewall from PAN-OS10.1 onwards.
Note: Restarting the process will temporarily mitigate the issue and the same issue may come back sometimes later.

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNC5CAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language