AIOps Alert "High Log Ingestion rate"
Created On 02/16/22 00:09 AM - Last Modified 06/20/23 18:56 PM
Symptom
Alert from AIOps regarding High Log Ingestion rate
Environment
- PAN-OS
- AIOps
Cause
The incoming log rate, as reported by "show log-collector detail" on the Log Collector, exceeds 85% of the published maximum log ingestion capacity for that platform.
Resolution
High Log Ingestion Rate - Recommendations
The device is experiencing a high log ingestion rate. Review the set of logs being forwarded by the firewall to this collector group and check whether any can be pruned. Before disabling forwarding for a log source, confirm that those logs are not needed for security monitoring, incident investigation, or retention requirements: pruning lowers collector load at the cost of visibility.
Some of the logs that might not need to be forwarded are:
- Traffic hitting the default security rules, intrazone-default and interzone-default.
- Logs for DNS traffic. Consider creating a separate security rule that matches DNS traffic and disabling log forwarding on that rule, so that the remaining traffic on the original rule is still logged.
- User-ID logs that are redundant. For example, if multiple firewalls receive the same set of User-ID mappings from the User-ID Agent, only one of them needs to forward those logs to the collector group.
If the number of logs being forwarded cannot be reduced, use the KB article on Log Collector sizing to accurately size the Log Collector deployment.
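The following script is an added example, not Palo Alto Networks code. It applies the 85% threshold from the Cause section and the pruning order from the recommendations above: given per-source log rates and the platform's maximum ingestion capacity, it checks whether the collector is over threshold, drops the largest prunable sources first until the rate is back under threshold, and otherwise reports that pruning is insufficient and the deployment must be resized. The per-source rates and the capacity figures are constructed placeholders, not published platform numbers; in practice you would take the rates from the firewall's or collector's own log statistics.

```python
"""Decide between pruning log sources and resizing a Log Collector.

Added example, not Palo Alto Networks code. The AIOps alert fires when the
incoming log rate exceeds 85% of the platform's published maximum capacity.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ALERT_THRESHOLD = 0.85  # alert condition: rate > 85% of max capacity


@dataclass(frozen=True)
class LogSource:
    name: str
    logs_per_sec: float
    prunable: bool  # True if the recommendations above allow not forwarding it


# Constructed sample, not measured data. Rates are hypothetical.
SAMPLE_SOURCES: List[LogSource] = [
    LogSource("interzone-default", 2500.0, prunable=True),
    LogSource("intrazone-default", 500.0, prunable=True),
    LogSource("dns-traffic-rule", 1800.0, prunable=True),
    LogSource("user-id-duplicate-fw2", 400.0, prunable=True),
    LogSource("threat", 600.0, prunable=False),
    LogSource("traffic-other-rules", 3500.0, prunable=False),
]


def utilization(sources: Iterable[LogSource], capacity_lps: float) -> float:
    """Fraction of the platform's max log ingestion capacity in use."""
    return sum(s.logs_per_sec for s in sources) / capacity_lps


def is_over_threshold(sources: Iterable[LogSource], capacity_lps: float) -> bool:
    """Same condition that raises the 'High Log Ingestion rate' alert."""
    return utilization(sources, capacity_lps) > ALERT_THRESHOLD


def prune_plan(sources: Iterable[LogSource],
               capacity_lps: float) -> Tuple[List[str], float]:
    """Drop the largest prunable sources first, stopping as soon as the
    rate is at or under the threshold, so that as little visibility as
    possible is given up. Returns (dropped source names, utilization after)."""
    kept = list(sources)
    dropped: List[str] = []
    candidates = sorted((s for s in kept if s.prunable),
                        key=lambda s: s.logs_per_sec, reverse=True)
    for cand in candidates:
        if utilization(kept, capacity_lps) <= ALERT_THRESHOLD:
            break
        kept.remove(cand)
        dropped.append(cand.name)
    return dropped, utilization(kept, capacity_lps)


def recommendation(sources: Iterable[LogSource], capacity_lps: float) -> str:
    """'ok', 'prune: ...', or 'resize: ...' following the KB's decision order."""
    sources = list(sources)
    if not is_over_threshold(sources, capacity_lps):
        return "ok"
    dropped, after = prune_plan(sources, capacity_lps)
    if after <= ALERT_THRESHOLD:
        return "prune: " + ", ".join(dropped)
    return ("resize: pruning all candidate sources still leaves %.0f%% "
            "utilization; size the Log Collector deployment" % (after * 100))


if __name__ == "__main__":
    # Hypothetical capacities, not published platform figures.
    for capacity in (20000.0, 10000.0, 4000.0):
        print("capacity %.0f lps: utilization %.2f -> %s" % (
            capacity, utilization(SAMPLE_SOURCES, capacity),
            recommendation(SAMPLE_SOURCES, capacity)))
```

The greedy order matters: dropping the default-rule traffic logs first brings the sample back under threshold without touching DNS or User-ID forwarding, so only one source loses visibility. When even dropping every candidate leaves the rate above 85%, the script reports that sizing, not pruning, is the fix.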