High log DB usage-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
indeni will alert if the log DB utilization of a device is above a high threshold.

Remediation Steps:
More information is available at https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-How-Much-Disk-Space-is-Allocated-to-Logs/ta-p/53828

How does this work?
This alert uses the Palo Alto Networks API to retrieve the current status of the log DBs (the equivalent of running “show system logdb-quota” in CLI).

Why is this important?
The log DB stores a variety of different log types on a Palo Alto Networks device. Most log databases will auto-purge older logs. In many environments, though, such behavior is not desired. Users should know if they are reaching the maximum amount of logs they can retain of a certain type and assess the possible impact.

Without Indeni how would you find this?
An administrator could write a script to leverage the Palo Alto Networks API to collect this data periodically and alert appropriately. The web interface can also be used to check the current status of the log DB utilization.

panos-show_system_logdb-quota

#! META
name: panos-show_system_logdb-quota
description: fetch log utilization
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos

#! COMMENTS
logdb-usage:
    why: |
        The log DB stores a variety of different log types on a Palo Alto Networks device. Most log databases will auto-purge older logs. In many environments, though, such behavior is not desired. Users should know if they are reaching the maximum amount of logs they can retain of a certain type and assess the possible impact.
    how: |
        This alert uses the Palo Alto Networks API to retrieve the current status of the log DBs  (the equivalent of running "show system logdb-quota" in CLI).
    without-indeni: |
        An administrator could write a script to leverage the Palo Alto Networks API to collect this data periodically and alert appropriately. The web interface can also be used to check the current status of the log DB utilization.
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::HTTP
url: /api?type=op&cmd=<show><system><logdb-quota></logdb-quota></system></show>&key=${api-key}
protocol: HTTPS

#! PARSER::AWK
BEGIN {
}

# Each quota line of the command output looks like:
#               system: 4.00%, 0.664 GB
# $1 is the log type with a trailing colon, $2 is the utilization with a trailing comma.
/[0-9]+%/ {
    logtype = $1
    sub(/:/, "", logtype)
    usage = $2
    gsub(/[%,]/, "", usage)

    logtags["name"] = logtype

    # One gauge sample per log type, tagged by name, with a 600-second live config window.
    writeDoubleMetricWithLiveConfig("logdb-usage", logtags, "gauge", "600", usage, "Log Usage", "percentage", "name")
}
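The same parsing the AWK block above performs, written as the kind of stand-alone script the "Without Indeni" paragraph describes and checked against the rule's 95% threshold. This is an added example, not Indeni's or Palo Alto Networks' code; the "show system logdb-quota" output below is constructed, and the at-or-above comparison is an assumption since the template's exact test is not shown on the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of "show system logdb-quota" output, the text the
# op-command API call on this page returns in its result.
SAMPLE_OUTPUT = """Quotas:
     system: 4.00%, 0.664 GB
     config: 4.00%, 0.664 GB
     alarm: 3.00%, 0.498 GB
     traffic: 29.00%, 4.814 GB
     threat: 15.00%, 2.490 GB
     hipmatch: 97.20%, 16.139 GB
"""

# Same shape the AWK rule keys on: a log type ending in ':' then a percentage.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+):\s+([0-9]+(?:\.[0-9]+)?)%")

HIGH_THRESHOLD = 95.0  # threshold value used by the rule on this page


def parse_logdb_quota(text: str) -> Dict[str, float]:
    """Return {log type: utilization percent} for each quota line."""
    usage: Dict[str, float] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            usage[m.group(1)] = float(m.group(2))
    return usage


def logdbs_nearing_quota(usage: Dict[str, float],
                         threshold: float = HIGH_THRESHOLD) -> List[Tuple[str, float]]:
    """Log DBs at or above the threshold (assumed comparison), most used first."""
    hits = [(name, pct) for name, pct in usage.items() if pct >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def format_alert(items: List[Tuple[str, float]]) -> Optional[str]:
    """Alert text mirroring the rule's header and item description format."""
    if not items:
        return None
    lines = ["Log DBs Nearing Quota"]
    for name, pct in items:
        lines.append(f"  {name}: Current log DB utilization is: {pct:.0f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(logdbs_nearing_quota(parse_logdb_quota(SAMPLE_OUTPUT))))
```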


palo_alto_networks_high_logdb_usage

package com.indeni.server.rules.library.templatebased.paloaltonetworks

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.NearingCapacityWithItemsTemplateRule
/**
  * Alerts when a log DB reported by the panos-show_system_logdb-quota script
  * (metric "logdb-usage", one item per "name" tag) reaches the utilization threshold.
  */
case class palo_alto_networks_high_logdb_usage() extends NearingCapacityWithItemsTemplateRule(
  ruleName = "palo_alto_networks_high_logdb_usage",
  ruleFriendlyName = "Palo Alto Networks Firewalls: High log DB usage",
  ruleDescription = "indeni will alert if the log DB utilization of a device is above a high threshold.",
  usageMetricName = "logdb-usage",
  applicableMetricTag = "name",
  threshold = 95.0,
  alertDescription = "Some log DBs are nearing their quota. The device will automatically purge old logs (per https://live.paloaltonetworks.com/t5/Management-Articles/When-are-Logs-Purged-on-the-Palo-Alto-Networks-Devices/ta-p/53605). This may be a critical issue if these logs are not retained and should be.",
  alertItemDescriptionFormat = "Current log DB utilization is: %.0f%%",
  baseRemediationText = "More information is available at https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-How-Much-Disk-Space-is-Allocated-to-Logs/ta-p/53828",
  alertItemsHeader = "Log DBs Nearing Quota")()