https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-system-logs/m-p/436443#M1084 <P>Hi Tejasp04,</P><P>You can customize the amount of disk space that the cortex xdr agent uses to store logs and information about events. See in your specific case/instace the space you have occupied so far.<BR />By default the disk space for storing logs is 5GB. You can check the config under the agent settings and you can increase it up to 10Gb max APROX.<BR />If you reboot the system the agent is cycling the logging schema in the following way:<BR />The logs are created under folder C:\ProgramData\Cyvera\Logs<BR />Go there and check the files trapsd.log*<BR />The file trapsd.log stores the newest logs.<BR />The file trapsd.log.9.gz stores the oldest ones so the ones that are deleted/cycled first.<BR />Once trapsd.log is full, it is renamed to trapsd.log.0.gz and trapsd.log.0.gz to trapsd.log.1.gz and so on ... so trapsd.log.9.gz is lost<BR />So the log storage and retention period within cortex xdr agent may vary depending upon your config setup, and logs generated by your agent instance.<BR />If agent lost the logs your are looking for. You could go and look for "some" of the logs at Cortex Data Lake in case you have it (the security related logs should be at CDL but not the agent operations related logs). Again depending on your setup there and the volume of logs generated by your xdr agentS, log retention may vary also at CDL.<BR />So please take into account that the log limitation is not related to time but to Space quota on the hard disk which means that the more logs your agent/computer generates, the less time log preservation you will have.</P><P>I hope I brought some light to the subject.&nbsp;</P><P>KR,<BR />Luis&nbsp;</P> Fri, 24 Sep 2021 12:21:52 GMT eluis 2021-09-24T12:21:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-system-logs/m-p/435417#M1071 <P>Hello All,</P><P>&nbsp;</P><P>I am trying to get logs for cortex XDR agent of more than 1 month old, from system and tech support file however not getting any success. Does anyone knows any method by which we can retieve agent logs/tech support logs for more than 1 month old data?</P><P>&nbsp;</P><P>Is it possible to retrieve such logs form cortex XDR agent?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thanks in adavance.</P> Tue, 21 Sep 2021 07:31:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-system-logs/m-p/435417#M1071 tejasp04 2021-09-21T07:31:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-system-logs/m-p/436443#M1084 <P>Hi Tejasp04,</P><P>You can customize the amount of disk space that the cortex xdr agent uses to store logs and information about events. See in your specific case/instace the space you have occupied so far.<BR />By default the disk space for storing logs is 5GB. You can check the config under the agent settings and you can increase it up to 10Gb max APROX.<BR />If you reboot the system the agent is cycling the logging schema in the following way:<BR />The logs are created under folder C:\ProgramData\Cyvera\Logs<BR />Go there and check the files trapsd.log*<BR />The file trapsd.log stores the newest logs.<BR />The file trapsd.log.9.gz stores the oldest ones so the ones that are deleted/cycled first.<BR />Once trapsd.log is full, it is renamed to trapsd.log.0.gz and trapsd.log.0.gz to trapsd.log.1.gz and so on ... so trapsd.log.9.gz is lost<BR />So the log storage and retention period within cortex xdr agent may vary depending upon your config setup, and logs generated by your agent instance.<BR />If agent lost the logs your are looking for. You could go and look for "some" of the logs at Cortex Data Lake in case you have it (the security related logs should be at CDL but not the agent operations related logs). Again depending on your setup there and the volume of logs generated by your xdr agentS, log retention may vary also at CDL.<BR />So please take into account that the log limitation is not related to time but to Space quota on the hard disk which means that the more logs your agent/computer generates, the less time log preservation you will have.</P><P>I hope I brought some light to the subject.&nbsp;</P><P>KR,<BR />Luis&nbsp;</P> Fri, 24 Sep 2021 12:21:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-system-logs/m-p/436443#M1084 eluis 2021-09-24T12:21:52Z