topic Re: Different log retention periods in General Topics

Different log retention periods

Retired Member — Fri, 13 Dec 2019 10:24:30 GMT

Hi,

for privacy reasons our customer has different log retention periods. He want's to delete all personally identifiable traffic log for traffic from internal to external to delete after 7 days. Also traffic logs for blocked traffic from externel to internal should be deleted after 7 days. Traffic logs for allowed traffic from externel should never (until disk full) been deleted. Internal server traffic logs should be deleted after 30 days.

Is there any idea, how to resolve this? Panorama doesn't exist. Splunk isn't an option, because there are 20GB of log volume per day.

Thanks

Robert

Re: Different log retention periods

Mick_Ball — Fri, 13 Dec 2019 10:49:34 GMT

is syslog an option here?

some basic grep stuff will pick out required lines and logrotate for archive of specific files.

Re: Different log retention periods

BPry — Fri, 13 Dec 2019 22:40:42 GMT

@Retired Member,

When you start wanting to split how logs are retained your going to have to get them off the box to be processed elsewhere. For what you are asking I would personally setup a Graylog installation and then make sure that all of the required logs are forwarded to the Graylog instance and set a minimal retention on the firewall itself. You can then easily configure these requirements within Graylog to meet your requirements.

Graylog is an open-source and doesn't require that you purchase the Enterprise solution. The open-source solution doesn't have any limitations, but the Enterprise solution is priced on ingest just like Splunk.