09-21-2021 12:31 AM
Hello All,
I am trying to get logs for the Cortex XDR agent that are more than 1 month old, from the system and tech support file, however I am not getting any success. Does anyone know any method by which we can retrieve agent logs/tech support logs for data more than 1 month old?
Is it possible to retrieve such logs from the Cortex XDR agent?
Thanks in advance.
09-24-2021 05:04 AM - edited 09-24-2021 05:21 AM
Hi Tejasp04,
You can customize the amount of disk space that the Cortex XDR agent uses to store logs and information about events. See in your specific case/instance the space you have occupied so far.
By default the disk space for storing logs is 5 GB. You can check the config under the agent settings and you can increase it up to 10 GB max approx.
If you reboot the system the agent is cycling the logging schema in the following way:
The logs are created under folder C:\ProgramData\Cyvera\Logs
Go there and check the files trapsd.log*
The file trapsd.log stores the newest logs.
The file trapsd.log.9.gz stores the oldest ones so the ones that are deleted/cycled first.
Once trapsd.log is full, it is renamed to trapsd.log.0.gz, trapsd.log.0.gz to trapsd.log.1.gz and so on ... so trapsd.log.9.gz is lost.
So the log storage and retention period within the Cortex XDR agent may vary depending upon your config setup and the logs generated by your agent instance.
If the agent lost the logs you are looking for, you could go and look for "some" of the logs at Cortex Data Lake in case you have it (the security related logs should be at CDL, but not the agent operations related logs). Again, depending on your setup there and the volume of logs generated by your XDR agents, log retention may vary also at CDL.
So please take into account that the log limitation is not related to time but to space quota on the hard disk, which means that the more logs your agent/computer generates, the less time of log preservation you will have.
I hope I brought some light to the subject.
KR,
Luis
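As an added illustration (not part of the reply above, nor a Palo Alto Networks tool), the Python below models the trapsd.log rotation order Luis describes, measures how many days the current set of files actually covers, and copies the compressed rotations off the host before the agent cycles them away. The fixture directory is constructed; on a real Windows host the directory would be C:\ProgramData\Cyvera\Logs.

```python
import os, re, shutil, tempfile, time
from datetime import datetime, timezone

# Matches the live trapsd.log and its rotations trapsd.log.<n>.gz
ROTATED = re.compile(r"^trapsd\.log(?:\.(\d+)\.gz)?$")
def rotation_rank(name):
    """0 = live file (newest), n+1 = trapsd.log.n.gz (higher is older, dropped first)."""
    m = ROTATED.match(name)
    if not m:
        return None  # not a trapsd log file
    return 0 if m.group(1) is None else int(m.group(1)) + 1

def rotated_logs(log_dir):
    """trapsd.log* files newest-first: live file, .0.gz, ..., highest index last."""
    return sorted((n for n in os.listdir(log_dir) if rotation_rank(n) is not None), key=rotation_rank)

def retention_window_days(log_dir):
    """Days the current set actually covers (oldest rotation's mtime to live file's mtime)."""
    paths = [os.path.join(log_dir, n) for n in rotated_logs(log_dir)]
    if not paths:
        return 0.0
    mtimes = [os.path.getmtime(p) for p in paths]
    return (max(mtimes) - min(mtimes)) / 86400

def archive_rotated(log_dir, archive_dir):
    """Copy each compressed rotation off to archive_dir, prefixed with its mtime
    so repeated runs never overwrite an earlier copy. Returns the copies made."""
    os.makedirs(archive_dir, exist_ok=True)
    copies = []
    for name in rotated_logs(log_dir):
        if rotation_rank(name) == 0:
            continue  # live file is still being written; leave it to the agent
        src = os.path.join(log_dir, name)
        stamp = datetime.fromtimestamp(os.path.getmtime(src), timezone.utc)
        dst = os.path.join(archive_dir, f"{stamp:%Y%m%dT%H%M%SZ}_{name}")
        if not os.path.exists(dst):
            shutil.copy2(src, dst)
        copies.append(dst)
    return copies

def build_sample_log_dir():
    """Constructed fixture: live trapsd.log plus .0.gz..9.gz, each one day older."""
    d, now = tempfile.mkdtemp(), time.time()
    for rank, name in enumerate(["trapsd.log"] + [f"trapsd.log.{i}.gz" for i in range(10)]):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"constructed\n")
        os.utime(p, (now - rank * 86400,) * 2)
    return d
```

Scheduling archive_rotated regularly (before trapsd.log.9.gz is cycled off) is what turns the agent's space-bound retention into the time-based retention the question asks for.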