for privacy reasons our customer has different log retention periods. He want's to delete all personally identifiable traffic log for traffic from internal to external to delete after 7 days. Also traffic logs for blocked traffic from externel to internal should be deleted after 7 days. Traffic logs for allowed traffic from externel should never (until disk full) been deleted. Internal server traffic logs should be deleted after 30 days.
Is there any idea, how to resolve this? Panorama doesn't exist. Splunk isn't an option, because there are 20GB of log volume per day.
When you start wanting to split how logs are retained your going to have to get them off the box to be processed elsewhere. For what you are asking I would personally setup a Graylog installation and then make sure that all of the required logs are forwarded to the Graylog instance and set a minimal retention on the firewall itself. You can then easily configure these requirements within Graylog to meet your requirements.
Graylog is an open-source and doesn't require that you purchase the Enterprise solution. The open-source solution doesn't have any limitations, but the Enterprise solution is priced on ingest just like Splunk.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!