Different log retention periods

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Different log retention periods

L2 Linker



for privacy reasons our customer has different log retention periods. He want's to delete all personally identifiable traffic log for traffic from internal to external to delete after 7 days. Also traffic logs for blocked traffic from externel to internal should be deleted after 7 days. Traffic logs for allowed traffic from externel should never (until disk full) been deleted. Internal server traffic logs should be deleted after 30 days.

Is there any idea, how to resolve this? Panorama doesn't exist. Splunk isn't an option, because there are 20GB of log volume per day.





L7 Applicator

is syslog an option here?


some basic grep stuff will pick out required lines and logrotate for archive of specific  files.

Cyber Elite
Cyber Elite


When you start wanting to split how logs are retained your going to have to get them off the box to be processed elsewhere. For what you are asking I would personally setup a Graylog installation and then make sure that all of the required logs are forwarded to the Graylog instance and set a minimal retention on the firewall itself. You can then easily configure these requirements within Graylog to meet your requirements. 


Graylog is an open-source and doesn't require that you purchase the Enterprise solution. The open-source solution doesn't have any limitations, but the Enterprise solution is priced on ingest just like Splunk. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!