PA-3020 log retention period

L1 Bithead

Hi Experts,

 

I am quite new to Palo Alto and I have some queries regarding the URL filter log retention. Before, we could generate user activity reports for browsed URLs more than two weeks old, but now we can only see URL filter logs going back no more than 4 days.

 

What affects the log retention period, and how can we generate a month-old User Activity report for a specific user if the logs are not present anymore?


Community Team Member

Hi @Ernest_James,

 

The ACC also offers the information on 'Rule Usage' :

 

[screenshot: Rule Usage]

 

Cheers !

-Kim.

Cyber Elite

@Ernest_James Traffic which matches your policy will definitely affect your device.  If possible you might want to modify what you log and when as far as URL logs.

 

For one function my company uses a 3020 pair and we've got logs back before the 20th.  So if you've got a specific requirement it might be worth reallocating storage capacity from one log type to another.

 

 

 

[screenshots: 3020_URL Log.JPG, 3020_Storage.JPG]

@kiwi

I do not see rule usage on my ACC, maybe I'm using a different version.

@Brandon_Wertz

Quotas:
system:               4.00%,  3.356 GB
config:               4.00%,  3.356 GB
alarm:                3.00%,  2.517 GB
appstat:              6.00%,  5.034 GB
hip-reports:          1.00%,  0.839 GB
traffic:             32.00%, 26.850 GB
threat:              16.00%, 13.425 GB
trsum:                7.00%,  5.873 GB
hourlytrsum:          3.00%,  2.517 GB
dailytrsum:           1.00%,  0.839 GB
weeklytrsum:          1.00%,  0.839 GB
thsum:                2.00%,  1.678 GB
hourlythsum:          1.00%,  0.839 GB
dailythsum:           1.00%,  0.839 GB
weeklythsum:          1.00%,  0.839 GB
userid:               1.00%,  0.839 GB
application-pcaps:    1.00%,  0.839 GB
extpcap:              1.00%,  0.839 GB
debug-filter-pcaps:   1.00%,  0.839 GB
dlp-logs:             1.00%,  0.839 GB
hipmatch:             3.00%,  2.517 GB

@santonic

I have checked the Reports>Traffic Reports>Security Rules and found out this:

[screenshot: rules.PNG]

Site A has log problems, holding only 4 days' worth of user activity logs, while Site B, which has 30G less than Site A, can hold up to 3 months of user activity logs.

Please correct me if I am wrong, but Monitor>PDF Reports>User Activity Report should basically be text file logs arranged into a PDF for better viewing, right? In my opinion, it should not take a lot of space to retain these logs.

Transferred bytes are irrelevant for logging. Log entries are generated per session, so look at the sessions counter values. A single HTTP download session which transfers 3Gb means one log entry, the same as a DNS query for this site which transfers only a few bytes.

 

Check the most used rules and see if you log some non-relevant sessions like DNS and ICMP or broadcast traffic and similar.

Reports are basically queries on log files for specific information. So they are sort of an extract of log files. And I believe they are stored separately from log files, so they don't affect log retention directly.
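To put numbers on the two points made in this thread (the per-log-type quotas posted above, and the fact that retention is driven by session count rather than transferred bytes), here is an added example that is not from the thread or from Palo Alto: it parses a quota listing in the format posted, sums logged sessions from a constructed rule-usage table, and estimates how many days a quota lasts with and without logging DNS/ICMP rules. The rule names, session counts and the 300-byte average entry size are assumptions.

```python
import re

# Constructed excerpt of the "Quotas:" listing quoted in this thread; the
# percentages and sizes are the ones posted, the parser handles the full list.
QUOTA_OUTPUT = """\
Quotas:
traffic:                    32.00%, 26.850 GB
threat:                    16.00%, 13.425 GB
userid:                     1.00%, 0.839 GB
"""

# Constructed rule-usage rows, (rule name, sessions per day, bytes per day),
# shaped like the Reports > Traffic Reports > Security Rules table.
RULE_USAGE = [
    ("allow-web", 1_200_000, 3_000_000_000_000),
    ("allow-dns", 3_500_000, 700_000_000),
    ("allow-icmp", 300_000, 30_000_000),
]

BYTES_PER_LOG_ENTRY = 300  # assumed average on-disk size of one log entry

QUOTA_RE = re.compile(r"^\s*([\w-]+):\s+([\d.]+)%,\s+([\d.]+)\s+GB\s*$")


def parse_quotas(text):
    """Map each log type to (percent of disk, gigabytes) from the listing."""
    quotas = {}
    for line in text.splitlines():
        m = QUOTA_RE.match(line)
        if m:
            quotas[m.group(1)] = (float(m.group(2)), float(m.group(3)))
    return quotas


def log_entries_per_day(rows, exclude=()):
    """One log entry per logged session; transferred bytes are ignored."""
    return sum(sessions for rule, sessions, _bytes in rows if rule not in exclude)


def retention_days(quota_gb, entries_per_day, entry_size=BYTES_PER_LOG_ENTRY):
    """Days until a log type's quota fills at a steady entry rate."""
    return quota_gb * 1024 ** 3 / (entries_per_day * entry_size)


if __name__ == "__main__":
    traffic_gb = parse_quotas(QUOTA_OUTPUT)["traffic"][1]
    everything = log_entries_per_day(RULE_USAGE)
    interesting = log_entries_per_day(RULE_USAGE, exclude=("allow-dns", "allow-icmp"))
    print(f"logging all rules:    {retention_days(traffic_gb, everything):.1f} days")
    print(f"DNS/ICMP logging off: {retention_days(traffic_gb, interesting):.1f} days")
```

The same calculation applies to any quota line in the listing; the 3 TB of web traffic in the sample contributes nothing beyond its session count, which is the point santonic makes.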

 

Community Team Member

Hi @Ernest_James,

 

That's possible.  ACC got a major facelift in PAN-OS 7.0 and some features were added.  Possibly pre-7.0 won't have it.

 

It will basically return the same output as seen in the Reports>Traffic Reports>Security Rules.  As santonic already pointed out you need to check the number of sessions.

 

Cheers !

-Kim.

 

@kiwi @santonic

 

I have checked the most used rule, but it has been there before. As for the rule with log on start as well, it does not seem to be used that much.

 

Any other suggestions?

Even if it's been there always you can optimise it and turn off logging for non interesting traffic.

 

But to find the source of spike of events: PA FW saves these reports daily. I guess you have to check past reports, find out on which day there was a spike, which rule recorded it and (in the unlikely case you still have logs for that day) you can find out which traffic caused it. If you don't have logs you can check other automated reports and look for possible causes.

 

 
