PA-3020 log retention period

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-3020 log retention period

L1 Bithead

Hi Experts,

 

I am quite new to Palo Alto and I have some queries regarding the URL filter log retention, before we can generate user activty reports for browsed URLs for more than two weeks old, but now we can only see URL filter logs up to no more than 4 days.

 

What affects the log retention period and how can we generate a month old User Activity report for a specific user if logs are not present anymore.

19 REPLIES 19

Transfered bytes are irrelevant for logging. Log entries are generated per session so look at seesions counter values. A single http download session which transfer 3Gb means one log entry same as a DNS query for this site which transfers only few bytes.

 

Check the most used rules and see if you log some non relevant sessions like DNS and ICMP or boradcast traffic and similar. 

Reports are basicaly queries on log files for specific information. So they are sort of an extract of log files. And I believe they are stored seperately from log files so they don't affect log retention directly.

 

Community Team Member

Hi @Ernest_James,

 

That's possible.  ACC got a major facelift in PAN-OS 7.0 and some features were added.  Possibly pre-7.0 won't have it.

 

It will basically return the same output as seen in the Reports>Traffic Reports>Security Rules.  As santonic already pointed out you need to check the number of sessions.

 

Cheers !

-Kim.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

@kiwi@santonic

 

I have checked the most used rule but it has been there before. as for the rule with log on start as well seem not to be that used much.

 

Any other suggestions?

Even if it's been there always you can optimise it and turn off logging for non interesting traffic.

 

But to find the source of spike of events: PA FW saves these reports daily. I guess you have to check past reports, find out on which day there was a spike, which rule recorded it and (in the unlikely case you still have logs for that day) you can find out which traffic caused it. If you don't have logs you can check other automated reports and look for possible causes.

 

 

  • 10031 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!