12-27-2016 10:59 PM
Hi Experts,
I am quite new to Palo Alto and I have some queries regarding URL filter log retention. Before, we could generate user activity reports for browsed URLs more than two weeks old, but now we can only see URL filter logs going back no more than 4 days.
What affects the log retention period, and how can we generate a month-old User Activity report for a specific user if the logs are not present anymore?
12-27-2016 11:20 PM
Log retention is affected only by space on disk. When you run out of it, PA automatically deletes the oldest entries in that specific log, whether it's traffic, threat, URL...
You can adjust the reserved space for each type of log in Device -> Setup -> Management tab -> Logging and Reporting Settings
Within the limits of your hard drive capacity of course.
12-27-2016 11:30 PM - edited 12-27-2016 11:30 PM
Hi Santonic, thanks for the response.
So does this mean that we suddenly had a huge increase in traffic that caused the retention to drop from more than 2 weeks to just 4 days?
Also, which one of these affects the URL filter?
> show system logdb-quota
Quotas:
system: 4.00%, 3.356 GB
config: 4.00%, 3.356 GB
alarm: 3.00%, 2.517 GB
appstat: 6.00%, 5.034 GB
hip-reports: 1.00%, 0.839 GB
traffic: 32.00%, 26.850 GB
threat: 16.00%, 13.425 GB
trsum: 7.00%, 5.873 GB
hourlytrsum: 3.00%, 2.517 GB
dailytrsum: 1.00%, 0.839 GB
weeklytrsum: 1.00%, 0.839 GB
thsum: 2.00%, 1.678 GB
hourlythsum: 1.00%, 0.839 GB
dailythsum: 1.00%, 0.839 GB
weeklythsum: 1.00%, 0.839 GB
userid: 1.00%, 0.839 GB
application-pcaps: 1.00%, 0.839 GB
extpcap: 1.00%, 0.839 GB
debug-filter-pcaps: 1.00%, 0.839 GB
dlp-logs: 1.00%, 0.839 GB
hipmatch: 3.00%, 2.517 GB
12-27-2016 11:42 PM - edited 12-27-2016 11:42 PM
Hmm, good question. All URL related log files seem to be 'summary' type.
12-28-2016 06:40 AM
Generally yes, if you see a drastic decrease in log retention then the only reason would be that you are seeing more traffic and would need to adjust your storage allocation if you want to retain more. That being said, it's also probably a good idea to take a look and see if anybody changed/created a rule that is constantly being logged, or if they created something small that logs on start and end. I've run into that issue before where someone enables logging at start and end for testing but forgets to disable it and set the logging to end like we do on everything else.
The URL filtering is part of the traffic log quota, if memory serves correctly.
12-28-2016 07:10 AM
Hi BPry,
I am seeing two suspected rules with log at start, which is unusual compared to the rest, which only log at the end.
Now how can I prove that these are the guilty rules?
Is there any way to check how much they are logging? This is so that I can raise a change request for removing the logging at the start.
12-28-2016 07:42 AM
When you look at your traffic logs you can add the 'Rule' column, which will display the rule that was used and logged the action. As far as looking at the logs for only those two rules, the best way would be to create a custom report with a rule eq 'whatever' statement to get just the logs for the two rules that you suspect. If a rule is logging at both start and end you will see many pages of results.
Keep in mind that sometimes there is a legitimate reason that you would want to log at both start and end, but sometimes different admins will accidentally set it to both.
12-28-2016 02:13 PM - edited 12-28-2016 02:14 PM
One other thing you can check is the 'Max Rows in User Activity Report'. If you hit the maximum number of rows for the report based on 4 days of activity, it won't show any activity further back. If you've changed the activity report to included detailed browsing, increasing the number of rows in the report, this would possibly cause an issue.
12-28-2016 05:28 PM
Hi RFalconer,
As for the rows in the report, it was initially set to 50K and we were getting around 2 weeks' worth of user activity logs; it was increased to the maximum value and still we are just getting around or less than 4 days' worth of user activity logs.
12-28-2016 10:48 PM
There is a pre-defined report (Reports->Traffic Reports->Security Rules) which will show you most used rules. Check if some irrelevant traffic is being logged (DNS, ICMP...) and if some of the most used rules log session start as well.
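Both the suggestion above (add the 'Rule' column, filter on rule eq '...', count how many pages come back) and the Security Rules report boil down to the same check: count traffic-log lines per rule and per subtype (start/end/deny) to see which rules generate the volume and which ones still log at session start. The script below does that offline over a CSV export of the traffic log. It is an added example, not code from the original thread or from Palo Alto Networks; the sample rows are constructed, and the column names ("Type", "Subtype", "Rule") are an assumption, so map them to the header of your own export if it differs.

```python
import csv
import io
from collections import Counter

# Constructed sample of a PAN-OS traffic log CSV export, trimmed to a few
# columns. The column names used here ("Type", "Subtype", "Rule", ...) are an
# assumption for this example; real exports carry many more columns and may
# label them differently.
SAMPLE_CSV = """Receive Time,Type,Subtype,Rule,Source address,Destination address,Application,Bytes
2016/12/28 07:00:01,TRAFFIC,start,allow-web-test,10.1.1.5,203.0.113.10,web-browsing,0
2016/12/28 07:00:03,TRAFFIC,end,allow-web-test,10.1.1.5,203.0.113.10,web-browsing,5120
2016/12/28 07:00:04,TRAFFIC,start,allow-web-test,10.1.1.6,203.0.113.11,ssl,0
2016/12/28 07:00:09,TRAFFIC,end,allow-web-test,10.1.1.6,203.0.113.11,ssl,9876
2016/12/28 07:00:10,TRAFFIC,start,allow-web-test,10.1.1.7,203.0.113.12,web-browsing,0
2016/12/28 07:00:12,TRAFFIC,end,allow-web-test,10.1.1.7,203.0.113.12,web-browsing,2048
2016/12/28 07:00:02,TRAFFIC,end,allow-dns,10.1.1.5,10.1.0.2,dns,140
2016/12/28 07:00:02,TRAFFIC,end,allow-dns,10.1.1.6,10.1.0.2,dns,138
2016/12/28 07:00:05,TRAFFIC,end,allow-dns,10.1.1.7,10.1.0.2,dns,142
2016/12/28 07:00:06,TRAFFIC,end,allow-dns,10.1.1.8,10.1.0.2,dns,139
2016/12/28 07:00:07,TRAFFIC,deny,deny-icmp-out,10.1.1.9,203.0.113.20,ping,0
"""


def count_by_rule(csv_text):
    """Return {rule: Counter({subtype: line_count})} for TRAFFIC rows in the export."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Type"] != "TRAFFIC":
            continue
        counts.setdefault(row["Rule"], Counter())[row["Subtype"]] += 1
    return counts


def rules_logging_at_start(counts):
    """Rules that emit session-start entries, i.e. candidates for 'log at start' being on."""
    return sorted(rule for rule, c in counts.items() if c["start"] > 0)


def volume_share(counts):
    """Fraction of all traffic-log lines each rule produces, biggest producer first."""
    total = sum(sum(c.values()) for c in counts.values())
    share = {rule: sum(c.values()) / total for rule, c in counts.items()}
    return sorted(share.items(), key=lambda kv: kv[1], reverse=True)


def lines_saved_by_end_only(counts):
    """Log lines that would disappear if 'log at session start' were disabled everywhere."""
    return sum(c["start"] for c in counts.values())


if __name__ == "__main__":
    counts = count_by_rule(SAMPLE_CSV)
    for rule, share in volume_share(counts):
        c = counts[rule]
        print(f"{rule:16s} share={share:6.1%} start={c['start']} end={c['end']} deny={c['deny']}")
    print("rules logging at start:", rules_logging_at_start(counts))
    print("lines saved by logging only at end:", lines_saved_by_end_only(counts))
```

Run it against a real export (read the file instead of SAMPLE_CSV) and the rules with a non-zero start count are the ones to put in the change request; the volume share also shows whether chatty-but-harmless traffic such as DNS is eating the traffic quota, which is what the Security Rules report is meant to reveal.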
12-29-2016 01:15 AM - edited 12-29-2016 01:17 AM
Hi @Ernest_James,
The ACC also offers the information on 'Rule Usage':
Cheers !
-Kim.
12-29-2016 02:34 PM - edited 12-29-2016 02:35 PM
@Ernest_James Traffic which matches your policy will definitely affect your device. If possible you might want to modify what you log and when as far as URL logs.
For one function my company uses a 3020 pair and we've got logs back before the 20th. So if you've got a specific requirement it might be worth reallocating storage capacity from one log type to another.
12-29-2016 05:37 PM
I do not see rule usage on my ACC; maybe I'm using a different version.
12-29-2016 05:42 PM
Quotas:
system: 4.00%, 3.356 GB
config: 4.00%, 3.356 GB
alarm: 3.00%, 2.517 GB
appstat: 6.00%, 5.034 GB
hip-reports: 1.00%, 0.839 GB
traffic: 32.00%, 26.850 GB
threat: 16.00%, 13.425 GB
trsum: 7.00%, 5.873 GB
hourlytrsum: 3.00%, 2.517 GB
dailytrsum: 1.00%, 0.839 GB
weeklytrsum: 1.00%, 0.839 GB
thsum: 2.00%, 1.678 GB
hourlythsum: 1.00%, 0.839 GB
dailythsum: 1.00%, 0.839 GB
weeklythsum: 1.00%, 0.839 GB
userid: 1.00%, 0.839 GB
application-pcaps: 1.00%, 0.839 GB
extpcap: 1.00%, 0.839 GB
debug-filter-pcaps: 1.00%, 0.839 GB
dlp-logs: 1.00%, 0.839 GB
hipmatch: 3.00%, 2.517 GB
12-29-2016 06:12 PM
I have checked the Reports>Traffic Reports>Security Rules and found out this:
Site A has log problems with only 4 days' worth of user activity logs; Site B, which has 30G less than Site A, can hold up to 3 months of user activity logs.
Please correct me if I am wrong, but Monitor > PDF Reports > User Activity Report should basically be text file logs arranged into a PDF for better viewing, right? In my opinion, it should not take a lot of space to retain these logs.