This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA-3020 log retention period

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA-3020 log retention period

Ernest_James
L1 Bithead

‎12-27-2016 10:59 PM

Hi Experts,

 

I am quite new to Palo Alto and I have some queries regarding the URL filter log retention, before we can generate user activty reports for browsed URLs for more than two weeks old, but now we can only see URL filter logs up to no more than 4 days.

 

What affects the log retention period and how can we generate a month old User Activity report for a specific user if logs are not present anymore.

0 Likes Likes
19 REPLIES 19

santonic
L6 Presenter
In response to Ernest_James

‎12-29-2016 11:22 PM

Transfered bytes are irrelevant for logging. Log entries are generated per session so look at seesions counter values. A single http download session which transfer 3Gb means one log entry same as a DNS query for this site which transfers only few bytes.

 

Check the most used rules and see if you log some non relevant sessions like DNS and ICMP or boradcast traffic and similar. 

0 Likes Likes

santonic
L6 Presenter
In response to Ernest_James

‎12-29-2016 11:34 PM

Reports are basicaly queries on log files for specific information. So they are sort of an extract of log files. And I believe they are stored seperately from log files so they don't affect log retention directly.

 

0 Likes Likes

kiwi
Community Team Member
In response to Ernest_James

‎12-29-2016 11:52 PM

Hi @Ernest_James,

 

That's possible.  ACC got a major facelift in PAN-OS 7.0 and some features were added.  Possibly pre-7.0 won't have it.

 

It will basically return the same output as seen in the Reports>Traffic Reports>Security Rules.  As santonic already pointed out you need to check the number of sessions.

 

Cheers !

-Kim.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Ernest_James
L1 Bithead
In response to kiwi

‎01-04-2017 03:25 AM

@kiwi@santonic

 

I have checked the most used rule but it has been there before. as for the rule with log on start as well seem not to be that used much.

 

Any other suggestions?

0 Likes Likes

santonic
L6 Presenter
In response to Ernest_James

‎01-04-2017 04:21 AM

Even if it's been there always you can optimise it and turn off logging for non interesting traffic.

 

But to find the source of spike of events: PA FW saves these reports daily. I guess you have to check past reports, find out on which day there was a spike, which rule recorded it and (in the unlikely case you still have logs for that day) you can find out which traffic caused it. If you don't have logs you can check other automated reports and look for possible causes.

 

 

0 Likes Likes
  • 9814 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks