User activity reports


L1 Bithead

I'm getting a bit of a funny one on my Panorama. When I run a PDF UAR for a user using the "last 30 days" option, I only get the detailed reports on web activity from the 2nd of August till the 16th of August. When I change the date option to the last 7 days I get from the 16th till today. Anyone any idea why I'm not getting the full 30 days when I ask for it? We're running 4.1.10 on the Panorama plus the PA 500s that are feeding it logs. Thanks. Plus, does anyone know where (or if) you can configure the quantity of logs being kept?

6 REPLIES

L4 Transporter

Hello,

> Please verify first in the logs that the user you are trying to get a report for has logs for the last 30 days.

> Also try "User Activity Report > Time Period > Custom". Set the custom dates and test how the logs come. Also try to move the days to 29 or 31 and so on and see how the logs vary.

If it is still not working as expected, please open a case with the support team.

Hmm - That's kind of my point. I have got logs for the user (myself) but they only go back to August 2 and stop at August 16 when I ask for a 30 day report. When I ask for a last 7 days report I can see the logs from the 16th right up till today. So how come the 30 day report doesn't show right up till today? (and why doesn't it show before August 2nd).

If you are talking about the detailed URL logs in the UAR, there is a max rows value.

You can find this value under device tab > setup > management tab > Logging and Report Settings.

*NOTE: I should say Panorama tab; this issue was on Panorama.

The default value for Max Rows in User Activity Report is 65535.

Can you check whether your report with 30 days hits 65535 lines?

Regards,

Make sure you check that there is enough disk space allocated to the Log Files. This is located in the same place that emr provided. Panorama > Setup > Management > Logging and Reporting Settings. If you don't have enough disk space, it will cause logs to be overwritten. So it may not be possible for you to retain 30 days of user activity reports.

You could also try running the report from the firewall instead of Panorama. Since the firewall is only recording its own data, the data you are after may still be there as it hasn't needed to overwrite that data yet. If this does work, look at expanding your Panorama log space, or ensure that the firewall is sending its logs to Panorama.

OK guys, thanks for the good tips there. Just one more question: I can easily give the Panorama virtual appliance more disk in VMware. How do I then get that extra disk into the system and expand the log files? Any quick tips on that would be great!

Panorama Administrator's Guide 5.1

I would check out the new Panorama Administrator's Guide, it is pretty handy. I'm not sure if it covers this change, but I will take a stab at guessing how this needs to be done. (It's been a while since I set up Panorama.)

If you add the additional disk space to the VMware guest and reboot Panorama, PAN should detect the new space and you should be able to see that reflected under Panorama > Setup > Management > Logging and Reporting Settings. Total space should have increased. You can then set the quotas for each log type. I would guess that the information you want is under the Traffic logs, or Traffic Summaries. I would not increase the max rows in the UAR as that just appears to be how many lines the system will output, not how much data it will retain. The max rows of 65535 is the limit to CSV type applications, so increasing this number may prevent you from opening these documents.

If for some reason you don't have enough local space you can change to an NFS system. To do this go to Panorama > Setup > Operations > Storage Partition Setup (bottom right in the Miscellaneous section).

Hopefully that helps you solve your problem.
