Tips & Tricks: Log Deletion Based on Time
Resolution
Before PAN-OS 7.0, log purging was purely quota-based: storage was checked against the logdb quota (and the predefined quota size for reports), and when a quota was reached the oldest logs were deleted until the given log type was back within its configured size. Nothing was deleted on the basis of age alone.
PAN-OS 7.0 adds a second purge criterion for logdb and reports: 'Max Days.' This lets you configure an age-out period for each log type and for all reports, so entries are purged once they exceed that age even if the quota is not yet full. Quota-based purging still applies; the age-out period is an additional limit, not a replacement.
You can find this setting under Device/Panorama tab > Setup > Management > Logging and Reporting setting > Log Storage tab
The range is 1-2000 days on all platforms. Leaving the field empty means no expiration, in which case logs of that type are purged by quota only.
For reports, you will find this setting under Device/Panorama tab > Setup > Management > Logging and Reporting setting > Log Export and Reporting tab.
In the CLI (configure mode, indicated by the # prompt), you can use the following commands:
# set deviceconfig setting management quota-settings log-expiration-period <log type> <number of days>
Log type = traffic / threat / trsum / etc...
Number of days = 1-2000 (leave unset for the default, no expiration)
# set deviceconfig setting management report-expiration-period <number of days>
Number of days = 1-2000 (leave unset for the default, no expiration)
In the CLI, you can also verify the expiration period and the current retention using the following command:
> show system logdb-quota

Quotas:
    system: 4.00%, 0.668 GB Expiration-period: 0 days
    config: 4.00%, 0.668 GB Expiration-period: 0 days
    alarm: 3.00%, 0.501 GB Expiration-period: 0 days
    appstat: 4.00%, 0.668 GB Expiration-period: 0 days
    hip-reports: 1.00%, 0.167 GB Expiration-period: 0 days
    traffic: 32.00%, 5.342 GB Expiration-period: 0 days
    threat: 16.00%, 2.671 GB Expiration-period: 0 days
    trsum: 7.00%, 1.169 GB Expiration-period: 0 days
    hourlytrsum: 3.00%, 0.501 GB Expiration-period: 0 days
    dailytrsum: 1.00%, 0.167 GB Expiration-period: 0 days
    weeklytrsum: 1.00%, 0.167 GB Expiration-period: 0 days
    urlsum: 2.00%, 0.334 GB Expiration-period: 0 days
    hourlyurlsum: 1.00%, 0.167 GB Expiration-period: 0 days
    dailyurlsum: 1.00%, 0.167 GB Expiration-period: 0 days
    weeklyurlsum: 1.00%, 0.167 GB Expiration-period: 0 days
    thsum: 2.00%, 0.334 GB Expiration-period: 0 days
    hourlythsum: 1.00%, 0.167 GB Expiration-period: 0 days
    dailythsum: 1.00%, 0.167 GB Expiration-period: 0 days
    weeklythsum: 1.00%, 0.167 GB Expiration-period: 0 days
    userid: 1.00%, 0.167 GB Expiration-period: 0 days
    application-pcaps: 1.00%, 0.167 GB Expiration-period: 0 days
    extpcap: 1.00%, 0.167 GB Expiration-period: 0 days
    debug-filter-pcaps: 1.00%, 0.167 GB Expiration-period: 0 days
    dlp-logs: 1.00%, 0.167 GB Expiration-period: 0 days
    hipmatch: 3.00%, 0.501 GB Expiration-period: 0 days

Disk usage:
    traffic: Logs and Indexes: 2.8G Current Retention: 419 days
    threat: Logs and Indexes: 87M Current Retention: 113 days
    system: Logs and Indexes: 179M Current Retention: 603 days
    config: Logs and Indexes: 452M Current Retention: 603 days
    trsum: Logs and Indexes: 1.2G Current Retention: 247 days
    hourlytrsum: Logs and Indexes: 512M Current Retention: 178 days
    dailytrsum: Logs and Indexes: 152M Current Retention: 601 days
    weeklytrsum: Logs and Indexes: 98M Current Retention: 597 days
    thsum: Logs and Indexes: 333M Current Retention: 453 days
    hourlythsum: Logs and Indexes: 166M Current Retention: 488 days
    dailythsum: Logs and Indexes: 22M Current Retention: 600 days
    weeklythsum: Logs and Indexes: 4.4M Current Retention: 597 days
    appstatdb: Logs and Indexes: 64M Current Retention: 603 days
    userid: Logs and Indexes: 292K Current Retention: 603 days
    hipmatch: Logs and Indexes: 28K Current Retention: 0 days
    extpcap: Logs and Indexes: 8.1M Current Retention: 561 days
    urlsum: Logs and Indexes: 124M Current Retention: 342 days
    hourlyurlsum: Logs and Indexes: 32M Current Retention: 342 days
    dailyurlsum: Logs and Indexes: 5.6M Current Retention: 341 days
"Expiration-period: 0 days" means the default value is still in place, so no age-out is configured for that log type and it is purged by quota only.
"Current Retention: X days" means the oldest log currently on disk for that type is X days old; anything older has already been purged (in this output by the quota, since no expiration period is set). Check this value against your retention requirement: a low number on a busy log type such as threat means the quota is cutting retention short, and an expiration period alone will not lengthen it.
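To turn that check into something repeatable, the following script parses the output of `show system logdb-quota` in the layout shown above and audits it against a minimum-retention policy, flagging log types that still have the default "Expiration-period: 0 days", whose expiration period is shorter than required, or whose current on-disk retention already falls below the requirement, and printing the `set` commands (in the syntax given earlier) for the types that lack an age-out. This is an added example and not code from the article or from Palo Alto Networks; the embedded sample lines are copied from the article's output, while the policy values (365 days for traffic, 180 for threat) and the shortened list of log types are assumptions for illustration.

```python
"""Audit log retention from PAN-OS 'show system logdb-quota' output.

Added example for this article, not Palo Alto Networks code. It parses the
"Quotas:" and "Disk usage:" sections in the layout the article shows and
flags log types with no age-out or with too little retention on disk.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Abbreviated copy of the article's sample output (values as printed there).
SAMPLE_OUTPUT = """\
Quotas:
    system: 4.00%, 0.668 GB Expiration-period: 0 days
    config: 4.00%, 0.668 GB Expiration-period: 0 days
    traffic: 32.00%, 5.342 GB Expiration-period: 0 days
    threat: 16.00%, 2.671 GB Expiration-period: 0 days
    trsum: 7.00%, 1.169 GB Expiration-period: 0 days
    hipmatch: 3.00%, 0.501 GB Expiration-period: 0 days
Disk usage:
    traffic: Logs and Indexes: 2.8G Current Retention: 419 days
    threat: Logs and Indexes: 87M Current Retention: 113 days
    system: Logs and Indexes: 179M Current Retention: 603 days
    config: Logs and Indexes: 452M Current Retention: 603 days
    trsum: Logs and Indexes: 1.2G Current Retention: 247 days
    hipmatch: Logs and Indexes: 28K Current Retention: 0 days
"""

QUOTA_RE = re.compile(
    r"^\s*(?P<name>[\w-]+):\s+(?P<pct>[\d.]+)%,\s+(?P<gb>[\d.]+)\s+GB\s+"
    r"Expiration-period:\s+(?P<days>\d+)\s+days\s*$")
USAGE_RE = re.compile(
    r"^\s*(?P<name>[\w-]+):\s+Logs and Indexes:\s+\S+\s+"
    r"Current Retention:\s+(?P<days>\d+)\s+days\s*$")


@dataclass
class LogTypeStatus:
    name: str
    quota_pct: float
    quota_gb: float
    expiration_days: int            # 0 is the default: no age-out configured
    retention_days: Optional[int]   # None if the type has no "Disk usage" line


def parse_logdb_quota(text: str) -> Dict[str, LogTypeStatus]:
    """Return one LogTypeStatus per log type listed under Quotas."""
    statuses: Dict[str, LogTypeStatus] = {}
    section = None
    for line in text.splitlines():
        if line.strip() == "Quotas:":
            section = "quotas"
        elif line.strip() == "Disk usage:":
            section = "usage"
        elif section == "quotas" and (m := QUOTA_RE.match(line)):
            statuses[m["name"]] = LogTypeStatus(
                m["name"], float(m["pct"]), float(m["gb"]), int(m["days"]), None)
        elif section == "usage" and (m := USAGE_RE.match(line)):
            # Some types are named differently here (the article's output has
            # appstat under Quotas but appstatdb under Disk usage); such lines
            # are skipped and the type keeps retention_days=None.
            if m["name"] in statuses:
                statuses[m["name"]].retention_days = int(m["days"])
    return statuses


def audit(statuses: Dict[str, LogTypeStatus],
          required_min_days: Dict[str, int]) -> List[str]:
    """One finding per policy violation for each required log type."""
    findings: List[str] = []
    for name, min_days in required_min_days.items():
        st = statuses.get(name)
        if st is None:
            findings.append(f"{name}: not present in logdb-quota output")
            continue
        if st.expiration_days == 0:
            findings.append(f"{name}: no expiration period set (quota-based purge only)")
        elif st.expiration_days < min_days:
            findings.append(f"{name}: expiration period {st.expiration_days} days "
                            f"is below the required {min_days}")
        if st.retention_days is not None and st.retention_days < min_days:
            findings.append(f"{name}: current retention {st.retention_days} days "
                            f"is below the required {min_days}")
    return findings


def remediation_commands(statuses: Dict[str, LogTypeStatus],
                         days_by_type: Dict[str, int]) -> List[str]:
    """Configure-mode 'set' lines (syntax from the article) for every listed
    type that still has no expiration period. Review, then commit manually."""
    return [f"set deviceconfig setting management quota-settings "
            f"log-expiration-period {name} {days}"
            for name, days in days_by_type.items()
            if name in statuses and statuses[name].expiration_days == 0]


if __name__ == "__main__":
    parsed = parse_logdb_quota(SAMPLE_OUTPUT)
    policy = {"traffic": 365, "threat": 180}   # assumed policy, for illustration
    for finding in audit(parsed, policy):
        print("FINDING:", finding)
    for cmd in remediation_commands(parsed, policy):
        print("#", cmd)
```

Feed it the real output (for example, captured over SSH from the management interface) in place of SAMPLE_OUTPUT. Note that setting an expiration period only caps the age of what is kept; when the audit shows current retention below the requirement while the quota is the limiting factor, as with threat in the sample, the fix is to raise that log type's quota share or forward logs off-box, not to add an age-out.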
If you downgrade to an older PAN-OS release (for example, PAN-OS 6.1), the expiration-period settings for logs and reports are discarded and purging reverts to quota-only behavior.
I hope this article has helped you understand this feature.
As always, we welcome all feedback, comments and questions in the comment section below.
Kim
(KiWi)