Tips & Tricks: Log Deletion Based on Time

Tips & Tricks: Log Deletion Based on Time

45155
Created On 09/25/18 18:59 PM - Last Modified 02/07/19 23:51 PM


Resolution

Pre 7.0. PAN-OS had a purging logic which was checked against the logdb quota and the predefined quota size for reports. If the quota was reached, then the oldest logs were deleted until we reached the configured quota size for the given log type.

 

With this new feature, for logdb and reports, we added a purge function using 'Max Days.'  This allows you to configure an age-out period for each and every log type and all reports.

 

You can find this setting under Device/Panorama tab > Setup > Management > Logging and Reporting setting > Log Storage tab

 

2016-06-01_10-00-10.pngMax Days

Note that the range is between 1-2000 days across all platforms.  Adding no value equals no expiration.

 

 

For reports, you will find this setting under Device/Panorama tab > Setup > Management > Logging and Reporting setting > Log Export and Reporting tab.

 

2016-06-01_10-10-22.pngReport Expiration Period 

In the CLI, you can use the following commands:

 

# set deviceconfig setting management quota-settings log-expiration-period <log type> <number of days> 

 

Log type = traffic / threat / trsum / etc...

Number of days = 1-2000 (or default to no expiration)

 

# set deviceconfig setting management report-expiration-period <number of days>

 

Number of days = 1-2000 (or default to no expiration)

 

In the CLI, you can also verify the expiration period and the current retention using the following command:

 

> show system logdb-quota
 
Quotas:
              system: 4.00%, 0.668 GB Expiration-period: 0 days
              config: 4.00%, 0.668 GB Expiration-period: 0 days
               alarm: 3.00%, 0.501 GB Expiration-period: 0 days
             appstat: 4.00%, 0.668 GB Expiration-period: 0 days
         hip-reports: 1.00%, 0.167 GB Expiration-period: 0 days
             traffic: 32.00%, 5.342 GB Expiration-period: 0 days
              threat: 16.00%, 2.671 GB Expiration-period: 0 days
               trsum: 7.00%, 1.169 GB Expiration-period: 0 days
         hourlytrsum: 3.00%, 0.501 GB Expiration-period: 0 days
          dailytrsum: 1.00%, 0.167 GB Expiration-period: 0 days
         weeklytrsum: 1.00%, 0.167 GB Expiration-period: 0 days
              urlsum: 2.00%, 0.334 GB Expiration-period: 0 days
        hourlyurlsum: 1.00%, 0.167 GB Expiration-period: 0 days
         dailyurlsum: 1.00%, 0.167 GB Expiration-period: 0 days
        weeklyurlsum: 1.00%, 0.167 GB Expiration-period: 0 days
               thsum: 2.00%, 0.334 GB Expiration-period: 0 days
         hourlythsum: 1.00%, 0.167 GB Expiration-period: 0 days
          dailythsum: 1.00%, 0.167 GB Expiration-period: 0 days
         weeklythsum: 1.00%, 0.167 GB Expiration-period: 0 days
              userid: 1.00%, 0.167 GB Expiration-period: 0 days
   application-pcaps: 1.00%, 0.167 GB Expiration-period: 0 days
             extpcap: 1.00%, 0.167 GB Expiration-period: 0 days
  debug-filter-pcaps: 1.00%, 0.167 GB Expiration-period: 0 days
            dlp-logs: 1.00%, 0.167 GB Expiration-period: 0 days
            hipmatch: 3.00%, 0.501 GB Expiration-period: 0 days
 
Disk usage:
traffic: Logs and Indexes: 2.8G Current Retention: 419 days
threat: Logs and Indexes: 87M Current Retention: 113 days
system: Logs and Indexes: 179M Current Retention: 603 days
config: Logs and Indexes: 452M Current Retention: 603 days
trsum: Logs and Indexes: 1.2G Current Retention: 247 days
hourlytrsum: Logs and Indexes: 512M Current Retention: 178 days
dailytrsum: Logs and Indexes: 152M Current Retention: 601 days
weeklytrsum: Logs and Indexes: 98M Current Retention: 597 days
thsum: Logs and Indexes: 333M Current Retention: 453 days
hourlythsum: Logs and Indexes: 166M Current Retention: 488 days
dailythsum: Logs and Indexes: 22M Current Retention: 600 days
weeklythsum: Logs and Indexes: 4.4M Current Retention: 597 days
appstatdb: Logs and Indexes: 64M Current Retention: 603 days
userid: Logs and Indexes: 292K Current Retention: 603 days
hipmatch: Logs and Indexes: 28K Current Retention: 0 days
extpcap: Logs and Indexes: 8.1M Current Retention: 561 days
urlsum: Logs and Indexes: 124M Current Retention: 342 days
hourlyurlsum: Logs and Indexes: 32M Current Retention: 342 days
dailyurlsum: Logs and Indexes: 5.6M Current Retention: 341 days
 

 

"Expiration-period: 0 days" means that you kept the default value. So there's no expiration configured.

"Current Retention: X days" means that the oldest available log is one from X days ago.  All logs older than X days is purged.

 

In case of a downgrade to an older PAN-OS version (for example, PAN-OS 6.1), the expiration period field will be discarded for logs and reports.

 

I hope this article has helped you understand this feature.

 

As always, we welcome all feedback, comments and questions in the comment section below.

 

Kim

(KiWi)



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSJCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language