Cortex Data Lake Log Types

You can store these types of logs in Cortex Data Lake
In the Cortex Data Lake app, you can set how much of your overall log storage you want to allocate to the following log types:
Log Type
Common Logs
Configuration logs—entries for changes to the firewall configuration.
System logs—entries for each system event on the firewall.
Firewall Logs
Authentication logs—information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication Policy rules.
DNS Security Logs
—information that the DNS Security service collects, such as server response and request information based on your firewall security policy rules, associated action, and the DNS query details when performing domain lookups.
Cortex Data Lake
Estimator does not yet support DNS Security logs, so you must calculate log storage manually. The average size of a DNS Security log is approximately 833 bytes.
Enhanced application logs—data that increases visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR and IoT Security.
Cortex Data Lake
only streams these logs to other applications and does not store them, so they do not use storage space.
Extended packet capture
—packet captures in a proprietary Palo Alto Networks format. The firewall only collects these if you enable extended capture in Vulnerability Protection or Anti-Spyware profiles.
Data filering logs—entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects.
  • GlobalProtect system logs
  • LSVPN/satellite events
  • GlobalProtect portal and gateway logs
  • Clientless VPN logs
HIP Match logs—information about the security status of the end devices accessing your network.
IP-Tag logs—how and when a source IP address is registered or unregistered on the firewall and what tag the firewall applied to the address.
Stream Control Transmission Protol logs—events and associations based on logs generated by the firewall while it performs stateful inspection, protocol validation, and filtering of SCTP traffic.
Threat logs—entries generated when traffic matches one of the Security Profiles attached to a security rule on the firewall.
Traffic logs—entries for the start and end of each session.
Tunnel Inspection logs—entries of non-encrypted tunnel sessions.
URL Filtering logs—entries for traffic that matches the URL Filtering profile attached to a security policy rule.
User-ID logs—information about IP address-to-username mappings and Authentication Timestamps, such as the sources of the mapping information and the times when users authenticated.

Recommended For You