Allocate Storage Based on Log Type

To store logs in
Cortex Data Lake
, you must set the log storage quota (the amount of storage allocated for each log type). Some log sources automatically allocate storage at activation. Other sources require you to set quota to a value greater than 0 before
Cortex Data Lake
will store their logs. After you activate a new app or service that sends data to
Cortex Data Lake
, verify that the quota manager has storage allocated for it. When the log storage quota is not configured,
Cortex Data Lake
saves logs in the unallocated space that the quota manager automatically assigns.
After you allocate log storage quota, view your actual storage utilization under
STATUS
.
  1. Sign In
    to the hub.
    To view the Cortex Data Lake app, you must have the correct user role. Learn more about app roles and how to assign them.
  2. Select the Cortex Data Lake instance for which you want to allocate log storage quota.
    If you have multiple Cortex Data Lake instances, click the Cortex Data Lake tile and select the instance from the drop-down of available instances associated with your account.
  3. Select
    CONFIGURATION
    and adjust the storage allocated for each log type.
    Field
    Value
    QUOTA (%)
    (
    Optional
    ) The percentage of your total Cortex Data Lake capacity that you want to allocate for each log type.
    Setting
    QUOTA
    for a log type to 0% means that Cortex Data Lake does not store the logs. If you reset
    QUOTA
    to 0%, all existing logs will be deleted.
    Leave this field blank to allocate all remaining storage to a log type. If you leave this field blank for multiple log types, they all share the remaining unallocated storage. When no more unallocated storage remains, Cortex Data Lake deletes the oldest logs among the log types with this field empty.
    ALLOCATED SIZE
    (
    Read-only
    ) The amount of log storage space allocated for each log type in KB, MB, GB, or TB.
    MAX RETENTION DAYS
    (
    Optional
    ) The number of days that Cortex Data Lake retains logs. Set this value only if you have a company or regulatory retention policy that requires you to delete logs after a given time period. If you leave this field blank, Cortex Data Lake will not delete logs until the available storage space runs out.
    Setting
    MAX RETENTION DAYS
    for a log type to 0 means that Cortex Data Lake does not store the logs. If you set
    MAX RETENTION DAYS
    to 0, all existing logs will be deleted.
    ACTUAL RETENTION DAYS
    (
    Read-only
    ) The number of days that logs have been stored in Cortex Data Lake. Logs are rolled over when the max days is reached or the available storage space runs out. Use this information to learn about the current utilization of Cortex Data Lake or which logs it has retained the longest and assess if you need to reallocate quota to meet your log retention policy.
    You can toggle whether to store or ingest log data from individual firewalls in the
    Inventory
    tab.
  4. Apply
    your changes.

Recommended For You