Allocate Storage Based on Log Type

To store logs in Cortex Data Lake, you must set the log storage quota (the amount of storage allocated for each log type). Some log sources, like Cortex XDR, automatically allocate storage at activation. Other sources require you to set quota before Cortex Data Lake will store their logs. After you activate a new app or service that sends data to Cortex Data Lake, check that the quota manager has storage allocated for it. Until you configure the log storage quota, logs are not saved in Cortex Data Lake.
After you’ve allocated log storage quota, view your actual storage utilization under
STATUS
.
  1. Sign In
    to the hub.
    To view the Cortex Data Lake app, you must have the correct user role. Learn more about app roles and how to assign them.
  2. Select the Cortex Data Lake instance for which you want to allocate log storage quota.
    If you have multiple Cortex Data Lake instances, click the Cortex Data Lake tile and select the instance from the dropdown of available instances associated with your account.
  3. Select
    CONFIGURATION
    and adjust the storage allocated for each type of log.
    logging-service-quota-allocation.png
    Field
    Value
    SIZE
    The log storage space with units—KB, MB, GB, TB—that you want to allocate for the log type. You cannot view the log subtypes until you allocate log storage space.
    QUOTA
    The percentage of the total
    SIZE
    you want to allocate for each log subtype.
    Setting the quota for a log subtype to 0% means that Cortex Data Lake does not store the logs. If you reset quota to 0%, all existing logs will be deleted.
    For log types such as Firewall, you must allocate 100% of the total quota across the log subtypes. The percentage that you allocate across the subtypes displays as the total quota percentage for the log type. If you do not allocate 100% quota, you cannot
    Apply
    changes.
    MAX DAYS
    (
    Optional
    ) The number of days that Cortex Data Lake retains logs. Set this value only if you have a company or regulatory retention policy that requires you to delete logs after a given time period. If you leave this field blank, Cortex Data Lake will not delete logs until the available storage space runs out.
    MIN RETENTION WARNING
    The number of days (up to 2000) that you want Cortex Data Lake to notify you before it no longer has enough space to hold logs. On reaching this threshold, Cortex Data Lake warns you that the desired log retention period is not being met. If you don’t specify a threshold, Cortex Data Lake does not notify you.
    ACTUAL RETENTION DAYS
    (
    Read-only
    ) The number of days that logs have been stored in Cortex Data Lake. Logs are rolled over when the max days is reached or the available storage space runs out. Use this information to learn about the current utilization of Cortex Data Lake or which logs it has retained the longest and assess if you need to reallocate quota to meet your log retention policy.
    • Forward Logs
      to launch the Log Forwarding app and forward your Cortex Data Lake log data to external destinations.
    • View Logs
      to launch the Explore app so you can analyze and interact with your Cortex Data Lake log data.
  4. Apply
    your changes.

Recommended For You