Allocate Storage Based on Log Type
For each log type you’re storing in Cortex Data Lake, you must set the log storage quota (the amount of storage you want to allocate for each log type). By default, when you add a new log source, quota is not allocated for the log types that belong to this source. Until you configure the log storage quota, logs are not saved in Cortex Data Lake.
- Select the Cortex Data Lake instance for which you want to allocate log storage quota.If you have multiple Cortex Data Lake instances, hover over the Cortex Data Lake tile and then select the Cortex Data Lake instance from the list of available instances associated with your account.
- SelectConfigurationand adjust the storage allocated for each type of log.
- Expand the log type drop-down and configure the following settings for each log type.
- Enter theSizewith units—KB, MB, GB, TB—of the log storage space that you want to allocate for the log type. You cannot view the log sub types until you allocate log storage space.
- Set theQuotafor each log sub type as a percentage of the total size you allocated.Setting the quota for a log subtype to 0% means that the Cortex Data Lake does not store the logs. If you reset quota to 0%, all existing logs will be deleted.For a log type such as Firewall or Traps, you must allocate 100% of the total quota across the log sub types. The percentage allocation across all log sub types is summed up and displayed as the total percentage of quota for the log type. If the quota allocated is over or under 100%, you cannot apply your changes.
- (Optional)Specify theMAX DAYSthe Cortex Data Lake should retain logs. Set this value only if you have a company or regulatory retention policy and you need to delete logs after a given time period. If you do not enter a value here (leave it blank), logs will not be deleted on the Cortex Data Lake until the available storage space runs out.
- Specify theMIN RETENTION WARNING, which is the threshold (in days) for which you want to store logs and be warned if there isn’t enough space on your Cortex Data Lake instance to hold logs for the minimum number of specified days. You can specify a retention period of up to 2000 days. On reaching this threshold, the Cortex Data Lake displays a warning to inform you that the desired log retention period is not being met. If you don’t specify a threshold, the Cortex Data Lake does not notify you.
- View theACTUAL RETENTION DAYS, which is the number of days for which logs have been stored on the Logging Service. Logs are rolled over when the max days is reached or the available storage space runs out. Use this information to learn about the current utilization of the logging service or which logs have the longest duration, and assess if you need to reallocate quota across the log subtypes to meet your log retention policy.
- Applyyour changes.