Configure Log Storage Quota on Cortex Data Lake

For each log type you’re storing in Cortex Data Lake, you must set the log storage quota (the amount of storage you want to allocate for each log type). By default, when you add a new log source, quota is not allocated for the log types that belong to this source. Until you configure the log storage quota, logs are not saved in Cortex Data Lake.
  1. Sign In
    to the Cortex hub at https://apps.paloaltonetworks.com/.
    If you do not see the Cortex Data Lake app, you might not have the correct user role. Learn more about app roles and how to assign them.
  2. Select the Cortex Data Lake instance for which you want to allocate log storage quota.
    If you have multiple Cortex Data Lake instances, hover over the Cortex Data Lake tile and then select the Cortex Data Lake instance from the list of available instances associated with your account.
  3. Select
    Configuration
    and adjust the storage allocated for each type of log.
  4. Expand the log type drop-down and configure the following settings for each log type.
    • Enter the
      Size
      with units—KB, MB, GB, TB—of the log storage space that you want to allocate for the log type. You cannot view the log sub types, until you allocate log storage space.
    • Set the
      Quota
      for each log sub type as a percentage of the total size you allocated.
      Setting the quota for a log subtype to 0%, means that the Cortex Data Lake does not store the logs. If you reset quota to 0%, all existing logs will be deleted.
      For a log type such as Firewall or Traps, you must allocate 100% of the total quota across the log sub types. The percentage allocation across all log sub types is summed up and displayed as the total percentage of quota for the log type. If the quota allocated is over or under 100%, you cannot apply your changes.
    • (Optional)
      Specify the
      MAX DAYS
      the Cortex Data Lake should retain logs. Set this value only if you have a company or regulatory retention policy and you need to delete logs after a given time period. If you do not enter a value here (leave it blank), logs will not be deleted on the Cortex Data Lake until the available storage space runs out.
    • Specify the
      MIN RETENTION WARNING
      , which is the threshold (in days) for which you want to store logs and be warned if there isn’t enough space on your Cortex Data Lake instance to hold logs for the minimum number of specified days. You can specify a retention period of up to 2000 days. On reaching this threshold, the Cortex Data Lake displays a warning to inform you that the desired log retention period is not being met. If you don’t specify a threshold, the Cortex Data Lake does not notify you.
    • View the
      ACTUAL RETENTION DAYS
      , which is the number of days for which logs have been stored on the Logging Service. Logs are rolled over when the max days is reached or the available storage space runs out. Use this information to learn about the current utilization of the logging service or which logs have the longest duration, and assess if you need to reallocate quota across the log subtypes to meet your log retention policy.
  5. Apply
    your changes.
    logging-service-quota-allocation.png

Related Documentation