Retrieve Support Logs from an Endpoint

When you need to send additional forensic data to Palo Alto Networks Technical Support, you can initiate a request to retrieve all support logs and alert data dump files from an endpoint. After Cortex XDR receives the logs, you can download them and send them to Technical Support.
  1. Log in to Cortex XDR and go to Response > Action Center > + New Action.
  2. Select Retrieve Support File and click Next.
  3. Select the target endpoints (up to 10) from which you want to retrieve logs. If needed, Filter the list of endpoints. For more information, refer to Filter Page Results.
  4. Click Next.
  5. Review the action summary and click Done when finished.
     On the next heartbeat, the agent retrieves the request, packages all logs, and sends them to Cortex XDR.
  6. To track the status of a support log retrieval action, return to the Action Center.
     When the status is Completed Successfully, you can right-click the action and download the support logs. Cortex XDR retains retrieved files for up to 30 days.
     If at any time you need to cancel the action, right-click it and select Cancel for pending endpoint. You can cancel the retrieval action only while the endpoint is still in Pending status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.
  7. To view additional data and download the support logs, right-click the action and select Additional data.
     You will see all endpoints from which files are being retrieved, including their IP Address, Status, and Additional Data.
  8. When the action status is Completed Successfully, you can right-click the action and download the retrieved logs.
     Cortex XDR retains retrieved files for up to 30 days.