Manage Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage Log and Report Expiration Periods Configure Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage

You can edit the default storage quotas for each log type but not for reports. When a log quota reaches the maximum size, Panorama starts overwriting the oldest log entries with the new log entries. The Panorama virtual appliance and M-Series appliance have different locations for storing logs and different predefined storage capacities for reports:

Panorama virtual appliance —Panorama writes all logs to its assigned storage space, which can be any of one the following: The approximately 11GB storage allocated by default on the virtual disk that you created when installing Panorama. An additional virtual disk: see Add a Virtual Disk to Panorama on an ESXi Server or Add a Virtual Disk to Panorama in vCloud Air. An NFS partition: see Mount the Panorama ESXi Server to an NFS Datastore.

The storage space for reports is 200MB.

M-Series appliance —Panorama saves logs to its internal SSD and RAID-enabled disks. The M-Series appliance uses its internal SSD to store the Config logs and System logs that Panorama and its Log Collectors generate, and also to store the Application Statistics (App Stats) logs that Panorama automatically receives at 15 minute intervals from all managed firewalls. Panorama saves all other log types to its RAID-enabled disks. The RAID disks are either local to the M-Series appliance in Panorama mode or are in a Dedicated Log Collector (M-Series appliance in Log Collector mode). To edit the storage quotas for logs on the RAID disks, you must modify the Collector Group configuration. The storage space for reports is 500MB for Panorama 6.1 or later releases and 200 MB for earlier releases.

Log and Report Expiration Periods

You can configure automatic deletion based on time for the logs that the Panorama management server and Log Collectors collect from firewalls, as well as the logs and reports that Panorama and the Log Collectors generate locally. This is useful in deployments where periodically deleting monitored information is desired or necessary. For example, deleting user information after a certain period might be mandatory in your organization for legal reasons. You configure separate expiration periods for:

Reports—Panorama deletes reports nightly at 2:00 a.m., when it generates scheduled reports. Each log type—Panorama evaluates logs as it receives them, and deletes logs that exceed the configured expiration period. Each summary log type—Panorama evaluates logs after the various summary periods (hourly, daily, and weekly), and deletes logs that exceed the configured expiration period.

Weekly summary logs that fall short of the expiration threshold when log deletion occurs could age past the threshold before the next log deletion. For example, if you configure Traffic Summary logs to expire after 20 days and a weekly Traffic Summary log is 19 days old when Panorama deletes expired logs, then it doesn't delete that log. The next time the Panorama checks for weekly logs to delete, 7 days later, that log will be 26 days old.

Panorama synchronizes expiration periods across high availability (HA) pairs. Because only the active HA peer generates logs, the passive peer has no logs or reports to delete unless failover occurs and it starts generating logs.

Even if you don’t set expiration periods, when a log quota reaches the maximum size, Panorama starts overwriting the oldest log entries with the new log entries.

Configure Storage Quotas and Expiration Periods for Logs and Reports

Configure Storage Quotas and Expiration Periods for Logs and Reports
Configure the storage quotas and expiration periods for: Logs of all types that a Panorama virtual appliance receives from firewalls. App Stats logs that Panorama (a virtual appliance or M-Series appliance) receives from firewalls. System and Config logs that Panorama (a virtual appliance or M-Series appliance) and its Log Collectors generate locally. The Panorama management server stores these logs. If you reduce a storage quota such that the current logs exceed it, after you commit the change, Panorama removes the oldest logs to fit the quota.	Select Panorama > Setup > Management and edit the Logging and Reporting Settings. In the Log Storage tab, enter the storage Quota (%) for each log type. When you change a percentage value, the page refreshes to display the corresponding absolute value (Quota GB/MB column) based on the total allotted storage on Panorama. Enter the Max Days (expiration period) for each log type (range is 1-2,000). By default, the fields are blank, which means the logs never expire. To reset the quotas and expiration periods to the factory defaults, click Restore Quota Defaults at the bottom right of the dialog.
Configure the expiration period for reports that Panorama (a virtual appliance or M-Series appliance) generates.	Select the Log Export and Reporting tab. Enter the Report Expiration Period in days (range is 1–2,000). By default, the field is blank, which means reports never expire. Click OK to save your changes.
Configure the storage quotas and expiration periods for logs of all types (except App Stats logs) that a Panorama M-Series appliance receives from firewalls. The Log Collectors store these logs. You configure these storage quotas at the Collector Group level, not for individual Log Collectors.	Select Panorama > Collector Groups and select the Collector Group. In the General tab, click the Log Storage value. This field doesn’t display a value unless you assigned Log Collectors to the Collector Group. If the field displays 0MB after you assign Log Collectors, verify that you enabled the disk pairs when configuring the Log Collector and that you committed the changes ( Panorama > Managed Collectors > Disks). Enter the storage Quota(%) for each log type. When you change a percentage value, the page refreshes to display the corresponding absolute value (Quota GB/MB column) based on the total storage allotted to the Collector Group. Enter the Max Days (expiration period) for each log type (range is 1–2,000). By default, the fields are blank, which means the logs never expire. To reset the quotas and expiration periods to the factory defaults, click Restore Quota Defaults at the bottom right of the dialog. Click OK to save your changes.
Commit your changes.	Click Commit, for the Commit Type select Panorama, and click Commit again. ( M-Series appliance only ) Click Commit, for the Commit Type select Collector Group, select the Collector Group you modified, and click OK.
Verify that Panorama applied the storage quota changes.	Select Panorama > Setup > Management and, in the Logging and Reporting Settings, verify that the Log Storage values are correct for the logs that the Panorama management server stores. Select Panorama > Collector Groups, select the Collector Group you modified, and verify that the Log Storage values in the General tab are correct for the logs that the Log Collectors store. You can also verify the Collector Group storage quotas by logging in to a Log Collector CLI and entering the operational command show log-diskquota-pct .

Document:Panorama™ Administrator’s Guide

Manage Storage Quotas and Expiration Periods for Logs and Reports

Related Documentation

Document:Panorama™ Administrator’s Guide

Manage Storage Quotas and Expiration Periods for Logs and Reports

Related Documentation

Determine Panorama Log Storage Requirements

Configure Log Storage Quotas and Expiration Periods

Panorama > Collector Groups

Troubleshoot Log Storage and Connection Issues

Configure a Collector Group

Administer Panorama

Device > Setup > Management

Configure the Report Expiration Period

Configure Log Forwarding to Panorama

Centralized Logging and Reporting