Manage Logging Storage for Traps

The Cortex Data Lake provides granular control over quota allocation for each type of log it receives. After you activate Traps management service, you must define how the service allocates log storage for Traps. If your Cortex Data Lake instance receives logs from other apps or services, you will need to consider how to allocate storage across all services and apps.
  1. Sign In to the Hub at https://apps.paloaltonetworks.com/.
  2. Select your Cortex Data Lake instance.
    If you have multiple Cortex Data Lake instances, hover over the Cortex Data Lake tile and then select the Cortex Data Lake instance from the list of available instances associated with your account.
  3. Select Configuration to define logging storage settings for Traps.
    The Cortex Data Lake displays the total storage allocated for the apps and services associated with the Cortex Data Lake instance. The Cortex Data Lake displays this information graphically and adjusts the graphic based on the storage policy you define below. The Cortex Data Lake storage policy specifies the distribution of your total storage allocated to each app or service and the minimum retention warning (not supported with Traps management service).
  4. Adjust the quota allocated for each type of Traps logs.
    You cannot exceed 100% log storage allocation.
    1. Select the total size you want to allocate to Traps logs.
      If your total allocated quota is already at 100% for non-Traps apps and services, reduce the quota for available log types to free up storage for Traps management service.
      Use the arrows to increment or decrement existing allocations or enter a new quota percentage.
    2. Expand the Traps allocation and adjust the storage allocated for each type of Traps log.
      The following table describes the different record types for Traps. While the distribution of Traps logs depends on your storage needs, a good starting point is to allocate Traps logs as indicated. It’s recommended to review the status of your Cortex Data Lake instance after about two weeks of data collection and make adjustments as needed.
      | Record Type | Description | Recommended Allocation Without Endpoint Activity Monitoring | Recommended Allocation With Endpoint Activity Monitoring |
      |---|---|---|---|
      | Threat | Includes information regarding all security events logged by Traps. This includes events such as malware and exploit preventions, post-detection events, and restriction notifications. | 2% | 0.1% |
      | Config | Audit logs recorded by Traps management service. This includes policy events—such as changes to the Traps security policy, exception management, and profile management. Audit logs also include other configuration changes such as device management, distribution management, and system management. | 1% | 0.1% |
      | System | On-going monitoring of Traps management service system and agent events. Examples include changes or updates to license management, agent registration, user authentication, agent monitoring, agent upgrade, and agent protection status. System logs are often required for day-to-day operations, as well as support and troubleshooting activities. | 14% | 0.8% |
      | Analytic | Logs from the hourly hash execution report from every Traps agent. Provides visibility on tracking attempted malware executions in your protected environment, hash exception policy changes, and forensics. File analytics reports consume a considerable share of Traps storage space. | 83% | 4% |
      | (Optional) Endpoint Data | If you enable Traps to monitor and collect endpoint events for use by apps on the Cortex platform, you must allocate at least 1 TB of storage for endpoint data and allocate quota for Endpoint Data. As a starting point, use the recommended allocation for endpoint activity monitoring. | 0% | 95% |
      To see the record type for a specific Traps log, see Log Types and Severity Levels.
  5. Apply your changes.
