Is there a way to know how long the PA850 can hold the logs (retention)? How do I determine when the storage will get full? I know the old logs are deleted so the firewall storage will not get full; is my understanding correct?
There is documentation from Palo, "SIZING STORAGE FOR THE LOGGING SERVICE", but I find it hard to follow.
Thank you so much. Let me give this a try and keep you posted.
You are correct in the statement that old logs will be deleted in favor of new logs once the log database is about to get full.
Calculating log retention requires that you know a few things about your system:
- the log rate per second or the volume of logs per day
- the available log storage size
You first need to figure out how many logs are collected. This can be done by measuring the log rate and calculating how many logs that amounts to, or by viewing the number of logs received per day and calculating the average.
These statistics can be calculated by issuing this command:
> debug log-receiver statistics
Unfortunately these statistics only return the current logs per second and the total volume of logs generated up to this moment, so you can either take snapshots throughout the day to gauge an average log rate, or just take a measurement of the total volume at a set time per day for a few days and calculate the difference per day.
Taking into account that each log entry is 0.5 KB in size, you can calculate how much storage you need per day.
To calculate logs/sec: 1,000,000 on Monday, 1,100,000 on Tuesday, 1,200,000 on Wednesday, etc. means an average of 100,000 logs per day; divided by 86,400 that is a 1.15 log rate per second.
To calculate LogStorage/day: (LogsPerSecond * 86400 * 0.5 KB) / 1,000,000
You can then check how much space is actually available:
> show system logdb-quota
to see how long you can estimate logs will be stored.
If you figure out your log rate per second, you can also use the calculator and slowly decrease the number of days to see what kind of storage will be consumed:
https://apps.paloaltonetworks.com/cortex-sizing-calculator
E.g. I know that I have 100 logs per second on average over the course of a day (20 GB/day), and I know my traffic log allows for 30 GB of storage, so I can store up to 1.5 days' worth of logs.
Hope this helps.
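The retention estimate described in the answer above, carried through as an added Python example (not code from the answer's author or from Palo Alto Networks). It takes the cumulative log counts from once-a-day snapshots of "debug log-receiver statistics", uses the answer's 0.5 KB per entry and decimal KB-to-GB conversion, and divides a quota read from "show system logdb-quota" by the daily growth; the snapshot values and the 30 GB quota are the answer's own figures, and the counter-reset check is an assumption added here.

```python
SECONDS_PER_DAY = 86_400
LOG_ENTRY_KB = 0.5        # size per log entry used in the answer above
KB_PER_GB = 1_000_000     # decimal conversion used in the answer's formula


def average_logs_per_day(daily_totals):
    """Average daily growth of the cumulative log counter.

    daily_totals: total log count read at the same time each day, in order.
    """
    if len(daily_totals) < 2:
        raise ValueError("need at least two daily snapshots to compute a rate")
    deltas = [later - earlier for earlier, later in zip(daily_totals, daily_totals[1:])]
    # A cumulative counter should never shrink; if it does, the firewall was
    # probably rebooted and the series must be restarted (assumption added here).
    if any(d < 0 for d in deltas):
        raise ValueError("counter decreased between snapshots; discard and re-measure")
    return sum(deltas) / len(deltas)


def logs_per_second(logs_per_day):
    return logs_per_day / SECONDS_PER_DAY


def storage_gb_per_day(rate_per_second):
    # (LogsPerSecond * 86400 * 0.5 KB) / 1,000,000, as in the answer
    return rate_per_second * SECONDS_PER_DAY * LOG_ENTRY_KB / KB_PER_GB


def retention_days(quota_gb, gb_per_day):
    """Days until the quota fills and the oldest logs start being purged."""
    if gb_per_day <= 0:
        raise ValueError("daily growth must be positive")
    return quota_gb / gb_per_day


def estimate_retention(daily_totals, quota_gb):
    per_day = average_logs_per_day(daily_totals)
    per_second = logs_per_second(per_day)
    gb_day = storage_gb_per_day(per_second)
    return {
        "logs_per_day": per_day,
        "logs_per_second": per_second,
        "gb_per_day": gb_day,
        "retention_days": retention_days(quota_gb, gb_day),
    }


if __name__ == "__main__":
    # Constructed input: Monday/Tuesday/Wednesday totals from the answer, 30 GB traffic log quota
    print(estimate_retention([1_000_000, 1_100_000, 1_200_000], quota_gb=30))
```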