How to determine expected logging volumes for ZTNA
Article ID: 435486

Updated On:

Products

Symantec ZTNA

Issue/Introduction

The ZTNA admin wants to enable event streaming for both ZTNA logs and ZTNA audit logs (via the Cloud SWG Portal).

ZTNA logs will initially be sent to a cloud bucket, from where they will be ingested into Splunk.

As part of the project, the Splunk team is asking for the expected logging volume for ZTNA.

In the production setup, about 750 users have used ZTNA in the past 30 days, accessing more than 50 configured applications.

Is there any way of estimating how many GB/day of ZTNA logs would be shipped on average?

Environment

ZTNA.

Log event streaming.

Cloud SWG Portal.

Resolution

To start the process, the ZTNA admin needs to go to the Cloud SWG Portal and run a query under Report Center -> Event viewer. Within this view, you can select the data source; this needs to be done for both ZTNA and ZTNA audit. For example, with the ZTNA forensic logs selected as the data source, you can search over the desired week or month.

After the page is rendered, you can export it as a CSV file and get an idea of 

  • The number of events and
  • The size of each event

When exporting to Splunk using event streaming, the admin may decide to send either a subset of the information or the full information, based on the fields included with the log stream (see below). The logs exported in the previous step include the full information, so the size of the monthly/weekly logs estimated from them is an upper bound for what event streaming will ship.

This operation needs to be done for both the ZTNA forensic logs and the ZTNA audit logs (the audit logs will be a fraction of the forensic logs).
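The arithmetic the steps above describe, from the number of events and the size of each event in the exported CSV to an average GB/day figure for the Splunk team, as an added worked example that is not part of the article and not Broadcom's tooling. It assumes nothing about the real export beyond a timestamp column: the column names, the `%Y-%m-%dT%H:%M:%SZ` timestamp format and the sample rows are constructed here, so map `ts_field` and `fields` to whatever the Event viewer CSV actually contains. Per-event size is taken as the UTF-8 length of the streamed fields, and the optional `fields` argument models the "subset of info" case.

```python
import csv
import io
from datetime import datetime

# Constructed sample standing in for a CSV exported from Report Center -> Event viewer
# with the ZTNA forensic data source selected. Column names are assumptions.
SAMPLE_FORENSIC_CSV = """\
timestamp,user,application,action
2024-05-01T08:00:00Z,alice@example.com,hr-portal,allow
2024-05-01T09:15:00Z,bob@example.com,crm,allow
2024-05-02T10:30:00Z,alice@example.com,crm,deny
2024-05-03T11:45:00Z,carol@example.com,hr-portal,allow
"""

# Constructed sample for the ZTNA audit data source (again, assumed columns).
SAMPLE_AUDIT_CSV = """\
timestamp,admin,change
2024-05-01T07:00:00Z,admin@example.com,policy-update
2024-05-03T12:00:00Z,admin@example.com,app-added
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed; adjust to the export's real format


def estimate_volume(csv_text, fields=None, ts_field="timestamp"):
    """Estimate streaming volume from an Event viewer CSV export.

    fields: the columns that will actually be streamed (None = full info).
    Returns event count, average event size, the export's time window in days
    and the extrapolated bytes/day and GB/day (decimal GB, 1e9 bytes).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    chosen = list(fields) if fields else list(reader.fieldnames)
    count = 0
    total_bytes = 0
    first = last = None
    for row in reader:
        # Size of the event as it would be streamed: the chosen fields, comma-joined.
        streamed = ",".join(row[f] for f in chosen)
        total_bytes += len(streamed.encode("utf-8"))
        count += 1
        ts = datetime.strptime(row[ts_field], TS_FORMAT)
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    if count == 0:
        raise ValueError("export contains no events")
    # Calendar days covered by the export, inclusive of both end days.
    window_days = (last.date() - first.date()).days + 1
    bytes_per_day = total_bytes / window_days
    return {
        "events": count,
        "total_bytes": total_bytes,
        "avg_event_bytes": total_bytes / count,
        "window_days": window_days,
        "bytes_per_day": bytes_per_day,
        "gb_per_day": bytes_per_day / 1e9,
        "gb_per_30_days": bytes_per_day * 30 / 1e9,
    }


def combined_daily_volume(*estimates):
    """Sum the per-day figures of several data sources (forensic + audit)."""
    bytes_per_day = sum(e["bytes_per_day"] for e in estimates)
    return {"bytes_per_day": bytes_per_day, "gb_per_day": bytes_per_day / 1e9}


if __name__ == "__main__":
    forensic = estimate_volume(SAMPLE_FORENSIC_CSV)
    audit = estimate_volume(SAMPLE_AUDIT_CSV)
    subset = estimate_volume(SAMPLE_FORENSIC_CSV, fields=("timestamp", "user", "action"))
    print("forensic (full info):", forensic)
    print("forensic (subset):   ", subset)
    print("audit:               ", audit)
    print("combined:            ", combined_daily_volume(forensic, audit))
```

Run it against the real exports by replacing the sample strings with the file contents; the week- or month-long export the article recommends gives a far more representative window than the three constructed days here, and the subset figure shows how much the stream shrinks if only selected fields are sent.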