topic Firesight Event Log Archival in Network Security

Firesight Event Log Archival

nrunge1 — Tue, 12 Mar 2019 12:55:04 GMT

I noticed that I was only carrying roughly 1 days worth of connection events in Firesight and increased the max retention from 1 to 10 million. I will have to wait and see but simple math would tell me that will allow me to store 10 days worth of data.

Realistically I need to be able to run reports showing application and web traffic for an employee. These report requests don't come often through HR so I don't want to necessarily keep the records in the active database.

I was curious if there was a way to rollup and archive the event log data for future reporting or any other suggestions people may have for solving my potential problem.

I was told by Cisco that best

nrunge1 — Mon, 07 Mar 2016 21:25:36 GMT

I was told by Cisco that best any appliance is going to do in terms of retention is 30 days. It looks like Sourcefire maintained a Splunk plugin so that is the direction I am headed.

I also have asked Cisco if they can confirm that the plugin still has resources post acquisition.

You should configure a syslog

Dennis Perto — Wed, 09 Mar 2016 09:50:47 GMT

You should configure a syslog server, and send the data you need from Firepower Management Center.

FMC is not intended for logging. 🙂

Well, the device not intended

nrunge1 — Wed, 09 Mar 2016 13:47:18 GMT

Well, the device not intended for "x" definitely seems to be the answer I get every time I find a caveat so I suppose that makes sense :]

I'm sorry about that. I have

Dennis Perto — Wed, 09 Mar 2016 13:50:40 GMT

I'm sorry about that. I have seen too many systems sold as a SIEM solution, but then shit hits the fan, and we can hold the log for a couple of hours.

I have a 5506-X at home sending syslog to a free Graylog2 server. The 5506-X only have a "real time" log.

Don't get me wrong. I like

nrunge1 — Wed, 09 Mar 2016 13:56:02 GMT

Don't get me wrong. I like the platform. Our partner just did a poor job both in selling us the CX and migrating us to FirePower.

I like it 10x better than the 80/443 appliances we had been using before like WebSense. What I don't like are suprises.

If they would have told us we needed a syslog on day one not only would I have bought Splunk but I probably would have tied it into the services engagement.

Instead I'm moving the consulting to a different partner.

I understand. I'm sure that

Dennis Perto — Wed, 09 Mar 2016 14:05:48 GMT

I understand.
I'm sure that you will find a way with a partner you can trust. You can always find guidance here at the support forums, or in the Cisco communities. 🙂