topic Events are pruning too quickly!! in Network Security

Events are pruning too quickly!!

confused_guy45 — Tue, 14 Jun 2016 13:42:25 GMT

Hello,

I'm inside of the Firepower Management Center (in the connection summary, looking at my URL tab) just monitoring traffic, but I've noticed that events are pruning very quickly. What I mean is that it is categorizing Traffic by URL Category such as Music, Business and Economy, and even Adult and Pornography, but if I click on them to see who was looking at what, I get this message.

Info

Event counts may differ from Dashboard as events are pruned.

No Records

Try adjusting the time window. Note that older records may have been pruned to conserve disk space.

This is just for the previous hour. I've increased the database limit/event count to what I thought was the maximum based on some Googling I did, but I haven't had any luck monitoring this. What do you recommend I should try next?

Hi It could just be that too

yogdhanu — Tue, 14 Jun 2016 13:50:35 GMT

Hi It could just be that too many events are being generated which are making the database limit reach. What you can do is to reduce the no. of logging.

Check each rule and make sure that logging is enabled only once either at beginning or end of connection but not both.

If there are still too many connections, disable logging on default rule.

Overall it would depend on which model of FMC you have and how many sensors are there.

Rate if helps.

Yogesh

Hi ,

Aastha Bhardwaj — Tue, 14 Jun 2016 16:37:19 GMT

Hi ,

Refer : http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118012-troubleshoot-firesight-00.html

Probably the amount of traffic that is being logged is causing the issue.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hello Team,

Jetsy Mathew — Wed, 15 Jun 2016 05:45:31 GMT

Hello Team,

What is the Firesight model that you have ?

Based on the fIresight model there is a minimum and maximum database limit that can be used.

Database limit can be set under system policy settings. Please verify what is your connection events database limit under system policy.

Also let us know the model of the Firesight. Based on the models the limits varies.

Rate if this answer helps you.

Regards

Jetsy

Thank you. I believe I'm at

confused_guy45 — Wed, 15 Jun 2016 21:15:15 GMT

Thank you. I believe I'm at the maximum limit for my model, so it seems strange!

Very common issue in this

evan.chadwick1 — Thu, 04 Aug 2016 02:24:36 GMT

Very common issue in this product in my opinion. Far too easy to exceed.

After about a week in production you need to spend time trimming out logging of high hitting flows.

The overview page can quickly show you the top hitters. Case by case basis really.

Do you really need all the flows of traffic like kerberos, ldap, dns (maybe), reply connections to http (yes a separate flow for the reply from an outbound http connection = exhaustion quickly).

So a search in Event Connections with source port of 80 or 443 and destination of your internal network.