topic Re: Logging events via third party in Network Security

Logging events via third party

ryan14 — Thu, 20 Feb 2020 13:36:30 GMT

Under the ACP logging menu, if you have the syslog alert variable set, does that mean that in addition to sending the same event logs to the FMC, it also sends the same syslog to what you configure as?

If so, what syslog servers do you guys use that provide the same functionality as the FMC where you can search based on items such as source IP and block reason.

I find the fmc is nice for the short term but doesn't retain data long enough. Could it be that the FMC needs to be reconfigured to retain more data?

Re: Logging events via third party

Marvin Rhoads — Thu, 20 Feb 2020 14:08:59 GMT

Customers who require extended log retention typically use something like Splunk ($$$) or, if they have some time to setup an open source solution, something like greylog or ELKstack.

Another option is to switch over to CDO management and use Cisco's recently-introduced Security Analytics and Logging (SAL) service. It retains 90 days of events and pricing is based on volume.

Re: Logging events via third party

ryan14 — Thu, 20 Feb 2020 14:44:46 GMT

Thanks. Does the logging get sent to the FMC still if external syslog is configured or does that override FMC? How can I ensure my fmc is configured to allow its max potential to store logging data or retention period.

Re: Logging events via third party

Marvin Rhoads — Fri, 21 Feb 2020 05:10:27 GMT

Logging will still be sent to FMC as long as your rule entries have the selection for "event viewer" in their logging setting:

By default the system divides up the available database storage space to favor security-related logs vs pure connection events. You can see the settings as follows:

Each FMC platform has different capacity to store logs. The data sheets list that specification.