Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2106
Views
0
Helpful
3
Replies

FMC Event Viewer

fatalXerror
Level 5
Level 5

ā€Ž09-11-2019 02:49 AM - edited ā€Ž02-21-2020 09:29 AM

Hi, I would like to ask how long does the FMC hold the logs in its Event Viewer log database? And is it configurable?

Thanks

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

ā€Ž09-11-2019 05:28 AM

It's not based on time but number of events. 

For Connection Events and Security Intelligence events (combined) the upper limit is 50 million on an FMCv (release 6.4) and up to 1 billion on an FMC 4000 series. (We expect this to change in Firepower 6.5 - for the better.) The default is 1 million events. You can easily get that many in just a few hours on a moderate size enterprise if you are logging all connections.

You can see and change the settings in FMC under System > Configuration > Database

0 Helpful

fatalXerror
Level 5
Level 5
In response to Marvin Rhoads

ā€Ž09-11-2019 09:35 AM

Hi @Marvin Rhoads, what will happen if it reach the limit? Based on my understanding from you there is no default or automatic purging for the logs in FMC, am I correct? THanks

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fatalXerror

ā€Ž09-12-2019 04:13 AM

The events "roll over" when you reach the limit. That is, the oldest events are dropped out of the tables to make room for the newest ones.

The only thing in Firepower that doesn't behave this way is host discovery. That's why it's important to properly define your $HOME_NET and $EXTERNAL_NET variables.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card