
Logging recommendations

m.yost
Level 1

Are there any recommendations as to when you should choose to log at the beginning or end?  I know in some circumstances, the only option is at the beginning due to the packet being dropped, but what about in other situations?  

For example, I have an access-control rule that has the Balanced Security and Connectivity IPS policy set and a custom File Policy.  The action is set to Allow which should still block bad stuff if it goes through.  Is it better to log at the beginning or end?

My default action for this policy is Network Discovery only.  Is it better to log at the beginning or end?

The only other place I have logging enabled is in the SSL policies and you can only log at the end.

The problem is that I ran into an issue where FMC seemed to have very few events (like maybe an hour's worth) whereas previously I had days' worth, so I have a feeling I have too much logging toggled now. Running the virtual appliance, which looks like it maxes at 10M connection events.


4 Replies

yogdhanu
Cisco Employee

Hi

For a single connection, the end-of-connection event contains all of the information in the beginning-of-connection event as well as information that was gathered over the duration of the session. For Trust and Allow rules, it is recommended that End-of-Connection is used.

Rate if it helps.

Yogesh

What if Network Discovery Only is your default action in the access policy?  Should that be logged or not and if so, at the beginning or end?

If you need to see what's going on in the network and keep track, you can have logging enabled.

I would suggest using End-of-Connection in there as well.

For the SSL policy you can have it with end of connection, as the SSL policy needs to make a decision and then log, which will be better.

Rate if it helps.

Yogesh

Thanks for the info. I made the necessary tweaks and I'm only getting ~20 hours of connection events. If I look at the # of rows in Connection events, it's only a little over 1 million, and the virtual FMC appliance should be able to do 10 Million between connection events and Security Intelligence Events (there are no events in here). I have a TAC case open to see what the deal is.
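
As an added illustration (not code from this thread or from Cisco), a short Python check over constructed connection-event rows: it flags flows that were logged at both beginning and end of connection, where the beginning row is redundant per the explanation above, and applies the retention arithmetic from the last post against the 10M connection-event capacity mentioned. The row fields are assumed to mirror FMC's connection-event columns (First Packet, Last Packet, initiator/responder IP and port, Access Control Rule); the sample rows are made up.

```python
from collections import Counter

# Constructed sample rows, not an FMC export. A beginning-of-connection row
# has no Last Packet yet; an end-of-connection row carries both timestamps
# plus everything the beginning row had.
SAMPLE_EVENTS = [
    {"first": "10:00:00", "last": None,       "src": "10.1.1.5", "dst": "93.184.216.34",
     "sport": 51000, "dport": 443, "rule": "Allow-Web"},
    {"first": "10:00:00", "last": "10:00:42", "src": "10.1.1.5", "dst": "93.184.216.34",
     "sport": 51000, "dport": 443, "rule": "Allow-Web"},
    {"first": "10:00:03", "last": None,       "src": "10.1.1.9", "dst": "93.184.216.34",
     "sport": 51002, "dport": 443, "rule": "Allow-Web"},
    {"first": "10:00:03", "last": "10:01:10", "src": "10.1.1.9", "dst": "93.184.216.34",
     "sport": 51002, "dport": 443, "rule": "Allow-Web"},
    # Block rules can only log at the beginning, so a lone beginning row is expected here.
    {"first": "10:00:05", "last": None,       "src": "10.1.1.7", "dst": "198.51.100.8",
     "sport": 40000, "dport": 23,  "rule": "Block-Telnet"},
    {"first": "10:00:07", "last": "10:00:09", "src": "10.1.1.5", "dst": "10.1.2.20",
     "sport": 52000, "dport": 53,  "rule": "Default Action"},
]


def flow_key(ev):
    """Identify one connection by its first-packet time, endpoints, ports and rule."""
    return (ev["first"], ev["src"], ev["dst"], ev["sport"], ev["dport"], ev["rule"])


def double_logged(events):
    """Flows present as both a beginning-of-connection and an end-of-connection row."""
    begins = {flow_key(e) for e in events if e["last"] is None}
    ends = {flow_key(e) for e in events if e["last"] is not None}
    return begins & ends


def redundant_rows_by_rule(events):
    """Per rule, how many beginning rows could be dropped by logging end-only."""
    return Counter(key[-1] for key in double_logged(events))


def retention_hours(rows, hours_covered, capacity=10_000_000):
    """Hours of history the event store can hold at the observed event rate."""
    if rows <= 0 or hours_covered <= 0:
        raise ValueError("rows and hours_covered must be positive")
    return capacity * hours_covered / rows


if __name__ == "__main__":
    print("redundant beginning rows per rule:", dict(redundant_rows_by_rule(SAMPLE_EVENTS)))
    # The poster's figures: ~1M rows spanning ~20 hours against a 10M capacity.
    print("expected retention at that rate: %.0f hours" % retention_hours(1_000_000, 20))
```

The second print reproduces the mismatch the poster raised: at roughly 1M rows per 20 hours, a 10M store should hold about 200 hours, not 20.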
