ASA FireSIGHT not keeping event logs

Butler741 · ‎11-29-2016

I have version 6.1 of the FireSIGHT / FirePOWER and everything is running as expected.
How ever my user event logs only keep 1 or 2 days at a time. I want a long running history of the usage.

I have the "System" "Configuration" "Database" completely maxed out for what it will accept, and yet I still cannot see what people's events were more than 2 days ago.

Any advice?

Pujita Patni · ‎12-08-2016

Hi,

You can look at the Database Event Limit here based on what hardware model you are using for FMC:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Management_Center_System_Configuration.html#concept_C94E9492C76E4CCC9100B3139C7CF771

If you are getting connection events in 2 days more than what the device can hold, you will have to look for alternate options to store the events like syslog, estreamer, getting a bigger hardware etc.

Thanks,

Pujita Patni

Rate if it helps !

Butler741 · ‎12-09-2016

Pujita,

Thank you for your response.

I am using the Virtual Management Center and it appears that I can store 49,000,000 Connection Events. I have around 1200 users so that will get filled up pretty quickly as everything seems to be getting captured.

I did try to send the connection events to a syslog server, but the information isn't very usable in that format.

I think if I could just log websites and not the large amount of other connections that occur I would have the information I am looking to capture while reducing the database size.

Any suggestions?