04-06-2021 08:33 AM
Dear community,
I have installed the noted 1600 Chassis FMC Physical and it is now in production. However, I noted that the events from a week ago do not show there anymore. I did some research to find out where the logs are saved and for how long, and found some information, but it's quite hard to decipher.
The current FMC setup has no syslog configured. So I wanted to ask about the traffic of the users. What is the number of events that this machine saved in regard to the users/hosts/servers etc. of the organization's traffic?
The information I found is: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/system_configuration.html#concept_C94E9492C76E4CCC9100B3139C7CF771
Another question I have is: "What are best practices on saving these logs?" With this I mean "log server/resources": are there some guides to set this up in regard to the FMC, and/or specifying what logs should be saved as best practice to have info on the users' traffic etc.?
Looking forward to hearing your thoughts or suggestions.
Thank you,
Laura
07-14-2021 01:15 AM
Larger FMC appliances have higher limits regarding event storage.
Some customers elect to send events to a separate box - centralized syslog server or SIEM for example. That's either for archival or integration purposes (i.e., something like Splunk with added tools to correlate events from firewall and other systems).
Still others don't use FMC at all and instead use CDO (cloud-based management alternative) with the SAL add-on. However, you give up the FMC features in lieu of CDO ones and pay a recurring fee. SAL stores events for 90 days (with the fee based on the volume).
There is also the option (with the latest releases) of on-premise SAL with a Secure Network Analytics (SNA, formerly Stealthwatch Enterprise) to store your events.
07-14-2021 12:00 AM
Hi all,
Please find following reference as a solution to this problem.
https://community.cisco.com/t5/network-security/fmc-limit-of-events/td-p/2917630
Hope it helps someone.
Best wishes,
Laura