1923 Views, 5 Helpful, 2 Replies
Cisco Firepower Management Center 1600 Chassis event logs

laurathaqi (Level 3)

Dear community,

I have installed the noted 1600 Chassis FMC (physical) and it is now in production. However, I noticed that the events from a week ago do not show there anymore. I did some research to find out where the logs are saved and for how long, and found some information, but it's quite hard to decipher.

The current FMC setup has no syslog configured. So I wanted to ask about the traffic of the users: what is the number of events that this machine saves regarding the users/hosts/servers etc. of the organization's traffic?

The information I found is: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/system_configuration.html#concept_C94E9492C76E4CCC9100B3139C7CF771

Another question I have is: "What are the best practices on saving these logs?" By this I mean "log server/resources": are there guides to set this up for the FMC, and/or specifying which logs should be saved as a best practice to have information regarding the users' traffic, etc.?

Looking forward to hearing your thoughts or suggestions.

Thank you,

Laura

1 Accepted Solution

Marvin Rhoads (Hall of Fame)

Larger FMC appliances have higher limits regarding event storage.

Some customers elect to send events to a separate box - centralized syslog server or SIEM for example. That's either for archival or integration purposes (i.e., something like Splunk with added tools to correlate events from firewall and other systems).

Still others don't use FMC at all and instead use CDO (cloud-based management alternative) with the SAL add-on. However, you give up the FMC features in lieu of CDO ones and pay a recurring fee. SAL stores events for 90 days (with fee based on the volume).

There is also the option (with the latest releases) of on-premise SAL with Secure Network Analytics (SNA, formerly Stealthwatch Enterprise) to store your events.

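As an added illustration of the "send events to a separate box" option described in the accepted answer (this is not code from the thread, from Cisco or from the FMC), below is a small Python syslog receiver that parses each event, appends it to a per-day JSON Lines archive and prunes files older than a retention window. The line layout used by the constructed samples (an RFC 3164 header followed by a `%FTD-<severity>-<id>` tag and comma-separated `Key: Value` pairs) is an assumption approximating FTD/FMC syslog output and should be checked against what your own devices emit; the hostnames, addresses, the listening port and the 90-day default are likewise assumptions.

```python
# Added example, not FMC/Cisco code: syslog receiver with date-based archive
# files and retention pruning. Message layout is an assumed approximation of
# FTD/FMC syslog output; sample lines below are constructed, not captured.
import datetime as dt
import json
import os
import re
import socketserver
import tempfile
from typing import Optional

# Assumed layout: <PRI>Mon DD HH:MM:SS host %FTD-<sev>-<id>: Key: Value, Key: Value
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<tag>[A-Z]+-\d-\d+): (?P<body>.*)$"
)

SAMPLE_LINES = [  # constructed sample lines, not from a real device
    "<174>Mar 10 14:02:11 ftd-edge-1 %FTD-6-430003: EventPriority: Low, "
    "SrcIP: 10.1.2.3, DstIP: 203.0.113.7, DstPort: 443, Protocol: tcp, "
    "AccessControlRuleAction: Allow",
    "<172>Mar 10 14:02:12 ftd-edge-1 %FTD-4-430001: EventPriority: High, "
    "SrcIP: 198.51.100.9, DstIP: 10.1.2.3, Classification: Potentially Bad Traffic",
    "not a syslog line",  # malformed input must be dropped, not crash the server
]


def parse_syslog(line: str) -> Optional[dict]:
    """Split one syslog line into PRI fields, header and a Key: Value map."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    event = {
        "facility": pri // 8,          # RFC 3164: PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "message_id": m["tag"],
        "fields": {},
    }
    for part in m["body"].split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            event["fields"][key.strip()] = value.strip()
    return event


def archive_event(root: str, event: dict, received: dt.date) -> str:
    """Append the event as one JSON line to <root>/<YYYY-MM-DD>.jsonl."""
    path = os.path.join(root, received.isoformat() + ".jsonl")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, sort_keys=True) + "\n")
    return path


def prune_archive(root: str, retention_days: int, today: dt.date) -> list:
    """Delete day files older than the window; a file exactly at the cutoff is kept."""
    cutoff = today - dt.timedelta(days=retention_days)
    removed = []
    for name in sorted(os.listdir(root)):
        stem, ext = os.path.splitext(name)
        if ext != ".jsonl":
            continue
        try:
            day = dt.date.fromisoformat(stem)
        except ValueError:
            continue  # not one of our archive files; leave it alone
        if day < cutoff:
            os.remove(os.path.join(root, name))
            removed.append(name)
    return removed


class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request[0].decode("utf-8", errors="replace")
        event = parse_syslog(data)
        if event is not None:
            archive_event(self.server.archive_root, event, dt.date.today())


def serve(root: str, host: str = "0.0.0.0", port: int = 5514) -> None:
    """Blocking UDP syslog listener (port 5514 is an assumption; 514 needs root)."""
    with socketserver.UDPServer((host, port), _Handler) as srv:
        srv.archive_root = root
        srv.serve_forever()


def run_demo(retention_days: int = 90) -> dict:
    """Offline walk-through: parse samples, archive, plant stale files, prune."""
    today = dt.date(2024, 3, 10)  # fixed date so the run is deterministic
    with tempfile.TemporaryDirectory() as root:
        parsed = [parse_syslog(line) for line in SAMPLE_LINES]
        kept = [e for e in parsed if e is not None]
        for e in kept:
            archive_event(root, e, today)
        # one file just outside the window and one exactly at the cutoff
        for offset in (retention_days + 1, retention_days):
            day = today - dt.timedelta(days=offset)
            open(os.path.join(root, day.isoformat() + ".jsonl"), "w").close()
        removed = prune_archive(root, retention_days, today)
        remaining = sorted(os.listdir(root))
        with open(os.path.join(root, today.isoformat() + ".jsonl")) as fh:
            archived = len(fh.read().splitlines())
    return {"parsed": len(kept), "dropped": len(parsed) - len(kept),
            "removed": removed, "remaining": remaining, "archived_lines": archived}


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the demo result; `serve("/var/log/ftd-archive")` (path assumed) would start the listener for real, and `prune_archive` is meant to be called from a daily job. The parser returns `None` for malformed input rather than raising, so one bad datagram cannot stop the receiver, and the retention check keys on the archive file's date rather than on file mtime, so a restored or copied archive is pruned on the same schedule as the original.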

2 Replies

laurathaqi (Level 3)

Hi all,

Please find the following reference as a solution to this problem.

https://community.cisco.com/t5/network-security/fmc-limit-of-events/td-p/2917630

Hope it helps someone.

Best wishes,

Laura

