Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5006
Views
5
Helpful
5
Replies

Events are pruning too quickly!!

confused_guy45
Level 1
Level 1

‎06-14-2016 06:42 AM

Hello,

I'm inside of the Firepower Management Center (in the connection summary, looking at my URL tab) just monitoring traffic, but I've noticed that events are pruning very quickly. What I mean is that it is categorizing Traffic by URL Category such as Music, Business and Economy, and even Adult and Pornography, but if I click on them to see who was looking at what, I get this message. 

Info

Event counts may differ from Dashboard as events are pruned.

No Records

Try adjusting the time window. Note that older records may have been pruned to conserve disk space.

This is just for the previous hour. I've increased the database limit/event count to what I thought was the maximum based on some Googling I did, but I haven't had any luck monitoring this. What do you recommend I should try next?

Labels:
0 Helpful
5 Replies 5

yogdhanu
Cisco Employee
Cisco Employee

‎06-14-2016 06:50 AM

Hi It could just be that too many events are being generated which are making the database limit reach. What you can do is to reduce the no. of logging.

Check each rule and make sure that logging is enabled only once either at beginning or end of connection but not both.

If there are still too many connections, disable logging on default rule.

Overall it would depend on which model of FMC you have and how many sensors are there.

Rate if helps.

Yogesh

0 Helpful

evan.chadwick1
Level 1
Level 1
In response to yogdhanu

‎08-03-2016 07:24 PM

Very common issue in this product in my opinion. Far too easy to exceed. 

After about a week in production you need to spend time trimming out logging of high hitting flows. 

The overview page can quickly show you the top hitters. Case by case basis really. 

Do you really need all the flows of traffic like kerberos, ldap, dns (maybe), reply connections to http (yes a separate flow for the reply from an outbound http connection = exhaustion quickly).

So a search in Event Connections with source port of 80 or 443 and destination of your internal network. 

0 Helpful

Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎06-14-2016 09:37 AM

Hi ,

Refer : http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118012-troubleshoot-firesight-00.html

Probably the amount of traffic that is being logged is causing the issue.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Jetsy Mathew
Cisco Employee
Cisco Employee

‎06-14-2016 10:45 PM

Hello Team,

What is the Firesight model that you have ?

Based on the fIresight model there is a minimum and maximum database limit that can be used.

Database limit can be set under system policy settings. Please verify what is your connection events database limit under system policy. 

Also let us know the model of the Firesight. Based on the models the limits varies. 

Rate if this answer helps you.

Regards

Jetsy

0 Helpful

confused_guy45
Level 1
Level 1
In response to Jetsy Mathew

‎06-15-2016 02:15 PM

Thank you. I believe I'm at the maximum limit for my model, so it seems strange!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card