Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2703
Views
0
Helpful
6
Replies

Firesight Event Log Archival

nrunge1
Level 1
Level 1

‎02-29-2016 08:24 AM - edited ‎03-12-2019 05:55 AM

I noticed that I was only carrying roughly 1 days worth of connection events in Firesight and increased the max retention from 1 to 10 million. I will have to wait and see but simple math would tell me that will allow me to store 10 days worth of data. 

Realistically I need to be able to run reports showing application and web traffic for an employee. These report requests don't come often through HR so I don't want to necessarily keep the records in the active database.

I was curious if there was a way to rollup and archive the event log data for future reporting or any other suggestions people may have for solving my potential problem.

1 person had this problem
Labels:
0 Helpful
6 Replies 6

nrunge1
Level 1
Level 1

‎03-07-2016 01:25 PM

I was told by Cisco that best any appliance is going to do in terms of retention is 30 days. It looks like Sourcefire maintained a Splunk plugin so that is the direction I am headed. 

I also have asked Cisco if they can confirm that the plugin still has resources post acquisition. 

0 Helpful

Dennis Perto
Level 5
Level 5

‎03-09-2016 01:50 AM

You should configure a syslog server, and send the data you need from Firepower Management Center.

FMC is not intended for logging. :)

0 Helpful

nrunge1
Level 1
Level 1
In response to Dennis Perto

‎03-09-2016 05:47 AM

Well, the device not intended for "x" definitely seems to be the answer I get every time I find a caveat so I suppose that makes sense :]

0 Helpful

Dennis Perto
Level 5
Level 5
In response to nrunge1

‎03-09-2016 05:50 AM

I'm sorry about that. I have seen too many systems sold as a SIEM solution, but then shit hits the fan, and we can hold the log for a couple of hours. 

I have a 5506-X at home sending syslog to a free Graylog2 server. The 5506-X only have a "real time" log. 

0 Helpful

nrunge1
Level 1
Level 1
In response to Dennis Perto

‎03-09-2016 05:56 AM

Don't get me wrong. I like the platform. Our partner just did a poor job both in selling us the CX and migrating us to FirePower.

I like it 10x better than the 80/443 appliances we had been using before like WebSense. What I don't like are suprises.

If they would have told us we needed a syslog on day one not only would I have bought Splunk but I probably would have tied it into the services engagement.

Instead I'm moving the consulting to a different partner.

0 Helpful

Dennis Perto
Level 5
Level 5
In response to nrunge1

‎03-09-2016 06:05 AM

I understand.
I'm sure that you will find a way with a partner you can trust. You can always find guidance here at the support forums, or in the Cisco communities. :)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card