cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1665
Views
5
Helpful
3
Replies

FMC 6.0 down - What happens with the logging?

ruben.omez
Level 1
Level 1

Hi all,

I have following question: What happens with the logs of the sensors when your FMC (Firepower Management Center) is down?

I expect that the sensor stores the logs locally, until the FMC is up again.

If yes, how long can the sensor store these log-files locally? (diskspace, ...)

Is there any document about this? I do not find this kind of information in the release notes or admin-guide...

Thanks.

1 Accepted Solution

Accepted Solutions

yogdhanu
Cisco Employee
Cisco Employee

Hi

If the FMC is down or there is communication issue between sensor and FMC , sensor does store logs locally and tries to send them all together once communication is up.

But yes there is a limit based on different models and  disk space available on them.

Ideally disk space should not cross 85%  of usage and if it does , older events are pruned.

So the bigger device would store more events , then smaller ones.

View solution in original post

3 Replies 3

yogdhanu
Cisco Employee
Cisco Employee

Hi

If the FMC is down or there is communication issue between sensor and FMC , sensor does store logs locally and tries to send them all together once communication is up.

But yes there is a limit based on different models and  disk space available on them.

Ideally disk space should not cross 85%  of usage and if it does , older events are pruned.

So the bigger device would store more events , then smaller ones.

Thanks for your help!

Do you know, is this behavior described in a document?

Sorry Not aware of any such document.

However , you can check this article about troubleshooting disk utilization issues.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118719-technote-firesight-00.html

This does mention of situations where  communication with manager is down and excessive events are being generated and stored.

So in the end the ,limit  depends on available memory of the sensor.

Review Cisco Networking for a $25 gift card