Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1667
Views
5
Helpful
3
Replies

FMC 6.0 down - What happens with the logging?

Go to solution
ruben.omez
Level 1
Level 1

‎05-02-2016 01:53 AM - edited ‎03-10-2019 06:36 AM

Hi all,

I have following question: What happens with the logs of the sensors when your FMC (Firepower Management Center) is down?

I expect that the sensor stores the logs locally, until the FMC is up again.

If yes, how long can the sensor store these log-files locally? (diskspace, ...)

Is there any document about this? I do not find this kind of information in the release notes or admin-guide...

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yogdhanu
Cisco Employee
Cisco Employee

‎05-02-2016 02:02 AM

Hi

If the FMC is down or there is communication issue between sensor and FMC , sensor does store logs locally and tries to send them all together once communication is up.

But yes there is a limit based on different models and  disk space available on them.

Ideally disk space should not cross 85%  of usage and if it does , older events are pruned.

So the bigger device would store more events , then smaller ones.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
yogdhanu
Cisco Employee
Cisco Employee

‎05-02-2016 02:02 AM

Hi

If the FMC is down or there is communication issue between sensor and FMC , sensor does store logs locally and tries to send them all together once communication is up.

But yes there is a limit based on different models and  disk space available on them.

Ideally disk space should not cross 85%  of usage and if it does , older events are pruned.

So the bigger device would store more events , then smaller ones.

0 Helpful

Go to solution
ruben.omez
Level 1
Level 1
In response to yogdhanu

‎05-02-2016 02:38 AM

Thanks for your help!

Do you know, is this behavior described in a document?

0 Helpful

Go to solution
yogdhanu
Cisco Employee
Cisco Employee
In response to ruben.omez

‎05-02-2016 02:51 AM

Sorry Not aware of any such document.

However , you can check this article about troubleshooting disk utilization issues.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118719-technote-firesight-00.html

This does mention of situations where  communication with manager is down and excessive events are being generated and stored.

So in the end the ,limit  depends on available memory of the sensor.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card