Solved: Re: FMC/FTD External logging

benolyndav · ‎11-30-2020

HI

We have FTD in HA pair and was wondering does anyone have any ideas on how to calculate how much external logging storage we require.??

Thanks

Karsten Iwen · ‎11-30-2020

The most imnportant question is what you want to log. Logging intrusion events will probably be much less than connection events. And with connection events, do you want to log everything or only "important" events? And how much of these events do you have? A 5506 moving 50 MBit/s is probably less loggin intense than the the fully equippped Firepower9300 moving 150 GBit/s of traffic.

I would set up a simple linux box with a syslog server and just look at the amount of data that arrives there. Even if you won't use syslog and for example you move to estreamer on Splunk, it will give you a rough estimation.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

Karsten Iwen · ‎11-30-2020

The most imnportant question is what you want to log. Logging intrusion events will probably be much less than connection events. And with connection events, do you want to log everything or only "important" events? And how much of these events do you have? A 5506 moving 50 MBit/s is probably less loggin intense than the the fully equippped Firepower9300 moving 150 GBit/s of traffic.

I would set up a simple linux box with a syslog server and just look at the amount of data that arrives there. Even if you won't use syslog and for example you move to estreamer on Splunk, it will give you a rough estimation.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.