Solved: FMC - Limit of Events

crusier2015 · ‎05-12-2016

Hi,

As guide of FMC 6, the limit of events is 10 milion (on Virtual Management Center) of rows, so when this limit is reached FMC start the pruning of database, and clear the older rows.

Is there anyway to increase this limit?

TKs

Jetsy Mathew · ‎08-07-2016

Hello Team,

For the Virtual applance, the maximum limit is 10 million.An increase in the Database Limits can have an adverse performance impact on the device. In order to improve performance, you should tail or event limits to the number of events you regularly work with.For widgets that display event counts over a time range, the total number of events might not reflect the number of events for which detailed data is available in the event viewer. This occurs because the system sometimes prunes older event details to manage disk space usage. In order to minimize the occurrence of event detail pruning, you can fine-tune event logging to log only those events most important to your deployment. For all kind of events, once its reaches the limit the pruner service will be active and it will start pruning the events.

Helpful ink :-

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-8018593

Rate and mark correct if the post helps you

Regards

Jetsy

View solution in original post

Aastha Bhardwaj · ‎05-12-2016

Hi ,

You cannot increase this limit , this is the maximum limit . Though you can play around the values under : System >Local>Configuration>Database, 10 million is the maximum limit for connection + SI + malware etc , you can change the values accordingly.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

crusier2015 · ‎08-06-2016

Hi,

I set my fmc to 9 million of rows for connections events. The limit was reached now is around 10 million of rows, and what will happing? The fmc will clear all database , or it will clear the older rows until reach the 9million again?

tks

Pujita Patni · ‎08-06-2016

Hi,

The FMC will clear the older rows as it gets new data in the database limit.

It will not clear the entire database.

Thanks,

Pujita

Rate if it helps !

crusier2015 · ‎08-06-2016

HI,

In this momment the events is showing exactly 10.335.431 rows, if I undertood correctly the FMC dont clear this count , correct? This mean that fmc clear rows from database but dont clear the counts?

Another point, yesterday when fmc was reached the limit (9 million), fmc was not showing any events, only after 12 hours fmc back to show old and current events. Is it normal?

Tks

Jetsy Mathew · ‎08-07-2016

Hello Team,

For the Virtual applance, the maximum limit is 10 million.An increase in the Database Limits can have an adverse performance impact on the device. In order to improve performance, you should tail or event limits to the number of events you regularly work with.For widgets that display event counts over a time range, the total number of events might not reflect the number of events for which detailed data is available in the event viewer. This occurs because the system sometimes prunes older event details to manage disk space usage. In order to minimize the occurrence of event detail pruning, you can fine-tune event logging to log only those events most important to your deployment. For all kind of events, once its reaches the limit the pruner service will be active and it will start pruning the events.

Helpful ink :-

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-8018593

Rate and mark correct if the post helps you

Regards

Jetsy

evan.chadwick1 · ‎08-15-2016

How does your gui perform with 9 million setting?

I've only gone for 3.5 million on my FMC 4000.

To get more out of your database you can apply rules to not log certain flows. For eg when you log an flow for outbound internet http request, you'll also log a separate flow fro the reply. Do you need this?