Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17534
Views
5
Helpful
6
Replies

FMC - Limit of Events

Go to solution
crusier2015
Level 1
Level 1

‎05-12-2016 06:30 PM - edited ‎02-21-2020 05:49 AM

Hi,

As guide of FMC 6, the limit of events is 10 milion (on Virtual Management Center) of rows, so when this limit is reached FMC start the pruning of database, and clear the older rows.

Is there anyway to increase this limit?

TKs

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jetsy Mathew
Cisco Employee
Cisco Employee
In response to crusier2015

‎08-07-2016 10:53 PM

Hello Team,

For the Virtual applance, the maximum limit is 10 million.An increase in the Database Limits can have an adverse performance impact on the device. In order to improve performance, you should tail or event limits to the number of events you regularly work with.For widgets that display event counts over a time range, the total number of events might not reflect the number of events for which detailed data is available in the event viewer. This occurs because the system sometimes prunes older event details to manage disk space usage. In order to minimize the occurrence of event detail pruning, you can fine-tune event logging to log only those events most important to your deployment. For all kind of events, once its reaches the limit the pruner service will be active and it will start pruning the events.

Helpful ink :-

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-8018593

Rate and mark correct if  the post helps you

Regards

Jetsy 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎05-12-2016 09:00 PM

Hi ,

You cannot increase this limit , this is the maximum limit . Though you can play around the values under : System >Local>Configuration>Database, 10 million is the maximum limit for connection + SI + malware etc , you can change the values accordingly.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Go to solution
crusier2015
Level 1
Level 1
In response to Aastha Bhardwaj

‎08-06-2016 02:41 PM

Hi, 

I set my fmc to 9 million of rows for connections events. The limit was reached now is around 10 million of rows, and what will happing? The fmc will clear all database , or it will clear the older rows until reach the 9million again?

tks

0 Helpful

Go to solution
Pujita Patni
Cisco Employee
Cisco Employee
In response to crusier2015

‎08-06-2016 03:12 PM

Hi,

The FMC will clear the older rows as it gets new data in the database limit.

It will not clear the entire database.

Thanks,

Pujita

Rate if it helps !

0 Helpful

Go to solution
crusier2015
Level 1
Level 1
In response to Pujita Patni

‎08-06-2016 07:34 PM

HI,

In this momment the events  is  showing exactly 10.335.431 rows, if  I undertood correctly the FMC dont clear this count , correct? This mean that fmc clear rows from database but dont clear the counts?

Another point, yesterday when fmc was reached the limit (9 million), fmc was not showing any events, only after 12 hours fmc back to show old and current events. Is it normal?

Tks

0 Helpful

Go to solution
Jetsy Mathew
Cisco Employee
Cisco Employee
In response to crusier2015

‎08-07-2016 10:53 PM

Hello Team,

For the Virtual applance, the maximum limit is 10 million.An increase in the Database Limits can have an adverse performance impact on the device. In order to improve performance, you should tail or event limits to the number of events you regularly work with.For widgets that display event counts over a time range, the total number of events might not reflect the number of events for which detailed data is available in the event viewer. This occurs because the system sometimes prunes older event details to manage disk space usage. In order to minimize the occurrence of event detail pruning, you can fine-tune event logging to log only those events most important to your deployment. For all kind of events, once its reaches the limit the pruner service will be active and it will start pruning the events.

Helpful ink :-

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-8018593

Rate and mark correct if  the post helps you

Regards

Jetsy 

0 Helpful

Go to solution
evan.chadwick1
Level 1
Level 1
In response to crusier2015

‎08-15-2016 05:21 PM

How does your gui perform with 9 million setting? 

I've only gone for 3.5 million on my FMC 4000.

To get more out of your database you can apply rules to not log certain flows. For eg when you log an flow for outbound internet http request, you'll also log a separate flow fro the reply. Do you need this?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card