Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7529
Views
1
Helpful
9
Replies

Log Rotation For Cisco FMC

Go to solution
Secure_M10
Level 1
Level 1

‎05-04-2020 05:08 AM

Hi,

 

I want to check the current log rotation for my FMC & how can i change it if required. 

In other words i need to understand the period for which FMC is retaining logs for the logical devices.

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Secure_M10

‎05-04-2020 07:13 AM

When we discuss "logs" in FMC we are generally speaking about what is called events in Firepower nomenclature. FMC does not have a time period after which events are deleted - rather it has a configurable set of event categories that are retained by total number of events, up to the platform maximum. you can see the number in your FMC under System > Configuration> Database as shown below.

 

The total number of events for all categories varies by platform and can be seen in the FMC product data sheet. They used to publish the number of events and now they just publish the overall database size. For an FMCv, the total is around 10 million events cumulative.

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html

 

 

FMC Events database settings.PNG

View solution in original post

0 Helpful
9 Replies 9

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-04-2020 06:14 AM

here is Logging config :

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

 

box will overwrite once the size reaches, instead you can offload to syslog and retain them as long as you want (depends on disk space available on syslog)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Secure_M10
Level 1
Level 1
In response to balaji.bandi

‎05-04-2020 06:52 AM

Thanks for the link but i am looking for the configuration/view for FMC logs.. ... i want to understand for how long FMC retains these logs without offloading to syslog
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Secure_M10

‎05-04-2020 07:13 AM

When we discuss "logs" in FMC we are generally speaking about what is called events in Firepower nomenclature. FMC does not have a time period after which events are deleted - rather it has a configurable set of event categories that are retained by total number of events, up to the platform maximum. you can see the number in your FMC under System > Configuration> Database as shown below.

 

The total number of events for all categories varies by platform and can be seen in the FMC product data sheet. They used to publish the number of events and now they just publish the overall database size. For an FMCv, the total is around 10 million events cumulative.

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html

 

 

FMC Events database settings.PNG

0 Helpful

Go to solution
Secure_M10
Level 1
Level 1
In response to Marvin Rhoads

‎05-04-2020 08:34 AM

Thank You Marvin... i was looking for this particular data only
so if i understand this correctly.. data pruning will start once the connection events or any type of events such as IPS, File collectively reach above 10 million..
Also, In the data sheet .. 10 million is mentioned against IPS Events only and the event storage space is mentioned as 250 GB ..so does this still mean that cumulative 10 million will be given preference even if the event size is below 250GB ?
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Secure_M10

‎05-04-2020 09:24 AM

The limits configured in the FMC screen I showed are the governing ones regarding pruning. When the number of events in a given category exceeds the configured limit, FMC will begin deleting the oldest events in order to ingest newest ones.

The numbers in the data sheet regarding database size in GB are more for relative capacity comparison.

 

0 Helpful

Go to solution
Vishal6
Level 1
Level 1
In response to Marvin Rhoads

‎05-30-2024 11:42 PM

Hi marvin,

10 million events is events per second or total of any irresopective min/hours/days

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Vishal6

‎05-31-2024 06:19 AM

Those are number or events.

There is a separate limit for events per second (EPS) - the limit is published in the product data sheet. The EPS over time can be seen in the FMC health monitor on newer releases.

0 Helpful

Go to solution
Vishal6
Level 1
Level 1
In response to Marvin Rhoads

‎05-31-2024 06:37 AM

As per datasheet fmcv stores upto 10 million logs. It is eps or total events it can stored. PFA snapshot where figures enters here it is eps or total it can bear 

Preview file
500 KB
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Vishal6

‎05-31-2024 06:57 AM

The numbers in the database settings are events per particular type. The default values add up to almost the total number of events supported for the entire database (10 million).

An FMCv supports an ingest rate of approximately 5000 events per second.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card