Log Rotation For Cisco FMC

Secure_M10
Level 1

Hi,

I want to check the current log rotation for my FMC and how I can change it if required.

In other words, I need to understand the period for which FMC is retaining logs for the logical devices.

Thanks

Accepted Solutions

When we discuss "logs" in FMC we are generally speaking about what is called events in Firepower nomenclature. FMC does not have a time period after which events are deleted - rather it has a configurable set of event categories that are retained by total number of events, up to the platform maximum. You can see the number in your FMC under System > Configuration > Database as shown below.

 

The total number of events for all categories varies by platform and can be seen in the FMC product data sheet. They used to publish the number of events and now they just publish the overall database size. For an FMCv, the total is around 10 million events cumulative.

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html

 

 

[Image: FMC Events database settings.PNG]

9 Replies

balaji.bandi
Hall of Fame

Here is the logging config:

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

 

The box will overwrite once the size is reached; instead you can offload to syslog and retain them as long as you want (depends on disk space available on syslog).

 

BB


Thanks for the link, but I am looking for the configuration/view for FMC logs. I want to understand for how long FMC retains these logs without offloading to syslog.


Thank you Marvin, I was looking for this particular data only.
So if I understand this correctly, data pruning will start once the connection events or any type of events such as IPS, File collectively reach above 10 million.
Also, in the data sheet, 10 million is mentioned against IPS events only and the event storage space is mentioned as 250 GB, so does this still mean that the cumulative 10 million will be given preference even if the event size is below 250 GB?

The limits configured in the FMC screen I showed are the governing ones regarding pruning. When the number of events in a given category exceeds the configured limit, FMC will begin deleting the oldest events in order to ingest newest ones.

The numbers in the data sheet regarding database size in GB are more for relative capacity comparison.

 

Hi Marvin,

Is 10 million events the events per second, or the total irrespective of minutes/hours/days?

Those are number of events.

There is a separate limit for events per second (EPS) - the limit is published in the product data sheet. The EPS over time can be seen in the FMC health monitor on newer releases.

As per the datasheet, FMCv stores up to 10 million logs. Is it EPS or the total events it can store? PFA a snapshot; are the figures entered here EPS or the total it can bear?

The numbers in the database settings are events per particular type. The default values add up to almost the total number of events supported for the entire database (10 million).

An FMCv supports an ingest rate of approximately 5000 events per second.
