Logging events via third party

Under the ACP logging menu, if you have the syslog alert variable set, does that mean that in addition to sending the same event logs to the FMC, it also sends the same syslog to whatever server you configure?

If so, what syslog servers do you guys use that provide the same functionality as the FMC, where you can search based on items such as source IP and block reason?

I find the FMC is nice for the short term but doesn't retain data long enough. Could it be that the FMC needs to be reconfigured to retain more data?

3 Replies
Hall of Fame Guru

Customers who require extended log retention typically use something like Splunk ($$$) or, if they have some time to set up an open source solution, something like Graylog or the ELK stack.

Another option is to switch over to CDO management and use Cisco's recently-introduced Security Analytics and Logging (SAL) service. It retains 90 days of events and pricing is based on volume.


Thanks. Does the logging still get sent to the FMC if external syslog is configured, or does that override the FMC? How can I ensure my FMC is configured to its maximum potential for storing logging data and retention period?


Logging will still be sent to FMC as long as your rule entries have the selection for "event viewer" in their logging setting:

[Image: ACP Rule logging settings.PNG]

By default the system divides the available database storage space to favor security-related logs over pure connection events. You can see the settings as follows:

[Image: System database settings.PNG]

Each FMC platform has different capacity to store logs. The data sheets list that specification.
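The original question asks for a way to search externally shipped syslog by source IP and block reason. The following is an added example, not code from the thread or from Cisco: it parses lines written in the style of FTD unified connection-event syslog (message ID 430003, "Key: Value" pairs) and filters them by SrcIP and AccessControlRuleAction. The sample lines are constructed, and the field names are assumed from that format rather than taken from the posts.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of FTD unified connection-event syslog
# (message ID 430003). Field names are assumed; the last line is a classic
# ASA-style 302013 message that the parser should skip.
SAMPLE_SYSLOG = """\
<134>Jan 10 12:00:01 ftd01 %FTD-6-430003: AccessControlRuleAction: Block, AccessControlRuleName: Deny-Outbound-Telnet, SrcIP: 10.1.1.20, DstIP: 203.0.113.5, SrcPort: 51000, DstPort: 23, Protocol: tcp
<134>Jan 10 12:00:02 ftd01 %FTD-6-430003: AccessControlRuleAction: Allow, AccessControlRuleName: Web-Out, SrcIP: 10.1.1.20, DstIP: 198.51.100.7, SrcPort: 51001, DstPort: 443, Protocol: tcp
<134>Jan 10 12:00:03 ftd01 %FTD-6-430003: AccessControlRuleAction: Block, AccessControlRuleName: Block-Malware-Sites, SrcIP: 10.1.1.45, DstIP: 192.0.2.9, SrcPort: 40000, DstPort: 80, Protocol: tcp, URLCategory: Malware Sites
<134>Jan 10 12:00:04 ftd01 %FTD-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 to inside:10.1.1.20/51002
"""

HEADER = re.compile(r"%FTD-\d-(?P<msgid>\d+):\s*(?P<body>.*)$")

def parse_event(line):
    """Return a dict of fields for a unified (Key: Value) FTD connection event, else None."""
    m = HEADER.search(line)
    if not m or m.group("msgid") != "430003":
        return None
    fields = {}
    # Assumes values contain no ", " themselves (true for the constructed samples).
    for part in m.group("body").split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def search(lines, src_ip=None, action=None):
    """Filter parsed events by source IP and/or access-control action."""
    hits = []
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if src_ip and ev.get("SrcIP") != src_ip:
            continue
        if action and ev.get("AccessControlRuleAction") != action:
            continue
        hits.append(ev)
    return hits

def block_reasons(lines):
    """Count blocked connections per rule name, i.e. the 'block reason'."""
    counts = defaultdict(int)
    for ev in search(lines, action="Block"):
        counts[ev.get("AccessControlRuleName", "?")] += 1
    return dict(counts)

if __name__ == "__main__":
    for ev in search(SAMPLE_SYSLOG, src_ip="10.1.1.20", action="Block"):
        print(ev["SrcIP"], ev["DstIP"], ev["DstPort"], ev["AccessControlRuleName"])
    print(block_reasons(SAMPLE_SYSLOG))
```

The same split-and-filter logic is what a Graylog extractor or Splunk field extraction would do at ingest time, which is what makes the stored events searchable by those fields later.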
