Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5521
Views
15
Helpful
3
Replies

Reporting for firepower and log retention

Go to solution
marine253
Level 1
Level 1

‎08-22-2018 10:03 PM - edited ‎03-12-2019 06:54 AM

Hello , 

My customer is planning to purchase 2 Cisco Firepower 4120 with IPS. 

 

I got confused regarding logging/reporting. We need to store logs for 1 year because of compliance.

 

We need reporting for the firepower ( IPS,firewall -Allow/Deny,Malware etc..).

 

Is the Firepower management center enough for the above? Or is another product required?

 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mikael Gustafsson
Level 5
Level 5

‎08-22-2018 11:17 PM

You get reports from the FMC, you set up the report you need and the FMC will generate that. 

 

But as firewalls generate a lot of log I would recommend to send it of to a syslog server for storage. FMC is not really suitable for log storage over time.

 

Plus side with sending syslog to a log server is that if you use for example spunk it is easier to correlate with other products that would send logs there as well. 

 

HTH

View solution in original post

3 Replies 3

Go to solution
Mikael Gustafsson
Level 5
Level 5

‎08-22-2018 11:17 PM

You get reports from the FMC, you set up the report you need and the FMC will generate that. 

 

But as firewalls generate a lot of log I would recommend to send it of to a syslog server for storage. FMC is not really suitable for log storage over time.

 

Plus side with sending syslog to a log server is that if you use for example spunk it is easier to correlate with other products that would send logs there as well. 

 

HTH

Go to solution
marine253
Level 1
Level 1
In response to Mikael Gustafsson

‎08-23-2018 05:27 AM

thanks. Will look into the syslog option too.

0 Helpful

Go to solution
AlexPi
Level 1
Level 1

‎08-23-2018 02:21 AM - edited ‎08-23-2018 02:22 AM

As far as I am aware you cannot add within a time frame how long back the logs go, you can specify by number of events, per type. Also the local database is limited as to how many events per type it can hold, depending on the device: 
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118012-troubleshoot-firesight-00.html

https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-801...

 

Note that if you go close to the limits or surpass them it can cause the FMC to slow down as well, in some cases.

 

Ideally you would want to use an external database and a third party logging tool (Splunk, etc.).

 

Hope this helps.

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card