Connection Events Appear to Disappear from the FireSIGHT Management Center

Available Languages

Updated:May 20, 2015
Document ID:118012

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to determine the root cause and troubleshoot the issue when connection events disappear from the FireSIGHT Management Center after the system runs for several days. It might happen due to the configuration settings of the management center.

Prerequisites

Requirements

Cisco recommends that you have knowledge of FireSIGHT Management Center.

Components Used

The information in this document is based on these hardware and software versions:

  • FireSIGHT Management Center
  • Software Version 5.2 or later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Troubleshoot

Step 1: Determine the Number of Stored Events

In order to determine the number of Connection Events that are stored on a FireSIGHT Management Center,

  1. Choose Analysis > Connections > Table View of Connection Events.
  2. Expand the Time Window to a wide range that encompasses all current events, for example 12 months.
  3. Note the total number of rows at the bottom of the page. Click the last page and note the time stamp of the last available Connection Event.

This information gives you an idea of how many and how long you are able to retain Connection Events with your current configuration.

Step 2: Determine the Logging Option

Review which connections are being logged, and where in the flow that connections are logged. You should log connections in accordance with the security and compliance needs of your organization. If your goal is to limit the number of events you generate, only enable logging for the rules critical to your analysis. However, if you want a broad view of your network traffic, you can enable logging for additional access control rules or for the default action. You can disable Connection Logging for non-essential traffic in order to help retain Connection Events for a longer period of time.

Tip: In order to optimize performance, Cisco recommends that you log either the beginning or the end of the connection, but not both.

Note: For a single connection, the end-of-connection event contains all of the information in the beginning-of-connection event as well as information that was gathered over the duration of the session. For Trust and Allow rules, it is recommended that End-of-Connection is used.

This chart explains the different logging options available for each Rule Action:

 Rule Action or Logging Option  Log at Beginning  Log at End

 Trust

 Default Action: Trust

  X  X

 Allow

 Default Action: Intrusion

 Default Action: Discovery

  X  X
 Monitor    X (Required)

 Block

 Block with Reset

 Defaut Action: Block

  X  

 Interactive Block

 Interactive Block with Reset

  X  X (If Bypassed)
 Security Intelligence  X  

Step 3: Adjust the Size of the Connection Database

Connection events are pruned dependent upon the Maximum Connection Events setting in the system policy. In order to change the setting:

  1. Choose System > Local > System Policy.
  2. Click the pencil icon in order to edit the currently applied policy.
  3. Choose Database > Connection Database > Maximum Connection Events.
  4. Change the value for Maximum Connection Events.
  5. Click Save Policy and Exit, and then Apply the policy to your appliances.

The maximum amount of Connection Events that can be stored depends on the Management Center model:

Note: The maximum event limit is shared between connection events and Security Intelligence events; the sum of configured maximums for the two events cannot exceed the maximum event limit.

Management Center Model Maximum Number of Events
FS750, DC750 50 million
FS1500, DC1500 100 million
FS2000 300 million
FS3500, DC3500 500 million
FS4000 1 billion
Virtual Appliance 10 million

Caution: An increase in the Database Limits can have an adverse performance impact on the device. In order to improve performance, you should tailor event limits to the number of events you regularly work with.

For widgets that display event counts over a time range, the total number of events might not reflect the number of events for which detailed data is available in the event viewer. This occurs because the system sometimes prunes older event details to manage disk space usage. In order to minimize the occurrence of event detail pruning, you can fine-tune event logging to log only those events most important to your deployment.

Related Information

Revision History

Revision Publish Date Comments
1.0
20-May-2015
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Nazmul Rajib
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products