Skip to main content



Cisco Defense Orchestrator

Security Analytics and Logging Event Storage

Data Storage Plans 

You need to buy a data storage plan that reflects the number of events the Cisco cloud receives from your on-boarded ASAs and FTDs on a daily basis. This is called your "daily ingest rate." Data plans are available in whole number amounts of GB/day and in 1, 3 or 5 year terms. The best way to determine your ingest rate is to participate in a free trial of Cisco Security Analytics and Logging (SaaS) before you buy it. This will give you a good estimate of your event volume. 

Customers automatically receive 90 days of rolling data storage. That means that the most recent 90 days of events are stored in the Cisco cloud and the 91st day is deleted.

Customers can upgrade to additional event retention beyond the default 90-days, or add additional daily volume (GB/day) by a change order to an existing subscription, and will only be billed for the remainder of their subscription term on a prorated basis.

See the Cisco Security Analytics and Logging Ordering Guide for all the details about data plans.

Note: If you have a Security Analytics and Logging license and data plan, then obtain a different Security Analytics and Logging license at a later date, you are not required obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different Security Analytics and Logging license.

What data gets counted against my allotment?

All events sent to the Secure Event Connector accumulate in the Cisco Security Analytics and Logging (SaaS) cloud and count against your data allotment.

Filtering what you see in the Events viewer does not decrease the number of events stored in the Cisco Security Analytics and Logging (SaaS) cloud, it reduces the number of events you can see in the Events viewer.

Your events are stored in the Cisco Security Analytics and Logging (SaaS) cloud for 90 days; after that, they are purged. 

We're using up our storage allotment quickly, what can we do?

Here are two approaches to address that problem:

  • Request more storage. You may have underestimated what you need.
  • Reduce the number of rules that log events. You can log events from SSL policy rules, security intelligence rules, access control rules, as well as intrusion policies and file and malware policies. Examine what you are logging. Do you need to log events from as many rules and policies as you think?