Cisco Defense Orchestrator

Security Analytics and Logging Event Storage

Data Storage Plans 

In addition to a Cisco Security Analytics and Logging license, you need to buy a data plan that reflects the amount of event storage you expect to consume on a daily basis. The events from your onboarded FTD devices are stored in the Cisco Security Analytics and Logging cloud. As your data needs change, you can update your data plan. You can use the Logging Volume Estimator Tool to estimate your traffic and purchase a data plan based on that level of traffic.

If you exceed your data plan, Cisco bills you after the end of the monthly billing period for the overage.

Data Allotment and Data Usage

To see the amount of data you have subscribed to, how much you have used, and how many days you have until the end of the billing period: 

  1. Click the account menu and select Settings.
  2. Click Logging Settings. The logging storage information shows your monthly logging limit, the amount of storage you have used, and when the usage period resets to zero.

Data Retention

Event data is stored for 90 days, regardless of how much data storage you have subscribed to. Each day, the event logs from the 91st day are deleted. 

Requesting Additional Storage Capacity

To request additional storage:

  1. Click the account menu and select Settings.
  2. Click Logging Settings.
  3. Click the link for Request Additional Storage. In the email, include your contact information and tenant name.

What data gets counted against my allotment?

All events sent to the Secure Event Connector accumulate in the Cisco Security Analytics and Logging cloud and count against your data allotment.

Filtering what you see in the Events viewer does not decrease the number of events stored in the Cisco Security Analytics and Logging cloud; it only reduces the number of events you can see in the Events viewer.

Your events are stored in the Cisco Security Analytics and Logging cloud for 90 days; after that, they are purged. 

We're using up our storage allotment quickly. What can we do?

Here are two approaches to address that problem:

  • Request more storage. You may have underestimated what you need.
  • Reduce the number of rules that log events. You can log events from SSL policy rules, security intelligence rules, access control rules, as well as intrusion policies and file and malware policies. Examine what you are logging. Do you need to log events from as many rules and policies as you think?