Skip to main content



Cisco Defense Orchestrator

Security Analytics and Logging Event Storage

Data Storage Plans 

You need to buy a data plan that reflects the number of events the Cisco cloud receives from your on-boarded FTDs on a daily basis. This is called your "daily ingest rate." You can use the Logging Volume Estimator Tool to estimate your daily ingest rate and as that rate changes you can update your data plan. 

Caution: It is possible to configure your FTD to send events to the Cisco cloud directly and by way of the Secure Event Connector simultaneously. If you do this, the same event will be "ingested" twice and counted against your data plan twice, though it will only be stored in the Cisco cloud once. Be careful to send events to the Cisco cloud using one method or the other to avoid incurring unnecessary fees. 

Data plans are available in 1, 5, 10, 15 or 25 GB daily volumes, and in 1, 3 or 5 year terms. See the Cisco Security Analytics and Logging Ordering Guide for information about data plans.

Note: If you have a Security Analytics and Logging license and data plan, then obtain a different license at a later date, that alone does not require you to obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different Security Analytics and Logging license.

Data Allotment and Data Usage

To see the amount of data you have subscribed to, how much you have used, and how many days you have until the end of the billing period: 

  1. Click the account menu and select Settings.


  1. Click Logging Settings. The logging storage information shows your monthly logging limit, the amount of storage you have used, and when the usage period resets to zero.

Data Retention

Event data is stored for 90 days, regardless of how much data storage you have subscribed to. Each day, the event logs from the 91st day are deleted. 

Requesting Additional Storage Capacity

To request additional storage:

  1. Click the account menu and select Settings.
  2. Click Logging Settings.
  3. Click the link for Request Additional Storage. In the email, include your contact information and tenant name.

What data gets counted against my allotment?

All events sent to the Secure Event Connector accumulate in the Cisco Security Analytics and Logging cloud and count against your data allotment.

Filtering what you see in the Events viewer does not decrease the number of events stored in the Cisco Security Analytics and Logging cloud, it reduces the number of events you can see in the Events viewer.

Your events are stored in the Cisco Security Analytics and Logging cloud for 90 days; after that, they are purged. 

We're using up our storage allotment quickly, what can we do?

Here are two approaches to address that problem:

  • Request more storage. You may have underestimated what you need.
  • Reduce the number of rules that log events. You can log events from SSL policy rules, security intelligence rules, access control rules, as well as intrusion policies and file and malware policies. Examine what you are logging. Do you need to log events from as many rules and policies as you think?