
How to Filter FirePower logs to reduce license usage?

smallfry
Explorer

Hi everyone. As you know, FirePower produces tons of logs that take up expensive Splunk licensing. I filtered out a lot of Windows event logs and would like to do the same for FirePower. Any recommendations as to what to filter, such as events that take up lots of space but are not really useful?


douglashurd
Builder

One of our architects here at Cisco tells me that he eliminates DNS requests (Connection Events) from logging and sees a massive reduction.


hughkelley
Path Finder

Are you saying that you eliminate DNS logging from eStreamer only, or that you don't log it at all (in the firewall)? I'm trying to find a way to keep logging it in Firepower but not pull it into Splunk via eStreamer.

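The two replies above (drop DNS connection events, but keep logging them on the Firepower side) can be combined on the Splunk side with an index-time nullQueue filter: Firepower keeps logging everything, and the indexer or heavy forwarder that parses the feed discards the DNS connection events before they are indexed, so they never count against the license. The following props.conf/transforms.conf fragment is an added example, not code from the original thread or from Cisco or Splunk. The sourcetype name `cisco:ftd:syslog` and the regex (FTD connection-event syslog IDs 430002/430003 with a `DstPort: 53` or `DNSQuery:` field) are assumptions about how the events arrive at Splunk; eStreamer/eNcore output is key=value rather than syslog, so the regex has to be adapted to whatever format your input actually produces.

```ini
# props.conf -- deploy on the indexer or heavy forwarder that parses the
# Firepower feed (index-time transforms do not run on a universal forwarder).
# "cisco:ftd:syslog" is an ASSUMED sourcetype name; replace it with the one
# your Firepower/eStreamer input assigns.
[cisco:ftd:syslog]
TRANSFORMS-drop_dns = firepower_drop_dns_connection_events

# transforms.conf -- route matching events to nullQueue so they are dropped
# before indexing and do not consume license. The REGEX is an ASSUMPTION
# about the message layout (FTD connection events 430002/430003 carrying
# "DstPort: 53" or a "DNSQuery:" field); verify it against a sample of your
# own events before deploying.
[firepower_drop_dns_connection_events]
REGEX = %FTD-\d-4300(?:02|03):.*\b(?:DstPort: 53\b|DNSQuery: )
DEST_KEY = queue
FORMAT = nullQueue
```

Before enabling this, measure what it would drop with a search over a representative window (for example `sourcetype=cisco:ftd:syslog "DstPort: 53" | stats count sum(eval(len(_raw)))`) and confirm the security team does not need those events in Splunk for investigations; if they do, routing them to a separate short-retention index is an alternative to discarding them, although only nullQueue removes the license cost entirely. Firepower itself continues to record the events, which is the split hughkelley asked for.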

DavidHourani
Super Champion

Hi @smallfry,

What's useful or not really depends on your policy. The best way to go about this is to take a couple of weeks of logs, run them past the security teams, and see what their requirements are.

If there are no requirements, then I suggest increasing the syslog facility level for logging and logging alerts/warnings only for a start; if that's not enough, then go for the other levels as well. FirePower is very flexible when it comes to logging, so you can even do that on a per-rule basis and remove any non-priority subnets from the logging.

Cheers,
David
