Hi everyone. As you know, FirePower produces tons of logs that took up the expensive Splunk licensing. I filtered out a lot of Windows event logs and would like to do the same for FirePower. Any recommendations as to what to filter, such as those that took up lots of space but are not really useful?
What's useful or not really depends on your policy, best way to go about this is to take a couple of weeks of logs and run them through security teams and see what are their requirements.
If there are no requirements then I suggest increasing the syslog facility level for logging and log alerts/warnings only for a start and if that's not enough then go for the other levels as well. FirePower is very flexible for when it comes to logging so you can even do that on a rule base and remove any non-priority subnets from the logging.