How to Filter FirePower logs to reduce license usa...

smallfry · ‎05-02-2019

Hi everyone. As you know, FirePower produces tons of logs that took up the expensive Splunk licensing. I filtered out a lot of Windows event logs and would like to do the same for FirePower. Any recommendations as to what to filter, such as those that took up lots of space but are not really useful?

douglashurd · ‎05-22-2019

One of our architects here in Cisco tells me that he eliminates DNS requests (Connection Events) from logging and sees a massive reduction.

hughkelley · ‎09-15-2023

Are you saying that you eliminate DNS logging from eStreamer only or that you don't log it at all (in the firewall)? I'm trying to find a way to keep logging it in Firepower but not pulling it into Splunk via eStreamer.

DavidHourani · ‎05-03-2019

Hi @smallfry,

What's useful or not really depends on your policy, best way to go about this is to take a couple of weeks of logs and run them through security teams and see what are their requirements.

If there are no requirements then I suggest increasing the syslog facility level for logging and log alerts/warnings only for a start and if that's not enough then go for the other levels as well. FirePower is very flexible for when it comes to logging so you can even do that on a rule base and remove any non-priority subnets from the logging.

Cheers,
David

How to Filter FirePower logs to reduce license usage?

configuration

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?