Event definition and capacity calculation

Unanswered Question
Sep 3rd, 2010


Due to the implementation of a CSM, there are a couple of things that I need to clarify in order to be sure about the Server requirements.

1. What is the definition of an event in a security device? Is it a violation of rules? Is it a connection failure?

2. How could I possibly know the storage capacity required to handle the events sent by an ASA? Is there a specific size for these logs/packets?

Thanks for your comments.

Overall Rating: 4 (1 ratings)
mirober2 Fri, 09/03/2010 - 12:53

Hi Douglas,

The events from the ASA are simply the syslogs that are generated by the firewall. However, certain syslogs are "deeply parsed" by CSM to provide additional details. Here is a list of syslogs that are deeply parsed (the rest are displayed as raw syslog data):


As for the storage requirements, this will depend on the amount/level of logs that are generated by your ASA.

Hope that helps.


dbarboza27 Fri, 09/03/2010 - 15:20

Hi mirober2,

Thanks for the link,

I found the following reference:

A 2TB disk can store less than eight weeks of events at the rate of 5,000 events/sec. with an average size of 250 bytes compressed per event.

I will use this info to define the server to install the CSM.
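The sizing approach discussed in this thread (event rate times stored size per event, with the result depending on the ASA logging level) can be worked through on a log sample. The following is an added example, not part of the original posts and not Cisco or CSM code; the sample lines are constructed, and the `compression` ratio and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout an ASA emits with "logging timestamp" enabled.
SAMPLE = """\
Sep 03 2010 12:53:00: %ASA-6-302013: Built outbound TCP connection 101 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51000 (203.0.113.2/51000)
Sep 03 2010 12:53:00: %ASA-4-106023: Deny tcp src outside:198.51.100.9/4000 dst inside:10.0.0.8/23 by access-group "outside_in" [0x0, 0x0]
Sep 03 2010 12:53:01: %ASA-6-302014: Teardown TCP connection 101 for outside:198.51.100.7/443 to inside:10.0.0.5/51000 duration 0:00:01 bytes 4312 TCP FINs
Sep 03 2010 12:53:01: %ASA-5-111008: User 'admin' executed the 'show logging' command.
Sep 03 2010 12:53:02: %ASA-6-302013: Built outbound TCP connection 102 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.6/51001 (203.0.113.2/51001)
Sep 03 2010 12:53:02: %ASA-4-106023: Deny udp src outside:198.51.100.9/5000 dst inside:10.0.0.8/161 by access-group "outside_in" [0x0, 0x0]
"""

HEADER = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(\d)-(\d{6}): ")

def profile(text):
    """Return (events_per_sec, {severity: [count, total_bytes]}) for a syslog sample."""
    per_sev, stamps = defaultdict(lambda: [0, 0]), []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an ASA syslog line; ignore it
        stamps.append(datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"))
        per_sev[int(m.group(2))][0] += 1
        per_sev[int(m.group(2))][1] += len(line.encode()) + 1  # +1 for the newline
    if not stamps:
        raise ValueError("no ASA syslog lines found in sample")
    span = max((max(stamps) - min(stamps)).total_seconds(), 1.0)
    return len(stamps) / span, dict(per_sev)

def retention_days(disk_bytes, eps, bytes_per_event):
    """Days of events a disk holds at a steady rate and average stored size."""
    return disk_bytes / (eps * bytes_per_event * 86400)

def retention_by_level(text, disk_bytes, peak_eps, compression=1.0):
    """Retention per logging level (severities <= level kept), sample mix scaled to peak_eps."""
    _, per_sev = profile(text)
    total = sum(c for c, _ in per_sev.values())
    out = {}
    for level in sorted(per_sev):
        count = sum(c for s, (c, _) in per_sev.items() if s <= level)
        size = sum(b for s, (_, b) in per_sev.items() if s <= level)
        out[level] = retention_days(disk_bytes, peak_eps * count / total, size / count * compression)
    return out

if __name__ == "__main__":
    for level, days in retention_by_level(SAMPLE, 2e12, 5000).items():
        print(f"logging level {level}: {days:.1f} days on a 2 TB disk at 5,000 events/sec total")
```

Run it against a capture from the real firewall taken during a busy period, since both the severity mix and the average line length vary by deployment.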