Event definition and capacity calculation

Unanswered Question
Sep 3rd, 2010

Hi,


Due to the implementation of a CSM, there are a couple of things that I need to clarify in order to be sure about the Server requirements.


1. What is the definition of an event in a security device? Is it a violation of rules? Is it a connection failure?


2. How could I possibly know the storage capacity required to handle the events sent by an ASA? Is there a specific size for these logs/packets?


Thanks for your comments.

mirober2 Fri, 09/03/2010 - 12:53

Hi Douglas,


The events from the ASA are simply the syslogs that are generated by the firewall. However, certain syslogs are "deeply parsed" by CSM to provide additional details. Here is a list of syslogs that are deeply parsed (the rest are displayed as raw syslog data):


http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/evntchap.html#wp191617


As for the storage requirements, this will depend on the amount/level of logs that are generated by your ASA.


Hope that helps.


-Mike

dbarboza27 Fri, 09/03/2010 - 15:20

Hi mirober2,


Thanks for the link,


I found the following reference:



A 2TB disk can store less than eight weeks of events at the rate of 5,000 events/sec. with an average size of 250 bytes compressed per event.


I will use this info to define the server to install the CSM.


Regards
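As an added worked example (not part of the original thread), the sizing rule quoted above turned into a small calculator: it derives events/sec and average event size from a captured syslog sample, then converts disk size into retention days and back. The sample lines, the 0.8 usable-fraction headroom and the compression ratio are assumptions, not figures from the thread.

```python
"""Storage sizing for a CSM/ASA syslog collector (added example, not from
the original thread). The thread's figures: 5,000 events/sec, 250 bytes
compressed per event, 2 TB disk."""

SECONDS_PER_DAY = 86_400
TB = 10**12  # decimal terabyte, as disk vendors quote capacity

# Constructed sample of ASA syslog lines (documentation IP ranges), used only
# to illustrate measuring rate and size; not real captured traffic.
SAMPLE_SYSLOGS = [
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/443 "
    "(192.0.2.10/443) to inside:10.0.0.5/51234 (203.0.113.1/51234)",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:192.0.2.10/443 "
    "to inside:10.0.0.5/51234 duration 0:00:02 bytes 4210 TCP FINs",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:10.0.0.5/22 '
    'by access-group "outside_in"',
]


def measure_sample(lines, window_seconds, compression_ratio=1.0):
    """Return (events_per_sec, avg_stored_bytes) for a sample of syslog lines
    captured over window_seconds. compression_ratio = stored/raw (assumed)."""
    if not lines or window_seconds <= 0:
        raise ValueError("need at least one line and a positive window")
    total = sum(len(line.encode("utf-8")) for line in lines)
    return len(lines) / window_seconds, total / len(lines) * compression_ratio


def daily_volume_bytes(events_per_sec, avg_event_bytes):
    """Bytes written per day at a steady event rate."""
    return events_per_sec * avg_event_bytes * SECONDS_PER_DAY


def retention_days(disk_bytes, events_per_sec, avg_event_bytes, usable_fraction=0.8):
    """Days of events a disk holds; usable_fraction reserves headroom for the
    OS, database indexes and growth (0.8 is an assumed default)."""
    if not 0 < usable_fraction <= 1:
        raise ValueError("usable_fraction must be in (0, 1]")
    return disk_bytes * usable_fraction / daily_volume_bytes(events_per_sec, avg_event_bytes)


def disk_bytes_for(retention_target_days, events_per_sec, avg_event_bytes, usable_fraction=0.8):
    """Disk size needed to keep events for retention_target_days."""
    return daily_volume_bytes(events_per_sec, avg_event_bytes) * retention_target_days / usable_fraction


if __name__ == "__main__":
    eps, avg = measure_sample(SAMPLE_SYSLOGS, window_seconds=1.0, compression_ratio=0.5)
    print(f"sample: {eps:.0f} events/sec, {avg:.0f} bytes/event stored")
    print(f"2 TB at 5000 eps x 250 B: {retention_days(2 * TB, 5000, 250, 1.0):.1f} days")
    print(f"8 weeks at that rate needs {disk_bytes_for(56, 5000, 250, 1.0) / TB:.2f} TB")
```

At the thread's own figures the raw number works out to roughly 18.5 days on 2 TB, which is why the document only promises "less than eight weeks".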
