Event definition and capacity calculation

Unanswered Question
Sep 3rd, 2010

Hi,


Due to the implementation of a CSM, there are a couple of things that I need to clarify in order to be sure about the Server requirements.


1. What is the definition of an event in a security device? Is it a violation of rules? Is it a connection failure?


2. How could I possibly know the storage capacity required to handle the events sent by an ASA? Is there a specific size for these logs/packets?


Thanks for your comments.

mirober2 Fri, 09/03/2010 - 12:53
User Badges: Cisco Employee

Hi Douglas,


The events from the ASA are simply the syslogs that are generated by the firewall. However, certain syslogs are "deeply parsed" by CSM to provide additional details. Here is a list of syslogs that are deeply parsed (the rest are displayed as raw syslog data):


http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/evntchap.html#wp191617


As for the storage requirements, this will depend on the amount/level of logs that are generated by your ASA.


Hope that helps.


-Mike

dbarboza27 Fri, 09/03/2010 - 15:20

Hi mirober2,


Thanks for the link,


I found the following reference:



A 2TB disk can store less than eight weeks of events at the rate of 5,000 events/sec. with an average size of 250 bytes compressed per event.


I will use this info to define the server to install the CSM.


Regards
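
Added example, not part of the original thread or of Cisco's documentation: a Python sketch of the sizing question discussed above. It measures event rate and raw size from a captured sample of ASA syslogs at different logging levels, then projects disk retention using the figures quoted in the thread. The sample lines are constructed, the function names are hypothetical, and the timestamped syslog format is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines in ASA syslog style (timestamps enabled); not from the thread.
SAMPLE = """\
Sep 03 2010 12:53:01: %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51514 (203.0.113.2/51514)
Sep 03 2010 12:53:01: %ASA-4-106023: Deny tcp src outside:198.51.100.9/4431 dst inside:10.0.0.8/22 by access-group "outside_in" [0x0, 0x0]
Sep 03 2010 12:53:02: %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/51514 duration 0:00:01 bytes 5120 TCP FINs
Sep 03 2010 12:53:04: %ASA-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:10.0.0.8/53 by access-group "outside_in" [0x0, 0x0]
Sep 03 2010 12:53:05: %ASA-7-609001: Built local-host inside:10.0.0.5
"""

# Assumed line layout: "<timestamp>: %ASA-<severity>-<message id>: <text>"
LINE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(\d)-(\d{6}): ")

def parse_events(text):
    """Return (timestamp, severity, message_id, raw_size_bytes) per syslog line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # skip anything that is not an ASA syslog line
            ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3), len(line.encode())))
    return events

def profile(events, max_level=7):
    """Events/sec and mean raw size for severities 0..max_level (the logging level)."""
    kept = [e for e in events if e[1] <= max_level]
    if not kept:
        return 0.0, 0.0
    # Rate is measured over the whole capture window, not only the kept events.
    span = (max(e[0] for e in events) - min(e[0] for e in events)).total_seconds() or 1.0
    return len(kept) / span, sum(e[3] for e in kept) / len(kept)

def retention_days(disk_bytes, events_per_sec, stored_bytes_per_event):
    """Days of events a disk holds at a steady rate and stored (e.g. compressed) size."""
    return disk_bytes / (events_per_sec * stored_bytes_per_event) / 86400

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for level in (7, 6, 4):  # debugging, informational, warnings
        eps, size = profile(evs, level)
        print(f"level {level}: {eps:.2f} events/sec, {size:.0f} bytes/event raw")
    # Figures quoted in the thread: 2 TB disk, 5,000 events/sec, 250 bytes compressed.
    print(f"{retention_days(2e12, 5000, 250):.1f} days of retention")
```

For a real estimate, replace `SAMPLE` with a capture taken during peak traffic and pass the stored (compressed) size per event rather than the raw size.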
