Cisco Support Community

event monitoring archival

I don't understand how my IPS 4240 handles the storage of events. Right now my oldest event is only several hours old. I can understand the circular logging, but it's hard to believe there's only enough room for a few hours, especially when there appears to be free disk space as noted below, unless I'm looking at the wrong partition.

Disk usage

system is using 17.8M out of 29.0M bytes of available disk space (61% usage)

application-data is using 38.9M out of 166.8M bytes of available disk space (25% usage)

boot is using 37.9M out of 68.6M bytes of available disk space (58% usage)


Re: event monitoring archival

You are not alone; we've complained about this as well but haven't received a satisfactory answer. On a busy sensor, the eventstore can rotate quite quickly, so you are best to get all the data you can off as soon as you can. Turning on verbose alerting will fill it faster, since the eventstore is limited to 30000000 bytes as of 5.1(7).
