Frequently Asked Questions About Security Analytics and Logging License

Which data gets counted against my Security Analytics and Logging allotment?

All events sent to the Cisco cloud directly or to the Secure Event Connector accumulate in Security Analytics and Logging and count against your data allotment.

Filtering the events viewer does not decrease the number of stored events in Security Analytics and Logging. It only reduces the number of events visible to you in the events viewer.

We're using up our storage allotment quickly. What should I do?

Here are two approaches to address that problem:

  • Request more storage.

  • Consider reducing the number of rules that log events. You can log events from SSL policy rules, security intelligence rules, access control rules, intrusion policies, and file and malware policies. Review what you are currently logging to determine if it is necessary to log events from all of the rules and policies that you have configured.

What happens to my data if my Security Analytics and Logging license expires?

If your paid Security Analytics and Logging license expires, event ingestion from your firewalls stops immediately. However, your existing data remains accessible in the Security Analytics and Logging cloud for a 180-day grace period. If you renew your paid license during this grace period, there is no interruption to your service. If the license is not renewed within these 180 days, all your data is permanently deleted.

If I purchase a Security Analytics and Logging subscription with a 1-year retention period and a 5-year term, will my data be stored for all 5 years?

The retention period defines how long each log is stored. With a 1-year retention period, only the most recent 1 year of log data is available at any given time. Log data older than 1 year is overwritten or deleted as new data is collected. A 5-year term means that data continues to be ingested for that duration, but the retention limit still applies to the log data itself.