Connections That Are Always Logged
Unless you disable connection event storage, the system automatically saves the following end-of-connection events to the Cisco Defense Orchestrator database, regardless of any other logging configurations.
Connections Associated with Intrusions
The system automatically logs connections associated with intrusion events, unless the connection is handled by the access control policy's default action.
When an intrusion policy associated with the access control default action generates an intrusion event, the system does not automatically log the end of the associated connection. To log it, you must explicitly enable default action connection logging. This default is useful for intrusion prevention-only deployments where you do not want to log any connection data.
However, if you enable beginning-of-connection logging for the default action, the system does log the end of the connection when an associated intrusion policy triggers, in addition to logging the beginning of the connection.
Connections Associated with File and Malware Events
The system automatically logs connections associated with file and malware events.
Note: File events generated by inspecting NetBIOS-SSN (SMB) traffic do not immediately generate connection events because the client and server establish a persistent connection. The system generates connection events after the client or server ends the session.
Connections Associated with Intelligent Application Bypass
The system automatically logs bypassed and would-have-bypassed connections associated with IAB.
Monitored Connections
The system always logs the ends of connections for monitored traffic, even if the traffic matches no other rules and you do not enable default action logging. For more information, see Logging for Monitored Connections.