Database Event Limits
The following table lists the minimum and maximum number of records for each event type that you can store on a Cisco Defense Orchestrator.

| Event Type | Upper Limit | Lower Limit |
|---|---|---|
| Intrusion events | 10 million (CDO Virtual); 20 million (CDO750); 30 million (CDO1500, ); 60 million (CDO2000,, FMCv 300); 150 million (CDO3500); 300 million (CDO4000, ) | 10,000 |
| Discovery events | 10 million (CDO Virtual); 20 million (CDO2000, CDO4000, , FMCv 300) | Zero (disables storage) |
| Connection events; Security Intelligence events | 50 million (CDO Virtual, CDO750); 100 million (CDO1500, ); 300 million (CDO2000, , FMCv 300); 500 million (CDO3500); 1 billion (CDO4000, ). Limit is shared between connection events and Security Intelligence events. The sum of the configured maximums cannot exceed this limit. | Zero (disables storage). If you set the Maximum Connection Events value to zero, then connection events that are not associated with Security Intelligence, intrusion, file, and malware events are not stored on the CDO. See below for the effect of this setting on Maximum Flow Rate. These settings do not affect connection summaries. |
| Connection summaries (aggregated connection events) | 50 million (CDO Virtual, CDO750); 100 million (CDO1500, ); 300 million (CDO2000, , FMCv 300); 500 million (CDO3500); 1 billion (CDO4000, ) | Zero (disables storage) |
| Correlation events and compliance allow list events | 1 million (CDO Virtual); 2 million (CDO2000, , CDO4000, FMCv 300) | One |
| Malware events | 10 million (CDO Virtual); 20 million (CDO2000,, CDO4000, FMCv 300) | 10,000 |
| File events | 10 million (CDO Virtual); 20 million (CDO2000, , CDO4000, FMCv 300) | Zero (disables storage) |
| Health events | 1 million | Zero (disables storage) |
| Audit records | 100,000 | One |
| Remediation status events | 10 million | One |
| Allow list violation history | A 30-day history of violations | One day’s history |
| User activity (user events) | 10 million | One |
| User logins (user history) | 10 million | One |
| Intrusion rule update import log records | 1 million | One |
| VPN Troubleshooting database | 10 million | Zero (disables storage) |

Maximum Flow Rate
The maximum flow rate (flows per second) value for your CDO hardware model is specified in the Platform Specifications section of the CDO datasheet at https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html?cachemode=refresh
If you set the Maximum Connection Events value in platform settings to zero, then connection events that are not associated with Security Intelligence, intrusion, file, and malware events are not counted toward the maximum flow rate for your CDO hardware.
Any non-zero value in this field causes ALL connection events to be counted against the maximum flow rate.
Other event types on this page do not count against the maximum flow rate.