Cisco Firepower Management Center 4000

FireSIGHT System User Guide

Chapter 56
Auditing the System
You can audit activity on your system in two ways. The appliances that are part of the FireSIGHT System 
generate an audit record for each user interaction with the web interface, and also record system status 
messages in the system log.
The following sections provide more information about the monitoring features that the system provides:
  • describes how to view and manage system audit information.
  • describes how to view the system log, which contains system status messages.
Tip
Defense Centers and managed devices with Protection licenses also provide full reporting features that 
allow you to generate reports for almost any type of data accessible in an event view, including auditing 
data. For more information, see 
.
Managing Audit Records
License: Any
Defense Centers and managed devices log read-only auditing information for user activity. Audit logs 
are presented in a standard event view that allows you to view, sort, and filter audit log messages based 
on any item in the audit view. You can easily delete and report on audit information and can view detailed 
reports of the changes that users make. 
The audit log stores a maximum of 100,000 entries. When the number of audit log entries exceeds 
100,000, the appliance prunes the oldest records from the database to reduce the number to 100,000.
Note
If you reboot a Series 3 appliance and then log into the CLI as soon as you are able, any commands you 
execute are not recorded in the audit log until the web interface is available.