Which of the following statements is true about network traffic event logging in Cisco FireSIGHT Management Center? (Select the best answer.)
- Beginning-of-connection events contain less information than end-of-connection events.
- Performance is optimized by logging both beginning-of-connection events and end-of-connection events.
- You can log only beginning-of-connection events for encrypted connections handled by an SSL policy.
- You can log only end-of-connection events for blocked traffic.
In Cisco FireSIGHT Management Center, beginning-of-connection events contain less information than end-of-connection events. Cisco FireSIGHT Management Center, which was formerly called Sourcefire Defense Center, can log beginning-of-connection and end-of-connection events for various types of network traffic.
Although most network traffic will generate both kinds of events, blocked or blacklisted traffic is typically denied without further processing and therefore only generates beginning-of-connection events. Beginning-of-connection events contain a limited amount of information because they are generated based on the information contained in the first few packets of a connection.
By contrast, end-of-connection events are generated when a connection closes, times out, or can no longer be tracked because of memory constraints. End-of-connection events contain significantly more information than beginning-of-connection events because they can draw upon data collected throughout the course of a connection. This additional information can be used to create traffic profiles, generate connection summaries, or graphically represent connection data. In addition, the data can be used for detailed analysis or to trigger correlation rules based on session data. End-of-connection events are also required to log encrypted connections that are handled by a Secure Sockets Layer (SSL) policy because there is not enough information in the first few packets to indicate that a connection is encrypted.