The Secure Event Connector (SEC) forwards events from ASA and FTD to the Cisco cloud so that you can view them in the Event Logging page and investigate them with Stealthwatch Cloud.
You can install more than one Secure Event Connector (SEC) on your tenant and direct events from your ASAs and FTDs to any of the SECs you install. Having multiple SECs allows you to have SECs installed in different locations and distribute the work of sending events to the Cisco cloud.
Installing an SEC is a two part process. Both parts of the process are described in this article:
- Install a CDO Connector using the CDO image to support the SEC. You need one CDO Connector for every SEC you install. The CDO Connector is different than a Secure Device Connector (SDC).
- Install the Secure Event Connector on the CDO Connector VM.
Note: If you want to create a CDO Connector by creating your own VM, see Install Multiple SECs for Your Tenant Using a VM Image you Create.
1. Install a CDO Connector, to Support an On-Premises SEC, Using the CDO Connector VM Image
Prerequisites for Installing an On-premises CDO Connector
- Purchase the Cisco Security and Analytics Logging, Logging and Troubleshooting license, you may also purchase the Logging Analytics and Detection and Total Network Analytics and Monitoring licenses to apply Stealthwatch Cloud analytics to the events.
If you would rather, you can request a trial version of Security Analytics and Logging by logging in to CDO, and on the main navigation bar, select Monitoring > Event Logging and click Request Trial.
- CDO requires strict certificate checking and does not support Web/Content Proxy inspection between the CDO Connector and the Internet. If using a proxy server, disable inspection for traffic between the CDO Connector and CDO.
- The CDO Connector installed in this process must have full outbound access to the Internet on TCP port 443.
- Review Connect to Cisco Defense Orchestrator using Secure Device Connector to ensure proper network access for the CDO Connector.
- CDO supports installing its CDO Connector VM OVF image using the vSphere web client or the ESXi web client.
- CDO does not support installing the CDO Connector VM OVF image using the VM vSphere desktop client.
- ESXi 5.1 hypervisor.
- System requirements for a virtual machine intended to host only a CDO Connector and an SEC:
- VMware ESXi host needs 4 vCPU.
- VMware ESXi host needs a minimum of 8 GB of memory.
- VMware ESXi requires 64GB disk space to support the virtual machine depending on your provisioning choice.
- Gather this information before you begin the installation:
- Static IP address you want to use for your SDC.
- Passwords for the root and cdo users that you create during the installation process.
- The IP address of the DNS server your organization uses.
- The gateway IP address of the network the SDC address is on.
- The FQDN or IP address of your time server.
- The on-premises CDO Connecotr virtual machine is configured to install security patches on a regular basis and in order to do this, opening port 80 outbound is required.
Procedure for Installing an On-premises CDO Connector
- Log on to the CDO tenant you are creating the CDO Connector for.
- Click the Account menu and select Secure Connectors.
- Click the blue plus button and click Secure Event Connector.
- In Step 1, click Download the CDO Connector VM image. Always download the CDO Connector VM to ensure that you are using the latest image.
- Extract all the files from the .zip file. They will look similar to these:
6. Log on to your VMware server as an administrator using the vSphere Web Client.
Note: Do not use the VM vSphere desktop client.
- Deploy the on-premises CDO Connector virtual machine from the OVF template by following the prompts. (You will need the .ovf, .mf, and .vmdk files to deploy the template.)
- When the setup is complete, power on the VM.
- Open the console for your new CDO Connector VM.
- Login as the cdo user. The default password is adm123.
- At the prompt type sudo sdc-onboard setup
[cdo@localhost ~]$ sudo sdc-onboard setup
- When prompted, enter the default password for the cdo user: adm123
- Follow the prompts to create a new password for the root user.
- Follow the prompts to create a new password for the cdo user.
- Follow the prompts to enter your Cisco Defense Orchestrator domain information.
- Enter the static IP address you want to use for the CDO Connector VM.
- Enter the gateway IP address for the network on which the CDO Connector VM is installed.
- Enter the NTP server address or FQDN for the CDO Connector.
- When prompted, enter the information for the Docker bridge or leave it blank if it is not applicable and press <Enter>.
- Confirm your entries.
- When prompted "Would you like to setup the SDC now?" enter n
- Create an SSH connection to the CDO Connector by logging in as the cdo user.
- At the prompt type sudo sdc-onboard bootstrap
[cdo@localhost ~]$ sudo sdc-onboard bootstrap
- When prompted, enter the cdo user's password.
- When prompted, return to CDO and copy the CDO bootstrap data, then paste it into your SSH session.
To copy the CDO bootstrap data:
- Log into CDO.
- From the user menu, select Secure Connectors.
- Select the Secure Event Connector which you started to onboard. The status should show, "Onboarding."
- In the Actions pane, click Deploy an On-Premises Secure Event Connector.
- Copy the CDO Bootstrap Data in step 1 of the dialog box.
- When prompted, Would you like to update these settings? enter n
- Return to the Deploy an On-Premises Secure Event Connector dialog in CDO and click OK. On the Secure Connectors page, you see your Secure Event Connector is in the yellow Onboarding state.
- Continue to the next procedure.
2. Install the Secure Event Connector on the CDO Connector VM
You should have installed CDO Connector VM as described in Install a CDO Connector, to Support an On-Premises SEC, Using a CDO VM Image above.
- Log in to CDO.
- Click the user menu and select Secure Connectors.
- Select the CDO Connector that you onboarded above. In the Secure Connectors table, it will be called a Secure Event Connector and it should still be in the "Onboading" status.
- Click Deploy an On-Premises Secure Event Connector in the Actions pane on the right.
- In step 2 of the wizard, click the link to Copy SEC bootstrap data.
- Create an SSH connection to the CDO Connector and log in as the cdo user.
- Once logged in, switch to the sdc user. When prompted for a password, enter the password for the "cdo" user. Here is an example of those commands:
[cdo@sdc-vm ~]$ sudo su sdc [sudo] password for cdo: <type password for cdo user> [sdc@sdc-vm ~]$
- At the prompt, run the sec.sh setup script:
[sdc@sdc-vm ~]$ /usr/local/cdo/toolkit/sec.sh setup
- At the end of the prompt, paste the bootstrap data you copied in step 4 and press Enter.
Please copy the bootstrap data from Setup Secure Event Connector page of CDO: KJHYFuYTFuIGhiJKlKnJHvHfgxTewrtwE RtyFUiyIOHKNkJbKhvhgyRStwterTyufGUihoJpojP9UOoiUY8VHHGFXREWRtygfhVjhkOuihIuyftyXtfcghvjbkhB=
After the SEC is onboarded, the sec.sh runs a script to check on the health of the SEC. If all the health checks are "green," the health check sends a sample event to the Event Log. The sample event shows up in the Event Log as a policy named "sec-health-check."
If you receive a message that the registration failed or that the SEC onboarding failed, go to Troubleshooting Secure Event Connector Onboarding Failures.
If you receive the success message return to CDO and click Done on the Deploy an ON-Premise Secure Event Connector dialog box.
- Continue to "Next Steps."