Skip to main content



Cisco Defense Orchestrator

Cisco Security Analytics and Logging

About Cisco Security Analytics and Logging

Cisco Security Analytics and Logging allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your Firepower Threat Defense (FTD) devices and view them in one place in Cisco Defense Orchestrator (CDO).

The events are stored in the Cisco Security Analytics and Logging cloud and viewable from the Events page in CDO where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. 

This feature requires an on-premises Secure Device Connector (SDC).

How FTD Events are Displayed on the CDO Events Viewer

This is the path of an event from an onboarded Firepower Threat Defense device to the CDO Events viewer:

  1. You configure individual rules, such as access control rules, Security Intelligence rules, and SSL decryption rules, to forward events to the Secure Event Connector (SEC). You can also enable access control rule options, such as file protection, malware detection, or intrusion detection, and configure event forwarding to the SEC for those options. 

To forward events to the SEC, you create a syslog server object with the SEC's IP address and port number and then specify that syslog server object as the destination for all logged events. 

  1. The SEC forwards the events to the Cisco Security Analytics and Logging cloud where the events are stored.
  2. CDO pulls events from the Cisco Security Analytics and Logging cloud based on the filters you set and displays them in its Events viewer.


Cisco Security Analytics and Logging Licensing

You must purchase the Cisco Security Analytics and Logging, Logging and Troubleshooting license to use this feature.

  • Logging and Troubleshooting. The goal of this package is to provide network operations teams with real-time and historical events derived from their on-boarded Firepower Threat Defense devices for the purposes of troubleshooting and analyzing traffic in their network. 

From the CDO UI, you can obtain a 30-day Security Analytics and Logging free trial to test the functionality. At any time within 45 days of the free trial start, you can obtain a Security Analytics and Logging paid license. Contact your Managed Service Provider or for more information.

The following table describes the license.

Security Analytics and Logging Licensing Information
License Name Provided Functionality Available License Durations Functionality Prerequisites
Logging and Troubleshooting
  • View FTD events and event detail within CDO, both as a live feed and as a historical view
  • 1 year
  • 3 years
  • 5 years
  • CDO
  • an on-premises FTD deployment running version 6.4 or greater
  • deployment of an SEC to pass FTD events to the cloud, and subsequently to CDO

Data Plans

In addition to a Cisco Security Analytics and Logging Licensing license, you need to buy a data plan that reflects the amount of event storage you think you'll consume on a daily basis. The events from your on-boarded FTD devices are stored in the Cisco Security Analytics and Logging cloud. As your data needs change, you can update your data plan. You can use the Logging Volume Estimator Tool to estimate your traffic and purchase a data plan based on that level of traffic.

If you exceed your data plan, Cisco bills you after the end of the monthly billing period for the overage.

Device Licensing

If you want to log events from intrusion detection policies, file-control policies, malware detection policies, security intelligence policies, and SSL decryption policies, you need to have the licenses for those features installed on your FTD.  These are the licenses you will need in addition to the Base License:

  • Threat: Enables licensing for Intrusion detection and prevention, file control, and security intelligence filtering. 
  • Malware: Enables file policies that check for malware, which use Cisco Advanced Malware Protection (AMP) with AMP for Firepower (network-based Advanced Malware Protection) and Cisco Threat Grid. 

See the "Licensing the System" chapter in the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, version 6.4.0 or higher, for more information on FTD licensing.


To use Cisco Security Analytics and Logging you install the Secure Event Connector (SEC) container on your on-premises Secure Device Connector (SDC) and configure security rules to send events to SEC. See Install the Secure Event Connector on an On-Premise SDC Virtual Machine for more information.

Viewing and Filtering Events

After CDO retrieves the events from the Cisco Security Analytics and Logging cloud, it displays them in the Event Logging page.

To open the Even logging page, click navigate Monitoring > Event Logging on the main navigation bar.

To filter events, click the filter button filter_icon.png on the Events page and set the filter criteria as you would on other CDO pages. See Viewing and Filtering Firepower Threat Defense Events for more information about viewing events.