The Secure Event Connector (SEC) is a container that you install on an on-premise Secure Device Connector (SDC) that receives events from FTDs and forwards them to the Cisco Cloud. Cisco Defense Orchestrator (CDO) pulls events from the cloud and displays them on the Events page so that administrators can analyze them.
Before you Install the Secure Event Connector
- Make sure an on-premise SDC virtual machine has been installed and the Secure Connectors page indicates that it is in the Active state.
If you need to install an SDC, follow one of these procedures:
- Deploy an On-Premises Secure Device Connector Using Defense Orchestrator's VM Image
- Deploy an On-Premise Secure Device Connector
- System requirements: assign additional CPUs and memory to the virtual machine running the SDC:
  - CPU: Assign an additional 4 CPUs for the SEC.
  - Memory: Assign an additional 8 GB of memory for the SEC.
For example, by default, the SDC virtual machine is allocated 2 CPU and 2 GB of memory when installed. After adding the container for the SEC, the VM should now be allocated 6 CPU and 10 GB of memory.
After you have updated the CPU and memory on the VM to accommodate Secure Event Connector, power on the VM and ensure that the Secure Connectors page indicates that the SDC is in the "Active" state.
Procedure to Install the Secure Event Connector
- Log in to CDO.
- In the main navigation column, select Events.
- Click the information button and click Setup Secure Event Connector.
- From the tenant menu at the top right of the screen, select Tenant_Name > Secure Connectors.
- Click Setup Secure Event Connector.
- Copy the bootstrap data.
- If you are currently using a vSphere console session, connect to the device using SSH and log in as the "cdo" user. Once logged in, switch to the "sdc" user. When prompted for a password, enter the password for the "cdo" user. Here is an example of those commands:
[cdo@sdc-vm ~]$ sudo su sdc
[sudo] password for cdo: <type password for cdo user>
[sdc@sdc-vm ~]$
- Change directories to /usr/local/cdo using the cd command. For example:
[sdc@sdc-vm ~]$ cd /usr/local/cdo
- Paste the bootstrap data into a new file called es_bootstrapdata using the echo command:
[sdc@sdc-vm ~]$ echo "paste the bootstrap data you copied in step 6 between the quotes" > es_bootstrapdata
- Onboard the Secure Event Connector to the SDC VM by running the following command:
[sdc@sdc-vm ~]$ /usr/local/cdo/toolkit/es_configure.sh setup
Upon successful onboarding, you will see output similar to the example below. On the Secure Connectors page, you will also see that the SEC is marked "Active." When the device is Active, events are flowing to the SEC. This state change may take 10 minutes to be reflected in CDO. You can click the Request Heartbeat link if you think the Active message is taking too long to appear.
[2019-04-23 02:52:47] startup new es container
Unable to find image 'ciscodefenseorchestrator/es_staging:latest' locally
sha256:988e8d277ce35b75a25cda9aad116c58262cddf63b6491599c351d1f1cd4a088: Pulling from ciscodefenseorchestrator/es_staging
cd784148e348: Pull complete
95d801cee9a3: Pull complete
316f141d0d86: Pull complete
Digest: sha256:988e8d277ce35b75a25cda9aad116c58262cddf63b6491599c351d1f1cd4a088
Status: Downloaded newer image for ciscodefenseorchestrator/es_staging@sha256:988e8d277ce35b75a25cda9aad116c58262cddf63b6491599c351d1f1cd4a088
Tagging ciscodefenseorchestrator/es_staging@sha256:988e8d277ce35b75a25cda9aad116c58262cddf63b6491599c351d1f1cd4a088 as ciscodefenseorchestrator/es_staging:latest
0791aac1080af78f7b9b8c2c33f8582defd7b42d77203d5a366af3c8602558f8
[2019-04-23 02:53:14] started new es container with rsyslog tcp port - 10125 and udp port - 10025 for tenant - sec_example_com
Note: Look at the TCP port and UDP port in the last line of the output example above (10125 and 10025 in the example). Those TCP and UDP ports are the ports to which the FTD sends events to the Secure Event Connector.
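As an added example (not Cisco's code and not part of the CDO toolkit), a few POSIX shell helpers that wrap the procedure above: a sizing check against the 6 CPU / 10 GB figures, a way to store the bootstrap data with restrictive permissions without leaving the value in shell history, and a parser that pulls the rsyslog TCP/UDP ports out of the es_configure.sh output so you can confirm the SEC is actually listening. The function names and the use of nproc and ss are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco documentation or CDO tooling: helpers a practitioner
# might run on the SDC VM around the es_configure.sh step. Function names and
# the use of nproc/ss are assumptions.

# Sizing check for the 2+4 vCPU / 2+8 GB RAM requirement described above.
# $1 = vCPU count, $2 = RAM in KiB (e.g. from nproc and /proc/meminfo).
sec_vm_sized_ok() {
    # Allow ~5% under 10 GiB: the kernel reports a little less than allocated.
    min_kb=$((10 * 1024 * 1024 * 95 / 100))
    if [ "$1" -ge 6 ] && [ "$2" -ge "$min_kb" ]; then
        return 0
    fi
    return 1
}

# Store bootstrap data read from stdin in $1 with mode 0600. Piping it in
# keeps the value out of the shell history that 'echo "..." > file' leaves.
sec_write_bootstrap() {
    ( umask 077; cat > "$1" ) && chmod 600 "$1"
}

# Print "<tcp> <udp>" listener ports found in es_configure.sh setup output (stdin).
sec_ports_from_output() {
    sed -n 's/.*rsyslog tcp port - \([0-9][0-9]*\) and udp port - \([0-9][0-9]*\).*/\1 \2/p' | head -n 1
}

# Exit 0 if something is listening on the given tcp|udp port (needs iproute2 ss).
sec_port_listening() {
    case "$1" in
        tcp) ss -Hltn "sport = :$2" | grep -q . ;;
        udp) ss -Hlun "sport = :$2" | grep -q . ;;
        *)   return 2 ;;
    esac
}

# Typical use on the SDC VM (commented out so this file can be sourced safely):
# sec_vm_sized_ok "$(nproc)" "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" || echo "VM undersized"
# sec_write_bootstrap /usr/local/cdo/es_bootstrapdata   # then paste the data and press Ctrl-D
# set -- $(/usr/local/cdo/toolkit/es_configure.sh setup | tee setup.log | sec_ports_from_output)
# sec_port_listening tcp "$1" && sec_port_listening udp "$2" && echo "SEC listeners up on $1/tcp $2/udp"
```

Source the file on the SDC VM as the sdc user; the commented lines at the end show the order in which the helpers fit the procedure.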