Skip to main content



Cisco Defense Orchestrator

Install the Secure Event Connector on an On-Premise SDC Virtual Machine

The Secure Event Connector (SEC) is a container that you install on an on-premise Secure Device Connector (SDC) that receives events from FTDs and forwards them to the Cisco Cloud. Cisco Defense Orchestrator (CDO) pulls events from the cloud and displays them on the Events page so that administrators can analyze them. 

Before you Install the Secure Event Connector

  • Make sure an on-premise SDC virtual machine has been installed and the Secure Connectors page indicates that it is in the Active state. 

If you need to install an SDC, follow one of these procedures: 

For example, by default, the SDC virtual machine is allocated 2 CPU and 2 GB of memory when installed. After adding the container for the SEC, the VM should now be allocated 6 CPU and 10 GB of memory. 

After you have updated the CPU and memory on the VM to accommodate Secure Event Connector, power on the VM and ensure that the Secure Connectors page indicates that the SDC is in the "Active" state. 

Procedure to Install the Secure Event Connector

  1. Log in to CDO.
  2. In the main navigation column, select events_icon.jpg Events
  3. Click the information button i_square_button.png and click Setup Secure Event Connector.
  4. From the tenant menu at the top right of the screen, select Tenant_Name > Secure Connectors.
  5. Click Setup Secure Event Connector.
  6. Copy the bootstrap data.
  7. If you are currently using a vSphere console session, connect to the device using SSH and log in as the “cdo” user. Once logged in, switch to ”sdc” user. When prompted for a password, enter the password for the ”cdo” user.  Here is an example of those commands: 
[cdo@sdc-vm ~]$ sudo su sdc
[sudo] password for cdo: <type password for cdo user>
[sdc@sdc-vm ~]$
  1. Change directories to /usr/local/cdo using the cd command. For example:ls
[sdc@sdc-vm ~]$ cd /usr/local/cdo
  1. Paste the bootstrap data into a new file called es_boostrapdata using the echo command:
[sdc@sdc-vm ~]$echo "paste the bootstrap data you copied in step 6 between the quotes" > es_bootstrapdata
  1. Onboard the Secure Event Connector to the SDC VM by running the following command:
[sdc@sdc-vm ~]$ /usr/local/cdo/toolkit/ setup

Upon successful onboarding, you will see output similar the example below. On the Secure Connectors page, you will also see that the SEC is marked "Active." When the device is Active, events are flowing to the SEC. This state change may take 10 minutes to be reflected in CDO. You can click the Request Heartbeat link if you think the Active message is taking too long to appear.

[2019-04-23 02:52:47] startup new es container
Unable to find image 'ciscodefenseorchestrator/es_staging:latest'locally
sha256:988e8d277ce35b75a25cda9aad116c58262cddf63b6491599c351d1f1cd4a088: Pulling from ciscodefenseorchestrator/es_staging
cd784148e348: Pull complete
95d801cee9a3: Pull complete
316f141d0d86: Pull complete
Digest: sha256:988e8d277ce35b75a25cda9aad116c58262cddf63b6491599c351d1f1cd4a088
Status: Downloaded newer image for ciscodefenseorchestrator/es_staging@sha256:988e8d277ce35b75a25cda9aad116c58262cddf63b6491599c351d1f1cd4a088
Tagging ciscodefenseorchestrator/es_staging@sha256:988e8d277ce35b75a25cda9aad116c58262cddf63b6491599c351d1f1cd4a088 as ciscodefenseorchestrator/es_staging:latest
[2019-04-23 02:53:14] started new es container with rsyslog tcp port - 10125 and udp port - 10025 for tenant - sec_example_com

Note: Look at the TCP port and UDP port in red in the output example above. Those TCP and UDP ports are the ports from which the FTD sends events to the Secure Event Connector.

  • Was this article helpful?