The Secure Event Connector (SEC) receives events from ASA and FTD devices and forwards them to the Cisco cloud. CDO displays the events on the Event Logging page so that administrators can analyze them there or by using Cisco Stealthwatch Cloud.
SECs can be installed on a tenant with a cloud or on-premises SDC. If you have an on-premises Secure Device Connector, your first SEC is installed on the same VM as that SDC. If you have a cloud SDC, your first SEC is installed on an on-premises VM that you maintain in your own private cloud. In either the cloud SDC case or the on-premises SDC case, your second, third, or subsequent SEC is installed on a VM that you maintain in your own private cloud.
This article describes installing your first SEC on the same VM as your on-premises SDC. It is possible to install more than one SEC for your tenant after you install the first SEC. If your goal is to install a second, third, or other additional SEC, see Installing Multiple SECs, Using CDO Images, on Tenants with On-Premises SDCs.
Before You Install the Secure Event Connector
- Purchase the Cisco Security and Analytics Logging, Logging and Troubleshooting license. Or, If you want to try Cisco Security and Analytics Logging out first, log in to CDO, and on the main navigation bar, select Monitoring > Event Logging and click Request Trial. You may also purchase the Logging Analytics and Detection and Total Network Analytics and Monitoring licenses to apply SWC analytics to the events.
- Make sure your SDC has been installed. These instructions are specific to an on-premises SDC. If you need to install an on-premises SDC, follow one of these procedures:
- Deploy an On-Premises Secure Device Connector Using CDO's VM Image
- Deploy an On-Premises Secure Device Connector from your own VM Image
Note: If you installed the on-premises SDC on your own VM, there is additional configuration required to allow events to reach it.
- Make sure the on-premise SDC is communicating with CDO:
- From any open page in CDO, open the Secure Connectors page by clicking on the menu, under your user name, in the top right corner of the page.
- Make sure that the SDC's last heartbeat was less than 10 minutes prior to the installation of the SEC and that the SDC's status is Active.
- System Requirements - Assign additional CPUs and memory to the virtual machine running the SDC:
- CPU: Assign an additional 4 CPUs to accommodate the SEC to make a total of 6 CPU.
- Memory: Assign an additional 8 GB of memory for the SEC to make a total of 10 GB of memory.
After you have updated the CPU and memory on the VM to accommodate the SEC, power on the VM and ensure that the Secure Connectors page indicates that the SDC is in the "Active" state.
Procedure to Install the Secure Event Connector
Review "Before You Install the Secure Event Connector" above before you begin this procedure.
- Log in to CDO.
- Click the user menu and select Secure Connectors.
- Click the blue plus button and click Secure Event Connector.
- In step 2 of the wizard, click the link to Copy bootstrap data.
- Open a terminal window and log into the SDC as the "cdo" user.
- Once logged in, switch to the "sdc" user. When prompted for a password, enter the password for the "cdo" user. Here is an example of those commands:
[cdo@sdc-vm ~]$ sudo su sdc [sudo] password for cdo: <type password for cdo user> [sdc@sdc-vm ~]$
- At the prompt, run the sec.sh setup script:
[sdc@sdc-vm ~]$ /usr/local/cdo/toolkit/sec.sh setup
- At the end of the prompt, paste the bootstrap data you copied in step 4 and press Enter.
Please copy the bootstrap data from Setup Secure Event Connector page of CDO: KJHYFuYTFuIGhiJKlKnJHvHfgxTewrtwE RtyFUiyIOHKNkJbKhvhgyRStwterTyufGUihoJpojP9UOoiUY8VHHGFXREWRtygfhVjhkOuihIuyftyXtfcghvjbkhB=
After the SEC is onboarded, the sec.sh runs a script to check on the health of the SEC. If all the health checks are "green," the health check sends a sample event to the Event Log. The sample event shows up in the Event Log as a policy named "sec-health-check."
If you receive a message that the registration failed or that the SEC onboarding failed, go to Troubleshooting Secure Event Connector Onboarding Failures.
9. Determine if the VM on which the SDC and SEC are running needs additional configuration:
- If you installed your SDC on your own virtual machine, continue with Additional Configuration for SDCs and CDO Connectors Installed on Your VM Image.
- If you installed your SDC using a CDO image, you do need additional configuration. Continue to "Next Steps."
- Configure a syslog server for CDO Secure Event Connector
- Configure rules to send events to the syslog server.
- Request a Stealthwatch Cloud Portal if you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license.
- View and filter events in the Events screen.