The Secure Event Connector (SEC) forwards events from ASAs and FTDs to the Cisco cloud so that you can view them in the Event Logging page and investigate them with Stealthwatch Cloud.
This article describes installing an SEC on a CDO Connector VM when your Secure Device Connector (SDC) is installed in the cloud. Though your SDC is installed in the Cisco cloud, the CDO Connector VM and SEC you create by following this procedure are installed on an on-premises virtual machine that is maintained in your private cloud.
Installing an SEC is a two-part process. Both parts of the process are described in this article:
- Install an on-premises CDO Connector VM using a CDO VM image. Only one SEC can be installed on one CDO Connector VM.
Note: If you want to create a CDO Connector VM by creating your own VM, see Installing Secure Event Connectors Using Your VM Image on Tenants with Cloud SDCs.
- Install the SEC on the CDO Connector VM.
1. Install a CDO Connector VM, to Support an On-Premises SEC, Using CDO's Connector VM Image
The CDO Connector VM is an on-premises VM on which you install an SEC.
- Purchase the Cisco Security and Analytics Logging, Logging and Troubleshooting license, you may also purchase the Logging Analytics and Detection and Total Network Analytics and Monitoring licenses to apply Stealthwatch Cloud analytics to the events.
If you would rather, you can request a trial version of Security Analytics and Logging by logging in to CDO, and on the main navigation bar, select Monitoring > Event Logging and click Request Trial.
- You have a fully functioning cloud Secure Device Connector (SDC) installed on your tenant. Its state is Active and it has reported a heartbeat within the last 10 minutes.
- CDO requires strict certificate checking and does not support Web/Content Proxy inspection between the CDO Connector and the Internet. If using a proxy server, disable inspection for traffic between the CDO Connector and CDO.
- The CDO Connector VM installed in this process must have full outbound access to the Internet on TCP port 443.
- Review Connect to Cisco Defense Orchestrator using Secure Device Connector to ensure proper network access for the CDO Connector VM.
- CDO supports installing its SDC VM OVF image using the vSphere web client or the ESXi web client.
- CDO does not support installing the SDC VM OVF image using the VMware vSphere desktop client.
- ESXi 5.1 hypervisor.
- System requirements for a VM intended to host only a CDO Connector and an SEC:
- VMware ESXi host needs 4 vCPU.
- VMware ESXi host needs a minimum of 8 GB of memory.
- VMware ESXi requires 64GB disk space to support the virtual machine depending on your provisioning choice.
- Gather this information before you begin the installation:
- Static IP address you want to use for your CDO Connector VM.
- Passwords for the root and cdo users that you create during the installation process.
- The IP address of the DNS server your organization uses.
- The gateway IP address of the network the CDO Connector's address is on.
- The FQDN or IP address of your time server.
- The CDO Connector VM is configured to install security patches on a regular basis and in order to do this, opening port 80 outbound is required.
- Log on to the CDO tenant you are creating the CDO Connector for.
- Click the Account menu and select Secure Connectors.
- Click the blue plus button and click Secure Event Connector.
- In Step 1, click Download the CDO Connector VM image. This is a special image that you install the SEC on. Always download the CDO Connector VM to ensure that you are using the latest image.
- Extract all the files from the .zip file. They will look similar to these:
6. Log on to your VMware server as an administrator using the vSphere Web Client.
Note: Do not use the VM vSphere desktop client.
- Deploy the on-premises CDO Connector virtual machine from the OVF template by following the prompts. (The OVF template will look similar to this: CDO-SDC-VM-ddd50fa.ovf.)
- When the setup is complete, power on the VM.
- Open the console for your new CDO Connector VM.
- Login as the cdo user. The default password is adm123.
- At the prompt type sudo sdc-onboard setup
[cdo@localhost ~]$ sudo sdc-onboard setup
- When prompted, enter the default password for the cdo user: adm123
- Follow the prompts to create a new password for the root user.
- Follow the prompts to create a new password for the cdo user.
- Follow the prompts to enter your Cisco Defense Orchestrator domain information.
- Enter the static IP address you want to use for the CDO Connector VM.
- Enter the gateway IP address for the network on which the CDO Connector VM is installed.
- Enter the NTP server address or FQDN for the CDO Connector.
- When prompted, enter the information for the Docker bridge or leave it blank if it is not applicable and press <Enter>.
- Confirm your entries.
- When prompted "Would you like to setup the SDC now?" enter n
- Create an SSH connection to the CDO Connector by logging in as the cdo user.
- At the prompt type sudo sdc-onboard bootstrap
[cdo@localhost ~]$ sudo sdc-onboard bootstrap
- When prompted, enter the cdo password you created in step 14.
- When prompted, return to CDO and copy the CDO bootstrap data, then paste it into your SSH session.
To copy the CDO bootstrap data:
- Log into CDO.
- From the user menu, select Secure Connectors.
- Select the Secure Event Connector which you started to onboard. The status should show, "Onboarding."
- In the Actions pane, click Deploy an On-Premises Secure Event Connector.
- Copy the CDO Bootstrap Data in step 1 of the dialog box.
- When prompted, Would you like to update these settings? enter n
- Return to the Deploy an On-Premises Secure Event Connector dialog in CDO and click Done. On the Secure Connectors page, you see your Secure Event Connector is in the yellow Onboarding state.
- Continue to the next procedure.
2. Install the Secure Event Connector on the CDO Connector VM
- You should have installed CDO Connector VM as described in Install a CDO Connector VM, to Support an On-Premises SEC, Using CDO's Connector VM Image above.
- Make sure the SDC is communicating with CDO:
- From any open page in CDO, open the Secure Connectors page by clicking on the menu, under your user name, in the top right corner of the page.
- Make sure that the SDC's last heartbeat was less than 10 minutes prior to the installation of the SEC and that the SDC's status is Active.
- Log in to CDO.
- Click the user menu and select Secure Connectors.
- Select the CDO Connector that you onboarded above. In the Secure Connectors table, it will be called a Secure Event Connector and it should still be in the "Onboading" status.
- Click Deploy an On-Premises Secure Event Connector in the Actions pane on the right.
- In step 2 of the wizard, click the link to Copy SEC bootstrap data.
- Open a terminal window and log into the Secure Connector as the "cdo" user.
- Once logged in, switch to the "sdc" user. When prompted for a password, enter the password for the "cdo" user. Here is an example of those commands:
[cdo@sdc-vm ~]$ sudo su sdc [sudo] password for cdo: <type password for cdo user> [sdc@sdc-vm ~]$
- At the prompt, run the sec.sh setup script:
[sdc@sdc-vm ~]$ /usr/local/cdo/toolkit/sec.sh setup
- At the end of the prompt, paste the bootstrap data you copied in step 4 and press Enter.
Please copy the bootstrap data from Setup Secure Event Connector page of CDO: KJHYFuYTFuIGhiJKlKnJHvHfgxTewrtwE RtyFUiyIOHKNkJbKhvhgyRStwterTyufGUihoJpojP9UOoiUY8VHHGFXREWRtygfhVjhkOuihIuyftyXtfcghvjbkhB=
After the SEC is onboarded, the sec.sh runs a script to check on the health of the SEC. If all the health checks are "green," the health check sends a sample event to the Event Log. The sample event shows up in the Event Log as a policy named "sec-health-check."
If you receive a message that the registration failed or that the SEC onboarding failed, go to Troubleshooting Secure Event Connector Onboarding Failures.
If you receive the success message return to CDO and click Done on the Deploy an ON-Premise Secure Event Connector dialog box.
- Continue to "Next Steps."
- Configure a syslog server for CDO Secure Event Connector
- Configure rules to send events to the syslog server.
- Request a Stealthwatch Cloud Portal if you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license.
- View and filter events in the Events screen.