The Secure Event Connector (SEC) forwards events from ASA and FTD to the Cisco cloud so that you can view them in the Event Logging page and investigate them with Stealthwatch Cloud, depending on your licensing.
You can install more than one Secure Event Connector (SEC) on your tenant and direct events from your ASAs and FTDs to any of the SECs you install. Having multiple SECs allows you to have SECs installed in different locations and distribute the work of sending events to the Cisco cloud.
Installing an SEC is a two-part process. Both parts are described in this article:
- Install an on-premises CDO Connector to support an on-premises SEC using a CDO image. The CDO Connector is a lightweight SDC on which you install an additional SEC. You need one CDO Connector for every additional SEC you install. The CDO Connector is different from the existing SDC installed on your tenant.
- Install an Additional Secure Event Connector.
Note: If you want to create a CDO Connector by creating your own VM, see Install Multiple SECs for Your Tenant Using a VM Image you Create.
Important: This article assumes that you already have a fully functioning SDC, you have already installed one SEC on it, and that you are installing your second, third, or subsequent SEC.
1. Install a CDO Connector, to Support an On-Premises SEC, Using a CDO VM Image
Prerequisites for Installing an On-premises CDO Connector
- Purchase the Cisco Security Analytics and Logging, Logging and Troubleshooting license. You may also purchase the Logging Analytics and Detection and Total Network Analytics and Monitoring licenses to apply Stealthwatch Cloud analytics to the events.
Alternatively, you can request a trial version of Security Analytics and Logging by logging in to CDO, selecting Monitoring > Event Logging on the main navigation bar, and clicking Request Trial.
- You have a fully functioning on-premises Secure Device Connector (SDC) installed on your tenant and you already have one Secure Event Connector (SEC) installed on your tenant.
- CDO requires strict certificate checking and does not support Web/Content Proxy inspection between the CDO Connector and the Internet. If using a proxy server, disable inspection for traffic between the CDO Connector and CDO.
- The CDO Connector installed in this process must have full outbound access to the Internet on TCP port 443.
- Review Connect to Cisco Defense Orchestrator using Secure Device Connector to ensure proper network access for the CDO Connector.
- CDO supports installing its SDC VM OVF image using the vSphere web client or the ESXi web client.
- CDO does not support installing the SDC VM OVF image using the VM vSphere desktop client.
- ESXi 5.1 hypervisor.
- System requirements for a VM intended to host only a CDO Connector and an SEC:
- VMware ESXi host needs 4 vCPU.
- VMware ESXi host needs a minimum of 8 GB of memory.
- VMware ESXi requires 64 GB of disk space to support the virtual machine; how much is allocated up front depends on your provisioning choice.
- Gather this information before you begin the installation:
- Static IP address you want to use for your SDC.
- Passwords for the root and cdo users that you create during the installation process.
- The IP address of the DNS server your organization uses.
- The gateway IP address of the network the SDC address is on.
- The FQDN or IP address of your time server.
- The on-premises SDC virtual machine is configured to install security patches on a regular basis; to allow this, outbound port 80 must be open.
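The prerequisites above (4 vCPU, 8 GB of memory, 64 GB of disk, a working DNS server, an NTP server, and outbound TCP 443 plus port 80 for patching) are easy to get wrong on a freshly provisioned VM, and a failed sdc-onboard run is harder to diagnose than a failed pre-flight check. The script below is an added example written for this article; it is not Cisco tooling and is not part of the CDO Connector image. It assumes a Linux guest with /proc/meminfo, nproc, df, getent and either nc or bash available. The CDO tenant hostname, NTP server and patch mirror are passed as arguments rather than hard-coded, because this article does not name them.

```shell
#!/bin/sh
# Pre-flight check for a VM that will host a CDO Connector and an SEC.
# Added example for this article, not Cisco tooling. It verifies the sizing,
# DNS, NTP and outbound-connectivity prerequisites listed above.
# Assumes a Linux guest with /proc/meminfo, nproc, df, getent and nc (or bash
# for the /dev/tcp fallback). Hostnames are supplied as arguments.

MIN_VCPU=4
MIN_MEM_GB=8
MIN_DISK_GB=64
CONNECT_TIMEOUT=5

# at_least ACTUAL MIN LABEL: prints PASS/FAIL and returns 0 when ACTUAL >= MIN.
at_least() {
  if [ "$1" -ge "$2" ]; then
    echo "PASS $3: $1 (minimum $2)"
    return 0
  fi
  echo "FAIL $3: $1 (minimum $2)"
  return 1
}

# mem_gb_from_meminfo: reads /proc/meminfo text on stdin and prints total RAM in GB.
# MemTotal is in kB and is slightly below the nominal size because the kernel
# reserves some memory, so the value is rounded rather than truncated.
mem_gb_from_meminfo() {
  awk '/^MemTotal:/ { printf "%d\n", int($2 / 1048576 + 0.5) }'
}

# disk_gb_from_df: reads "df -k <path>" output on stdin and prints the size of
# the filesystem (1K-blocks column) in GB, rounded.
disk_gb_from_df() {
  awk 'NR == 2 { printf "%d\n", int($2 / 1048576 + 0.5) }'
}

# dns_resolves HOST: returns 0 when the configured resolver can resolve HOST.
dns_resolves() {
  getent hosts "$1" >/dev/null 2>&1
}

# tcp_reachable HOST PORT: returns 0 when a TCP connection to HOST:PORT succeeds.
# Uses nc where present, otherwise bash's /dev/tcp pseudo-device.
tcp_reachable() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w "$CONNECT_TIMEOUT" "$1" "$2" >/dev/null 2>&1
  else
    timeout "$CONNECT_TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# run_preflight CDO_HOST [NTP_HOST] [PATCH_MIRROR_HOST]: runs every check and
# returns the number of failures, so a non-zero exit means "not ready".
run_preflight() {
  cdo_host=$1
  ntp_host=${2:-}
  mirror_host=${3:-}
  failures=0

  at_least "$(nproc)" "$MIN_VCPU" "vCPU" || failures=$((failures + 1))
  at_least "$(mem_gb_from_meminfo < /proc/meminfo)" "$MIN_MEM_GB" "memory GB" || failures=$((failures + 1))
  at_least "$(df -k / | disk_gb_from_df)" "$MIN_DISK_GB" "root disk GB" || failures=$((failures + 1))

  if dns_resolves "$cdo_host"; then
    echo "PASS DNS resolves $cdo_host"
  else
    echo "FAIL DNS cannot resolve $cdo_host (check the DNS server address you will enter during setup)"
    failures=$((failures + 1))
  fi

  # TCP 443 to CDO is mandatory. A failure here with DNS working usually means
  # a firewall rule or an inspecting proxy in the path.
  if tcp_reachable "$cdo_host" 443; then
    echo "PASS outbound TCP 443 to $cdo_host"
  else
    echo "FAIL outbound TCP 443 to $cdo_host (firewall or inspecting proxy in the path?)"
    failures=$((failures + 1))
  fi

  # Port 80 is only needed for the scheduled security patch downloads.
  if [ -n "$mirror_host" ]; then
    if tcp_reachable "$mirror_host" 80; then
      echo "PASS outbound TCP 80 to $mirror_host"
    else
      echo "FAIL outbound TCP 80 to $mirror_host (patch installation will not work)"
      failures=$((failures + 1))
    fi
  fi

  if [ -n "$ntp_host" ]; then
    if dns_resolves "$ntp_host"; then
      echo "PASS NTP server $ntp_host resolves"
    else
      echo "FAIL NTP server $ntp_host does not resolve"
      failures=$((failures + 1))
    fi
  fi

  echo "$failures check(s) failed"
  return "$failures"
}

# Usage: sh cdo-preflight.sh <cdo-tenant-hostname> [ntp-server] [patch-mirror]
# The checks run only when a hostname is given, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
  run_preflight "$@"
fi
```

Run it on the VM as the cdo user before sdc-onboard setup; a non-zero exit lists exactly which prerequisite to fix. The memory and disk parsers read their input from stdin so they can be checked against captured /proc/meminfo and df output without a live host.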
Procedure for Installing an On-premises CDO Connector
- Log on to the CDO tenant you are creating the CDO Connector for.
- Click the Account menu and select Secure Connectors.
- Click the blue plus button and click Secure Event Connector.
- In Step 1, click Download the CDO Connector VM image. This is a special image that you install the SEC on. Always download the CDO Connector VM to ensure that you are using the latest image.
- Extract all the files from the .zip file. They will look similar to these:
- Log on to your VMware server as an administrator using the vSphere Web Client.
Note: Do not use the VM vSphere desktop client.
- Deploy the on-premises CDO Connector virtual machine from the OVF template by following the prompts. (The OVF template will look similar to this: CDO-SDC-VM-ddd50fa.ovf.)
- When the setup is complete, power on the VM.
- Open the console for your new CDO Connector VM.
- Log in as the cdo user. The default password is adm123.
- At the prompt, type sudo sdc-onboard setup:
[cdo@localhost ~]$ sudo sdc-onboard setup
- When prompted, enter the default password for the cdo user: adm123
- Follow the prompts to create a new password for the root user.
- Follow the prompts to create a new password for the cdo user.
- Follow the prompts to enter your Cisco Defense Orchestrator domain information.
- Enter the static IP address you want to use for the CDO Connector VM.
- Enter the gateway IP address for the network on which the CDO Connector VM is installed.
- Enter the NTP server address or FQDN for the CDO Connector.
- When prompted, enter the information for the Docker bridge or leave it blank if it is not applicable and press <Enter>.
- Confirm your entries.
- When prompted "Would you like to setup the SDC now?", enter n.
- Create an SSH connection to the CDO Connector by logging in as the cdo user.
- At the prompt, type sudo sdc-onboard bootstrap:
[cdo@localhost ~]$ sudo sdc-onboard bootstrap
- When prompted, enter the cdo password you created in step 14.
- When prompted, return to CDO and copy the CDO bootstrap data, then paste it into your SSH session.
To copy the CDO bootstrap data:
- Log into CDO.
- From the user menu, select Secure Connectors.
- Select the Secure Event Connector that you started to onboard. The status should show "Onboarding."
- In the Actions pane, click Deploy an On-Premises Secure Event Connector.
- Copy the CDO Bootstrap Data in step 1 of the dialog box.
- When prompted "Would you like to update these settings?", enter n.
- Return to the Deploy an On-Premises Secure Event Connector dialog in CDO and click Done. On the Secure Connectors page, you see your Secure Event Connector is in the yellow Onboarding state.
- Continue to the next procedure.
2. Install an Additional Secure Event Connector
Prerequisites for Installing an Additional Secure Event Connector
- You should have installed the CDO Connector VM as described in Install a CDO Connector, to Support an On-Premises SEC, Using a CDO VM Image above.
- Make sure the on-premises SDC is communicating with CDO:
- From any open page in CDO, open the Secure Connectors page by clicking the menu under your user name in the top right corner of the page.
- Make sure that the SDC's last heartbeat was less than 10 minutes prior to the installation of the SEC and that the SDC's status is Active.
Procedure for Installing an Additional Secure Event Connector
- Log in to CDO.
- Click the user menu and select Secure Connectors.
- Select the CDO Connector that you onboarded above. In the Secure Connectors table it is listed as a Secure Event Connector and should still be in the "Onboarding" status.
- Click Deploy an On-Premises Secure Event Connector in the Actions pane on the right.
- In step 2 of the wizard, click the link to Copy SEC bootstrap data.
- Open a terminal window and log into the Secure Connector as the "cdo" user.
- Once logged in, switch to the "sdc" user. When prompted for a password, enter the password for the "cdo" user. Here is an example of those commands:
[cdo@sdc-vm ~]$ sudo su sdc
[sudo] password for cdo: <type password for cdo user>
[sdc@sdc-vm ~]$
- At the prompt, run the sec.sh setup script:
[sdc@sdc-vm ~]$ /usr/local/cdo/toolkit/sec.sh setup
- At the prompt, paste the bootstrap data you copied in step 4 and press Enter.
Please copy the bootstrap data from Setup Secure Event Connector page of CDO: KJHYFuYTFuIGhiJKlKnJHvHfgxTewrtwE RtyFUiyIOHKNkJbKhvhgyRStwterTyufGUihoJpojP9UOoiUY8VHHGFXREWRtygfhVjhkOuihIuyftyXtfcghvjbkhB=
After the SEC is onboarded, sec.sh runs a health check on the SEC. If all the health checks are "green," the health check sends a sample event to the Event Log, where it shows up as a policy named "sec-health-check."
If you receive a message that the registration failed or that the SEC onboarding failed, go to Troubleshooting Secure Event Connector Onboarding Failures.
If you receive the success message, return to CDO and click Done on the Deploy an On-Premises Secure Event Connector dialog box.
- Continue to "Next Steps."
Next Steps
- Configure a syslog server for CDO Secure Event Connector
- Configure rules to send events to the syslog server.
- Request a Stealthwatch Cloud Portal if you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license.
- View and filter events in the Events screen.