Skip to main content

 

 

Cisco Defense Orchestrator

Install the Secure Event Connector on an On-Premises SDC Virtual Machine

The Secure Event Connector (SEC) is a container that you install on an on-premises Secure Device Connector (SDC) that receives events from ASA and FTD devices and forwards them to the Cisco cloud. Cisco Defense Orchestrator (CDO) displays the events on the Event Logging page so that administrators can analyze them. 

Before You Install the Secure Event Connector

  • Purchase the Cisco Security and Analytics Logging, "Logging and Troubleshooting" license. Or, If you want to try it out first, log in to CDO, and on the main navigation bar, select Monitoring > Event Logging and click Request Trial. You may also purchase the Logging Analytics and Detection and Total Network Analytics and Monitoring licenses to apply SWC analytics to the events. 
  • Make sure an on-premises SDC virtual machine has been installed.

If you need to install an SDC, follow one of these procedures: 

Note: If you installed your on-premises Secure Device Connector on your own VM, there is additional configuration required to allow events to reach it. 

  • Make sure the on-premise SDC is communicating with CDO:
  1. From any open page in CDO, open the Secure Connectors page by clicking on the menu, under your user name, in the top right corner fo the page.
  2. Make sure that the SDC's last heartbeat was less than 10 minutes prior to the installation of the SEC and that the SDC's status is Active. 
  •  System Requirements - Assign additional CPUs and memory to the virtual machine running the SDC:
    • CPU: Assign an additional 4 CPUs to accommodate the SEC to make a total of 6 CPU.
    • Memory: Assign an additional 8 GB of memory for the SEC to make a total of 10 GB of memory.  

After you have updated the CPU and memory on the VM to accommodate the SEC, power on the VM and ensure that the Secure Connectors page indicates that the SDC is in the "Active" state. 

Procedure to Install the Secure Event Connector

  1. Log in to CDO.
  2. Click the user menu and select Secure Connectors.   
  3. Click the blue plus button and click Secure Connector. .
  4. In step 2 of the wizard, click the link to Copy bootstrap data.
  5. Open a terminal window and log into the SDC as the "cdo" user.
  6. Once logged in, switch to the "sdc" user. When prompted for a password, enter the password for the "cdo" user.  Here is an example of those commands: 
[cdo@sdc-vm ~]$ sudo su sdc
[sudo] password for cdo: <type password for cdo user>
[sdc@sdc-vm ~]$
  1. At the prompt, run the sec.sh setup script:
[sdc@sdc-vm ~]$ /usr/local/cdo/toolkit/sec.sh setup
  1. At the end of the prompt, paste the bootstrap data you copied in step 4 and press Enter.
Please copy the bootstrap data from Setup Secure Event Connector page of CDO: KJHYFuYTFuIGhiJKlKnJHvHfgxTewrtwE
RtyFUiyIOHKNkJbKhvhgyRStwterTyufGUihoJpojP9UOoiUY8VHHGFXREWRtygfhVjhkOuihIuyftyXtfcghvjbkhB=

After the SEC is onboarded, the sec.sh runs a script to check on the health of the SEC. If all the health checks are "green," the health check sends a sample event to the Event Log. The sample event shows up in the Event Log as a policy named "sec-health-check."

sec_health_checker_blurred.jpg

If you receive a message that the registration failed or that the SEC onboarding failed, go to Troubleshooting Secure Event Connector Onboarding Failures.

9. Determine if the VM on which the SDC and SEC are running needs additional configuration: 

Additional Configuration for SDCs Installed on Your Own Virtual Machine

If you installed your SDC on your own CentOS 7 virtual machine, you need to perform one of the following additional configuration procedures to allow events to reach the SEC.  

  •  Disable the firewalld service on the CentOS 7 VM. This matches the configuration of the Cisco-provided SDC VM. 
  •  Add firewall rules to allow into the VM the expected eventing traffic for the SEC. This is a more granular approach to allowing inbound event traffic.

Disable the firewalld service on the CentOS 7 VM

  1. Log into the CLI of the SDC VM as the "cdo" user.
  2. Stop the firewalld service, and then ensure that it will remain disabled upon subsequent reboots of the VM. If you are prompted, enter the password for the "cdo" user:
[cdo@SDC-VM ~]$ sudo systemctl stop firewalld
[cdo@SDC-VM ~]$ sudo systemctl disable firewalld

3. Restart the Docker service to re-insert Docker-specific entries into the local firewall:

[cdo@SDC-VM ~]$ sudo systemctl restart docker
  1. Continue to Next Steps.

Allow the firewalld service to run and add firewall rules to allow into the VM eventing traffic for the SEC

  1. Log into the CLI of the SDC VM as the "cdo" user.
  2. Add local firewall rules to allow incoming traffic to the SEC from TCP port 10125 and UDP port 10025 for syslog events, and UDP port 10425 for NSEL events. If prompted, enter the password for the "cdo" user:
[cdo@SDC-VM ~]$ sudo firewall-cmd --zone=public --permanent --add-port=10125/tcp
[cdo@SDC-VM ~]$ sudo firewall-cmd --zone=public --permanent --add-port=10025/udp
[cdo@SDC-VM ~]$ sudo firewall-cmd --zone=public --permanent --add-port=10425/udp
  1. Restart the firewalld service to make the new local firewall rules both active and persistent:
[cdo@SDC-VM ~]$ sudo systemctl restart firewalld
  1. Continue to Next Steps.
  • Was this article helpful?