Configure Splunk in Secure Firewall Management Center
Before you begin:
- Ensure that the Splunk server can be reached by both the Firewall Management Center and the Firewall Threat Defense devices.
- Configure the Cisco Secure Firewall App in Splunk. You need a valid Splunk server license and a Cisco Secure Cloud account. For configuration information, see Configure Secure Firewall App in Splunk.
- The Cisco Secure Firewall App in Splunk does not support TLS. Hence, if you choose to use the TLS protocol to send events to Splunk, configure TLS on the Splunk server itself. For TLS configuration instructions, see the section Configure Splunk indexing and forwarding to use TLS certificates under Manage Users and Security in the Splunk Administer guide.
- Create the required objects such as host, security zone, interface group, certificate, and so on, before starting the configuration procedure. Although you can navigate from the Splunk integration wizard to create objects, having them in advance will provide a smoother integration experience.
- Connection events from the Firewall Management Center or Firewall Threat Defense device are sent to the configured Splunk server or SIEM syslog server only when the logging destination is appropriately selected on the Access Control policy rules page. For more information, see Create and Edit Access Control Rules.
The Splunk integration wizard allows you to create a profile that enables you to stream events and syslog from the Firewall Management Center and its managed devices to a specific server.
You can create multiple profiles to configure any number of servers for various combinations of devices and events. For example, you can create multiple profiles to send events from Firewall Threat Defense devices to one server, while directing events from the Firewall Management Center to another. Another scenario where multiple profiles can be created is when you have to send a specific set of events to one server and all the remaining events to a different server. Each profile is independent, but they all apply additively.
To open the Splunk integration wizard, go to .
The steps for configuring Splunk integration in Secure Firewall Management Center are listed in this table.
| Step | Do This | More Information |
|---|---|---|
| Step 1 | Configure the Splunk server or a similar SIEM tool server. | See Configure Splunk Server. |
| Step 2 | Choose the event types that you want to send to the Splunk server. | See Select Event Types. |
| Step 3 | Specify the devices and the interfaces from which you want to send syslog events to Splunk. | |
| Step 4 | (Optional) Specify the device certificate to be used for sending events securely to Splunk. | |
| Step 5 | View the summary of the profile that is being created. | See Summary. |
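The TLS prerequisite above and the optional device certificate in Step 4 both concern the receiving side on the Splunk server. As an added illustration (not taken from this guide or from Cisco or Splunk documentation), the following Splunk `inputs.conf` fragment shows a clear-text syslog listener beside a TLS-only listener that also requires a client certificate; the port 6514, the certificate paths, the `cisco:ftd` sourcetype and the device host names are assumptions.

```ini
# Splunk inputs.conf on the indexer or heavy forwarder that receives
# syslog from the Firewall Management Center and Firewall Threat Defense devices.

# Weak setting: clear-text TCP syslog. Connection events (source/destination
# addresses, usernames, URLs) cross the network unencrypted and the listener
# accepts traffic from any host. Kept here only for comparison; disabled.
[tcp://514]
sourcetype = cisco:ftd        ; assumed sourcetype, set to what the app expects
connection_host = dns
disabled = 1

# Hardened setting: syslog over TLS on 6514 (IANA syslog-tls port, assumed here).
# The Cisco Secure Firewall App does not configure TLS, so this stanza is added
# by hand on the Splunk server.
[tcp-ssl:6514]
sourcetype = cisco:ftd        ; assumed sourcetype, set to what the app expects
connection_host = dns
disabled = 0

# TLS parameters shared by all tcp-ssl inputs on this instance.
[SSL]
# Server certificate and private key presented to the firewall devices (assumed path).
serverCert = $SPLUNK_HOME/etc/auth/mycerts/splunk-syslog.pem
# Passphrase of the private key; placeholder, never commit the real value.
sslPassword = <PRIVATE_KEY_PASSPHRASE_PLACEHOLDER>
# Require the sending device to present a certificate (the device certificate
# selected in Step 4). The CA that issued it must be trusted via sslRootCAPath
# in server.conf, otherwise every connection is rejected.
requireClientCert = true
# Only accept client certificates whose CN matches a known device (assumed names).
sslCommonNameToCheck = ftd01.example.net, fmc.example.net
# Refuse legacy protocol versions.
sslVersions = tls1.2
```

Restart Splunk after editing and confirm with `splunk btool inputs list --debug` that the `tcp-ssl` stanza is the only enabled syslog listener before pointing the profile at the server.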