Splunk Integration: Send Events Directly from Management Center
Cisco Splunk is a Security Information and Event Management (SIEM) tool that provides visibility and monitoring of security events across Cisco Secure Firewall devices.
In Cloud-Delivered Firewall Management Center versions earlier than 10.0, security events were sent to Splunk using eStreamer. From Cloud-Delivered Firewall Management Center version 10.0, you can send events directly to the Splunk server using the Cloud-Delivered Firewall Management Center web interface. The wizard-driven interface helps you set up the Splunk integration with minimal effort.
This integration allows you to perform these actions:

- Customize the event flow by specifying event types (such as connection, intrusion, malware, file, user activity, correlation, discovery, and intrusion packet) and their sources (Cloud-Delivered Firewall Management Center or Firewall Threat Defense device) according to your monitoring requirements.
- Select the source interface for sending syslog events. You can choose to send events from the Cloud-Delivered Firewall Management Center's management interface or from a Firewall Threat Defense device's management or data interfaces.
- Create profiles with various configurations to suit different monitoring requirements.
Note: While the integration procedure described in this topic is for Splunk, you can use the Splunk Integration wizard to integrate any SIEM tool with Cloud-Delivered Firewall Management Center and send syslog messages to an external syslog server.