Configure Secure Firewall App in Splunk
To ensure that the Splunk server is reachable by Firewall Management Center and Firewall Threat Defense, and that it receives the events from the device, configure the Cisco Secure Firewall App in Splunk.
Before you begin
- Ensure that you have obtained a Splunk server license and a Cisco Security Cloud account.
Procedure
Step 1. Download and install the Splunk server using the instructions provided in the Splunk Enterprise Installation Manual.
Step 2. To install the Splunk license, log in to your Splunk server's web interface.
Step 3. Go to . Use the license received by email.
Step 4. Download Cisco Security Cloud from Splunkbase Apps.
Step 5. To install Cisco Security Cloud, log in to your Splunk server's web interface.
Step 6. Go to .
Step 7. Click Browse, select the downloaded application file, and upload it.
Step 8. To configure the server to receive the syslog events from the Firewall Management Center and Firewall Threat Defense, go to , and then click the Syslog tab.
Step 9. In the Input Name field, enter any name.
Step 10. In the Input Type field, enter UDP or TCP. TLS is not supported in the Cisco Security Cloud application. Use rsyslog or syslog-ng to establish TLS on the Splunk server. For detailed procedures, see Configure TLS on Splunk Server.
Step 11. In the Port field, enter a value between 1025 and 65535. The default port is 514.
Step 12. Leave the Host field blank. This allows Splunk to process events from any Firewall Management Center and Firewall Threat Defense.
Step 13. In the Source Type field, enter cisco:ftd:syslog.
Step 14. In the Interval field, enter 600 seconds.
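The following Python script is an added example and is not part of the Cisco documentation or the Cisco Security Cloud app. It does three things a practitioner typically wants before pointing a firewall at the new input: checks a planned Syslog input against the constraints in Steps 9 to 14, confirms that a UDP or TCP listener on the chosen input type actually receives a syslog line (here on a loopback port chosen by the OS, standing in for the Splunk server), and parses the received line into its RFC 3164 priority, host, FTD message ID and key/value body. The sample event, hostname, addresses and field values are constructed for this example; the regular expression assumes the "<PRI>timestamp host %FTD-severity-messageid: key: value, ..." layout and is not Cisco's parser. Note that the UI default of 514 lies below the 1025 to 65535 range given in Step 11, so a process binding 514 on Linux needs privilege for low ports; the checker enforces the stated range only.

```python
import re
import socket
import threading

# Constraints copied from Steps 9 to 14 of the procedure above.
VALID_INPUT_TYPES = {"UDP", "TCP"}       # TLS is not offered by the app itself
PORT_MIN, PORT_MAX = 1025, 65535         # range allowed for the Port field
EXPECTED_SOURCETYPE = "cisco:ftd:syslog"
EXPECTED_INTERVAL = 600                  # seconds

# Constructed sample event (not captured from a real device).
SAMPLE_EVENT = (
    "<134>Mar 10 12:00:01 ftd-edge-1 %FTD-6-430003: EventPriority: Low, "
    "DeviceUUID: 00000000-0000-0000-0000-000000000000, InstanceID: 1, "
    "ConnectionID: 12345, AccessControlRuleAction: Allow, "
    "SrcIP: 192.0.2.10, DstIP: 198.51.100.20, DstPort: 443"
)

# Assumed layout: <PRI>timestamp host %FTD-<severity>-<message id>: body
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %FTD-(?P<sev>\d)-(?P<msgid>\d+): (?P<body>.*)$"
)


def validate_syslog_input(cfg):
    """Return a list of problems with a planned Syslog input; empty means it matches the procedure."""
    problems = []
    if not cfg.get("input_name"):
        problems.append("Input Name must not be empty")
    if str(cfg.get("input_type", "")).upper() not in VALID_INPUT_TYPES:
        problems.append("Input Type must be UDP or TCP; terminate TLS in rsyslog or syslog-ng")
    port = cfg.get("port")
    if not isinstance(port, int) or not PORT_MIN <= port <= PORT_MAX:
        problems.append(f"Port must be an integer between {PORT_MIN} and {PORT_MAX}")
    if cfg.get("host"):
        problems.append("Host must be blank so events from any FMC or FTD are accepted")
    if cfg.get("source_type") != EXPECTED_SOURCETYPE:
        problems.append(f"Source Type must be {EXPECTED_SOURCETYPE}")
    if cfg.get("interval") != EXPECTED_INTERVAL:
        problems.append(f"Interval must be {EXPECTED_INTERVAL} seconds")
    return problems


def parse_ftd_syslog(line):
    """Split one FTD syslog line into header fields and its key/value body; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])              # PRI = facility * 8 + severity (RFC 3164)
    fields = {}
    for item in m["body"].split(", "):
        key, sep, value = item.partition(": ")
        if sep:
            fields[key] = value
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "ftd_severity": int(m["sev"]), "message_id": m["msgid"], "fields": fields}


def loopback_check(input_type, message=SAMPLE_EVENT, timeout=3.0):
    """Bind a listener of the given type on 127.0.0.1 (OS-picked port), send one event to it,
    and return the text received, or None on timeout. Stands in for the Splunk input."""
    sock_type = socket.SOCK_DGRAM if input_type.upper() == "UDP" else socket.SOCK_STREAM
    listener = socket.socket(socket.AF_INET, sock_type)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    if sock_type == socket.SOCK_STREAM:
        listener.listen(1)           # listen before the sender connects
    listener.settimeout(timeout)
    result = {}

    def serve():
        try:
            if sock_type == socket.SOCK_STREAM:
                conn, _ = listener.accept()
                conn.settimeout(timeout)
                with conn:
                    data = conn.recv(4096)
            else:
                data, _ = listener.recvfrom(4096)
            result["data"] = data.decode("utf-8", "replace").rstrip("\n")
        except socket.timeout:
            result["data"] = None
        finally:
            listener.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    with socket.socket(socket.AF_INET, sock_type) as sender:
        if sock_type == socket.SOCK_STREAM:
            sender.connect(("127.0.0.1", port))
            sender.sendall((message + "\n").encode())   # newline framing, as syslog over TCP uses
        else:
            sender.sendto(message.encode(), ("127.0.0.1", port))
    worker.join(timeout + 1)
    return result.get("data")


if __name__ == "__main__":
    planned = {"input_name": "ftd-syslog", "input_type": "UDP", "port": 1514, "host": "",
               "source_type": EXPECTED_SOURCETYPE, "interval": EXPECTED_INTERVAL}
    print("config problems:", validate_syslog_input(planned) or "none")
    for proto in ("UDP", "TCP"):
        print(proto, "loopback:", "ok" if loopback_check(proto) == SAMPLE_EVENT else "FAILED")
    print("parsed:", parse_ftd_syslog(SAMPLE_EVENT))
```

Against a real server, replace the loopback listener with the Splunk host and the port chosen in Step 11, and confirm the event appears in Splunk under sourcetype cisco:ftd:syslog; a line that arrives on the wire but fails to parse usually points at a device sending a different syslog header format than the one assumed here.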