Configure Secure Firewall App in Splunk
To ensure that the Splunk server is reachable by Cloud-Delivered Firewall Management Center and Firewall Threat Defense, and to receive the events from the device, configure the Cisco Secure Firewall App in Splunk.
Before you begin

- Ensure that you have obtained a Splunk server license and a Cisco Security Cloud account.
Procedure
Step 1: Download and install the Splunk server using the instructions in the Splunk Enterprise Installation Manual.
Step 2: To install the Splunk license, log in to your Splunk server's web interface.
Step 3: Go to . Use the license received by email.
Step 4: Download Cisco Security Cloud from Splunkbase Apps.
Step 5: To install Cisco Security Cloud, log in to your Splunk server's web interface.
Step 6: Go to .
Step 7: Click Browse, select the downloaded application file, and upload it.
Step 8: To configure the server to receive syslog events from the Cloud-Delivered Firewall Management Center and Firewall Threat Defense, go to , and then click the Syslog tab.
Step 9: In the Input Name field, enter any name.
Step 10: In the Input Type field, enter UDP or TCP. TLS is not supported in the Cisco Security Cloud application. Use rsyslog or syslog-ng to establish TLS on the Splunk server. For detailed procedures, see Configure TLS on Splunk Server.
Step 11: In the Port field, enter a value between 1025 and 65535. The default port is 514.
Step 12: Leave the Host field blank. This allows Splunk to process events from any Cloud-Delivered Firewall Management Center and Firewall Threat Defense.
Step 13: In the Source Type field, enter cisco:ftd:syslog.
Step 14: In the Interval field, enter 600 seconds.
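As an added example (not code from the Cisco or Splunk documentation), the following Python script checks an Input Type and Port pair against the constraints in Steps 10 and 11, builds a constructed FTD-style syslog line, and sends it to a syslog input so you can confirm the listener is reachable before pointing the firewall at it. The lab hostname, the message body and the loopback listener are assumptions; substitute the real Splunk host and port when you run it against your server.

```python
"""Added example, not from the Cisco or Splunk docs: confirm that a Splunk syslog input
set up as in Steps 8-14 is reachable, using a constructed FTD-style event."""
import socket
from datetime import datetime, timezone

SOURCETYPE = "cisco:ftd:syslog"  # Source Type value entered in Step 13

def check_settings(proto: str, port: int) -> list[str]:
    """Report Input Type / Port values the app's Syslog input does not accept (Steps 10, 11).
    TLS is not an option here; terminate it with rsyslog or syslog-ng in front of Splunk."""
    issues = []
    if proto not in ("UDP", "TCP"):
        issues.append(f"Input Type {proto!r} is not supported; use UDP or TCP")
    if not 1025 <= port <= 65535:
        issues.append(f"Port {port} is outside the documented range 1025-65535")
    return issues

def build_event(hostname: str, body: str) -> bytes:
    """Build an RFC 3164-style syslog line carrying a constructed FTD message body."""
    pri = 23 * 8 + 6  # facility local7, severity informational -> <190>
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} %FTD-6-430003: {body}\n".encode()

def send_event(host: str, port: int, proto: str, payload: bytes) -> int:
    """Deliver one event over UDP or TCP and return the number of bytes sent."""
    if proto == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            return sock.sendto(payload, (host, port))
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload)
        return len(payload)

def loopback_check(proto: str = "UDP") -> bool:
    """Offline self-test: stand in for the Splunk listener on 127.0.0.1, push one event
    through send_event and confirm it arrives byte-for-byte (assumed lab hostname)."""
    payload = build_event("ftd-lab-01", "constructed test event, safe to ignore")
    kind = socket.SOCK_DGRAM if proto == "UDP" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        port = srv.getsockname()[1]
        if proto == "TCP":
            srv.listen(1)
        send_event("127.0.0.1", port, proto, payload)
        if proto == "UDP":
            return srv.recv(4096) == payload
        conn, _ = srv.accept()
        with conn:  # read until the sender closes, then compare
            return b"".join(iter(lambda: conn.recv(4096), b"")) == payload
```

After a real send, search Splunk for `sourcetype=cisco:ftd:syslog` to confirm the event was indexed with the expected source type.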