Cisco Security Analytics and Logging

About Security Analytics and Logging (SaaS) in Security Cloud Control

Terminology Note: In this documentation, when Cisco Security Analytics and Logging (a software as a service product) is used with Security Cloud Control for security event monitoring and analysis, you will see this integration referred to as Cisco Security Analytics and Logging (SaaS) or SAL (SaaS).

Cisco Security Analytics and Logging (SAL) allows you to capture supported types of security events from all of your firewall devices and view them in one place in Security Cloud Control. The events are stored in the Security Analytics and Logging cloud and viewable from the Event Logging page. The Event Logging page allows you to search, filter and analyze the security event data to understand which security rules are being triggered in your network.

Event types in Security Cloud Control

When filtering the security events logged in Secure Logging Analytics (SaaS), you can choose from a list of Catalyst SD-WAN event types that Security Cloud Control supports. From the Security Cloud Control menu, navigate Analytics > Event Logging and click the filter icon to choose events.

Catalyst SD-WAN devices currently log only connection events under SD-WAN event types. SD-WAN Catalyst devices do not support sending syslog events to Security Cloud Control. To learn more about syslog IDs for Catalyst SD-WAN events, see Cisco Catalyst SD-WAN Monitor and Maintain Configuration Guide.

You can generate events for connections as users generate traffic that passes through the system. Enable connection logging on access rules to generate these events. You can also enable logging on Security Intelligence policies and SSL decryption rules to generate connection events.

Connection events contain data about the detected sessions. The information available for any individual connection event depends on several factors. In general, this information includes:

  • Basic connection properties: timestamp, source and destination IP address, ingress and egress zones, the device that handled the connection, and so on.

  • Additional connection properties the system discovers or infers: applications, requested URLs, users associated with the connection, and so on.

  • Metadata explaining why the connection was logged: which configuration handled the traffic, whether the connection was allowed or blocked, and details about encrypted and decrypted connections.

Deprovisioning Cisco Security Analytics and Logging (SaaS)

If you allow your Cisco Security Analytics and Logging (SaaS) paid subscription to lapse, collection of new events stops immediately. After 90 days from expiry, you will no longer be able to view or query your existing event data. You have 180 days to renew your subscription.

If you allow the 180-day grace period to lapse, the system purges all of your event data. You can no longer view security events on the Event Logging page, nor have dynamic entity modeling (DEM) behavioral analytics applied to your security events and network flow data.

Security Analytics and Logging licenses

Security Analytics and Logging subscription overview

You can combine SAL with your Security Cloud Control subscription. When managing your firewalls with Security Cloud Control, you can obtain Security Analytics and Logging entitlement in these ways:

  • Device management with unlimited logging: This option provides a per-device license. It includes device management capabilities for your firewall device and unlimited log storage for a rolling period of 90 days.

  • Device management only with optional cloud logging: This option involves purchasing a per-device license for management only. You can then add Security Analytics and Logging as a separate cloud logging subscription. This allows you to customize logging data storage and log retention based on your specific operational and compliance needs.

90-day free trial

To accurately estimate your daily ingest rate, log in to Security Cloud Control and navigate to the Events & Logs > Events > Event Logging tab to request a 90-day trial. You can purchase the desired subscription plan to continue the service by reviewing the instructions in the Security Cloud Control Firewall Management Ordering Guide.

Security Analytics and Logging paid subscription tiers

If you choose not to use device management with unlimited logging option, you can purchase logging capacity separately. This standalone Security Analytics and Logging subscription provides greater flexibility, longer default retention, and increased storage entitlements. The default minimum retention period for these subscription tiers is 1 year.

Select these flexible Security Analytics and Logging subscription tiers if:

  • You have already purchased your firewall devices as part of a different order.

  • You have specific logging estimates and want to buy a tier based on a fixed amount of ingest, storage, and logging retention.

  • You want a log retention period that is more than 90 days.

Security Analytics and Logging subscription is categorized into three tiers—Essentials, Advantage, and Premier. This table lists the storage capacities and log retention periods for each tier.

Description Retention Period Storage Limit Subscription Term

Cisco SAL Essentials Subscriptions

1, 2, or 3 years

2 TB

0 to 5 years

Cisco SAL Advantage Subscriptions

1, 2, or 3 years

4 TB

0 to 5 years
Cisco SAL Premier Subscriptions

1, 2, or 3 years

10 TB

0 to 5 years

For more information about the subscription plans, refer to the Security Cloud Control Firewall Management Ordering Guide.


Note

For paid subscriptions, Security Analytics and Logging automatically manages your event data to ensure that it aligns with your licensed retention period. Security Analytics and Logging removes event data that is older than your specified retention period on a daily basis, and ensures that you always retain access to all event data within your full retention period.

Estimate your daily ingest rate

Purchase a subscription plan that matches the number of events the Cisco cloud receives from your onboarded firewall devices on a daily basis. This is called your daily ingest rate. You can use the Logging Volume Estimator tool to estimate your daily ingest rate and as that rate changes you can update your subscription plan.

Subscribe to a Security Analytics and Logging license

Start a Security Analytics and Logging trial subscription

Purchase a data storage plan that matches the daily event volume your onboarded security devices send to Cisco cloud. This volume is referred to as your daily ingest rate. Before making a purchase, participate in a free trial of Security Analytics and Logging to accurately estimate your daily ingest rate.

  • With this trial plan, you gain access to all Security Analytics and Logging features for 90 days.

  • During the 90-day trial period, your onboarded firewalls send events to Security Analytics and Logging. Monitor your event ingestion rates, understand your storage requirements, and evaluate performance. This data helps you to plan and select the most appropriate paid subscription.

  • If you activate a paid Security Analytics and Logging subscription while a trial is active, Security Cloud Control replaces the trial license for the product instance with the paid license and ends the trial.

  • If you choose not to apply the paid subscription to the trial, event ingestion automatically stops after 90 days. After this, you cannot access Security Analytics and Logging features. However, your existing log data remains in the Security Analytics and Logging cloud for an additional 90 days from the trial expiry date.


    Note

    If you do not subscribe to a paid Security Analytics and Logging license within this 90-day grace period, all your trial data is permanently deleted.

Order a paid Security Analytics and Logging subscription

To continue using Security Analytics and Logging after your trial, or to upgrade your existing logging capabilities:

  1. Use the insights that you gained from your trial (daily ingest rate, required retention, storage volume) to determine the most suitable Security Analytics and Logging subscription plan.

  2. Work with your Cisco representative or authorized partner to purchase the appropriate Security Analytics and Logging subscription.

Claim your Security Analytics and Logging subscription

After you purchase a new Security Analytics and Logging subscription, you receive a claim code to activate it within Security Cloud Control. A welcome email containing your subscription claim code is automatically sent to the Provisioning Contact you specified during the purchasing process. If you included an End Customer contact, they also receive a copy. You will receive this email on the requested start date of your subscription.

A Security Cloud Control administrator uses the claim code to activate the subscription for their organization. For detailed instructions on claiming and activating subscriptions, refer to Claim a Subscription.

Renew your Security Analytics and Logging subscription

Maintaining an active Security Analytics and Logging subscription ensures continuous logging and access to your historical data.

  • If your Security Analytics and Logging subscription expires without renewal, event ingestion from your firewalls stops immediately.

  • You can continue to view and search existing event data for 90 days after the subscription expires. After 90 days, event data is no longer accessible.

  • Your existing data remains in the Security Analytics and Logging cloud for a 180-day grace period from the subscription expiry date.

  • If the Security Analytics and Logging subscription is not renewed within this 180-day grace period, all your event data is permanently deleted from the Security Analytics and Logging cloud.

View Security Analytics and Logging license information

View your Security Analytics and Logging license information such as the entitled monthly storage limit and the event storage retention period. If you do not have a separate Security Analytics and Logging license and data plan, you see the 90-day rolling data storage details in the licensing information.

Procedure

Step 1

Choose Administration > Logging Settings.

Step 2

Click View Logging Storage Usage.

Tip

 

Alternatively, navigate to Events & Logs > Events > Event Logging and then click the Storage Utilization button to view the Security Analytics and Logging license information.

The Event Logging Insights and Storage Usage dashboard provides a comprehensive overview of your Security Analytics and Logging license subscription:

  • Retention policy: Displays the event log retention period according to your subscription. Event data that is older than your retention period is removed daily, and you always retain access to all event data within your full retention period.

  • Storage capacity: Displays the total entitled data under your Security Analytics and Logging license, the amount of storage currently used, and the remaining available storage.

View Security Analytics and Logging Storage usage and event ingest rate

View the current Security Analytics and Logging storage utilization and analyze event logging trends. You can analyze the storage utilization trends by event type, device type, and individual devices to gain deeper insights into storage utilization patterns. Use the data visualizations for quick and easy analysis. This helps you assess the current storage capacity and take measures to reduce the logging rate if the storage utilization approaches the limits that are specified in your Security Analytics and Logging license.

Procedure

Step 1

Choose Administration > Logging Settings.

Step 2

Click View Logging Storage Usage.

Tip

 

Alternatively, navigate to Events & Logs > Events > Event Logging from the left navigation bar, and then click the Storage Utilization button to view the Security Analytics and Logging storage usage and event ingestion trends.

Step 3

Use these dashboards to customize and analyze storage utilization and gain insights into event logging trends in your firewall deployment:

  • Usage Trends: Displays the event logging storage usage for the last 12 months. Hover over a bar to see the data usage for the corresponding month.

  • Events per second (EPS) trends: Displays the event ingest rate for the onboarded devices. Customize your events per second trends view for a specific time period or device to get more granular data. You can filter the data for the past 1 week, 2 weeks, 3 weeks, or 1 month.

    Note

     

    The device drop-down list displays the managed firewall devices that are sending events to the Cisco Security Cloud.

  • Utilization by event type trends: Displays event data storage used, in bytes per day, for different event types. Use this widget to monitor storage use by event types and identify surges, if any, or unusual changes in storage use for specific event types. This insight enables you to adjust logging settings for a specific event type and manage storage use.

  • Utilization by device type trends: Displays event data storage used, in bytes per day, for each managed device type. Use this widget to monitor storage use by the device type and identify surges, if any, or unusual changes in storage use for a specific type of device.

  • Utilization by device trends: Displays event data storage used, in bytes per day, for each security device that sends events to Security Cloud Control. This widget focuses on devices with storage use exceeding the average bytes per second value, showing only the top five devices to improve usability. Use this widget to monitor storage use for each device and identify surges or unusual changes. This insight allows you to adjust logging settings for specific devices and manage storage use effectively.

Extend event storage duration and increase event storage capacity

To extend your rolling event storage or increase your event cloud storage, follow these steps:

Procedure

Step 1

Log in to your account on Cisco Commerce.

Step 2

Select your Security Cloud Control PID.

Step 3

Follow the prompts to upgrade the duration or capacity of your storage.

The increased cost will be prorated based on the term remaining on your existing license. See the Guidelines for Quoting Cisco Defense Orchestrator Products for detailed instructions.

View Security Analytics and Logging alerts

View alerts and notifications for the Security Analytics and Logging configurations and event settings for the managed firewall devices.

Procedure

Step 1

Choose Administration > Logging Settings.

Step 2

Click the View Logging Storage Usage button.

Tip

 

Alternatively, navigate to Events & Logs > Events > Event Logging from the left navigation bar, and then click Storage Utilization to view the Security Analytics and Logging license information.

The Alerts and Notifications section displays alerts about the settings that impact event logging. These alerts enable you to take action to resolve any issues. Some of these settings include:

  • Sending events to cloud setting is disabled.

  • Sending events to the cloud setting is disabled at device level.

  • Secure Event Connector becomes unavailable.

  • Increase in events ingestion rate.

Frequently asked questions about Security Analytics and Logging license

Which data gets counted against my Security Analytics and Logging allotment?

All events sent to the Cisco cloud directly or to the Secure Event Connector accumulate in Security Analytics and Logging and count against your data allotment.

Filtering the events viewer does not decrease the number of stored events in Security Analytics and Logging. It only reduces the number of events you see in the events viewer.

We're using up our storage allotment quickly. What should I do?

Here are two approaches to address that problem:

  • Request more storage.

  • Consider reducing the number of rules that log events. You can log events from SSL policy rules, security intelligence rules, access control rules, intrusion policies, and file and malware policies. Review your current logging settings to determine if you need to log events from all the rules and policies that you have configured.

What happens to my data if my Security Analytics and Logging license expires?

If your paid Security Analytics and Logging license expires, event ingestion from your firewalls stops immediately. However, your existing data remains accessible in the Security Analytics and Logging cloud for a 180-day grace period. If you renew your paid license during this grace period, your service continues without interruption. If you do not renew within these 180 days, all your data is permanently deleted.

If I purchase a Security Analytics and Logging subscription with a 1-year retention period and a 5-year term, will my data be stored for all 5 years?

The retention period defines how long each log is stored. With a 1-year retention period, only the most recent 1-year log data is available at any given time. Log data older than 1 year is overwritten or deleted when new data is collected. A 5-year term means that data for that duration will continue to be ingested, but the retention limit is applicable to the log data itself.

Overview of Security Analytics and Logging for Catalyst SD-WAN

The Secure Router integrates firewall capabilities into its architecture, ensuring robust security across distributed networks.

  • Catalyst SD-WAN integrates security features directly into the SD-WAN fabric, enabling secure Direct Internet Access (DIA) and Direct Cloud Access (DCA).

  • It includes next-generation firewall, integrated intrusion prevention capabilities, and URL filtering.

  • The Catalyst SD-WAN platform enables you to enforce centralized policies for all users, extending enterprise VPN architectures into your private cloud.

Onboard Catalyst SD-WAN Manager to Security Cloud Control to manage the security capabilities of managed devices.

  • Onboarded Catalyst SD-WAN devices send connection events to Security Analytics and Logging for storage in the cloud data store.

  • Security Analytics and Logging enables you to view connection events from all Catalyst SD-WAN devices in one centralized location—the Event Logging page in Security Cloud Control.

  • On the Event Logging page, you can view, filter, and search for events to perform threat hunting and analyze security rules triggered in your network.

How Catalyst SD-WAN router shares events with Security Cloud Control Firewall Management

This diagram describes how Catalyst SD-WAN shares security events with Security Cloud Control Firewall Management.

Figure 1. Event flow from Catalyst SD-WAN to Security Cloud Control
Remote user traffic flows through Catalyst SD-WAN devices to Security Cloud Control, enabling SOC analysts to monitor events.

Step

Description

1

A remote user accesses the network, and the Catalyst SD-WAN device generates an event log for the corresponding traffic. The device then exports the event data to a PSV file and sends it to Catalyst SD-WAN Manager.

2

Catalyst SD-WAN Manager sends the event data to the SD-WAN Analytics cloud.

3

SD-WAN Analytics stores the event data in cloud to make it accessible for Security Services Exchange and notifies Security Services Exchange.

After receiving the notification from SD-WAN Analytics cloud, Security Services Exchange downloads the event data from SD-WAN AWS cloud.

4

Security Services Exchange converts the event data from PSV to JSON format and sends it to Cisco Security Analytics and Logging (SaaS).

5

Security Analytics and Logging (SaaS) processes the event data using various services to classify and enrich it for use by Security Cloud Control.

Security Analytics and Logging (SaaS) stores the event data in the cloud data store. The event viewer queries this data store to provide security operations center (SOC) analysts with relevant event data.

Requirements and guidelines

  • Onboard the Catalyst SD-WAN Manager to the Security Cloud Control organization where you want to view the security events. For more information, see Onboard Catalyst SD-WAN Manager to Security Cloud Control.

  • Onboard the SD-WAN Analytics services to your Catalyst SD-WAN Manager and enable data collection. For more information, see Onboard Cisco SD-WAN Analytics.

  • A Security Cloud Control Firewall Management organization with a valid Security Analytics and Logging subscription plan. For more information about the subscription plans, see Security Analytics and Logging licenses.

  • Note that this integration supports only viewing the connection events from your Catalyst SD-WAN devices in Security Cloud Control.

  • Ensure that you have a Security Analytics and Logging subscription plan that reflects the number of events the Cisco cloud receives from your on-boarded Catalyst SD-WAN devices on a daily basis. This is called your daily ingest rate. You can use the Logging Volume Estimator tool to estimate your daily ingest rate and as that rate changes you can update your data plan.

  • If you do not have a Security Analytics and Logging plan subscribed, you can request a 90-day trial by logging in to Security Cloud Control and navigating to Events & Logs > Events > Event Logging tab. You can accurately estimate your daily ingest rate and purchase the desired subscription plan by following the instructions in the Security Cloud Control Firewall Management Ordering Guide.

View Catalyst SD-WAN events in Security Cloud Control Firewall Management

Before you begin

Ensure that you have met all the requirements described in Requirements and guidelines.

Procedure

Step 1

In the navigation pane, choose Events & Logs > Events > Event Logging.

Step 2

Click the filter () icon.

Step 3

Scroll to the Catalyst SD-WAN Events section and check the Connection check box.