Send Events to the Cloud Using Syslog

About Integration via Syslog

From threat defense release 6.3 onwards, you can use syslog to send supported events to the Cisco cloud from devices. You can set up an on-premises Cisco Security Services Proxy (CSSP) server and configure your devices to send syslog messages to this proxy.

Every 10 minutes, the proxy forwards collected events to Security Services Exchange from where the events can be promoted to various Cisco Security Cloud services, including Cisco XDR, to enrich your event analysis and investigations.

Requirements for Integration Using Syslog

Threat Defense device version: 6.3 or later.

Account on the regional cloud that you will use: see Account Required for Cisco XDR Integration.

Licensing:

  • Your Secure Firewall deployment must be licensed to generate the events that you want to send to the Cisco cloud.

    For details, see the Licensing Information.

  • This integration is not supported under an evaluation license.

  • This integration is not supported in an air-gapped environment.

  • Cisco XDR is a separately licensed product. It requires an additional subscription beyond the licenses for Cisco Secure Firewall products.

    For more information, see Cisco XDR Licenses.

General: Your threat defense device is generating events as expected.

How to Send Events to the Cisco Security Cloud Using Syslog and Integrate with Cisco XDR


Note

If your devices are already sending events to the Cisco Security Cloud, you do not need to configure sending them again.

Step 1

Decide the following:

  • Types of events you want to send to the cloud.

  • The method of sending events.

  • The regional cloud to use for sending the events.

See About Secure Firewall Threat Defense and Cisco XDR Integration.

Step 2

Meet the requirements for syslog integration.

See Requirements for Integration Using Syslog.

Step 3

Access Security Services Exchange, the cloud portal that you will use for managing devices and filtering events for Cisco XDR integration.

See Access Security Services Exchange.

Step 4

Install and configure a Cisco Security Services Proxy server.

Download the free installer and instructions from Security Services Exchange: from the Tools icon near the top-right of the browser window, select Downloads.

Step 5

In Security Services Exchange, enable features.

Click Cloud Services and enable the following options:

  • Cisco SecureX threat response or Cisco XDR

  • Eventing

Step 6

Configure your devices to send syslog messages for supported events to the proxy server.

Step 7

In your product, ensure that the messages identify the device that generated each event.

  • In the device manager: specify a hostname in Device > Hostname.

  • In the management center: on the Platform Settings Syslog Settings tab, enable Syslog Device ID and specify an identifier.

Step 8

In Security Services Exchange, configure the system to automatically promote significant events.

Important

If you do not automate event promotion, you must manually review and promote events to view them in Cisco XDR.

See the Security Services Exchange online help for information about promoting events.

To access Security Services Exchange, see Access Security Services Exchange.

Step 9

(Optional) In Security Services Exchange, configure automatic deletion of certain non-significant events.

For more information on filtering events, see Security Services Exchange online help.

To access Security Services Exchange, see Access Security Services Exchange.

Step 10

Verify that your events appear as expected in Security Services Exchange and troubleshoot if necessary.

See Verify that Events Reach Security Services Exchange Using Syslog and Troubleshoot a Syslog Integration.
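As an added example (not part of this page and not the proxy's own tooling), the following Python script parses syslog lines as they would arrive at the proxy and reports which ones carry no device identifier, the condition Step 7 exists to prevent and the first thing to check when events are missing in Step 10. It assumes RFC 3164 or RFC 5424 headers with the identifier in the hostname position; the sample lines are constructed, and the tag-in-hostname check is a heuristic, so confirm the field layout against the Threat Defense Syslog Messages reference.

```python
import re
from collections import Counter

# Assumed header layouts (an assumption, not taken from the page):
#   RFC 3164: <PRI>Mmm dd HH:MM:SS HOSTNAME MESSAGE
#   RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID MESSAGE
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<msg>.*)$")
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"(?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$")

# Constructed sample lines, not captured from a real device.
SAMPLE = [
    "<166>Jan  5 10:00:01 ftd-branch-01 %FTD-6-430003: constructed event body",
    "<166>Jan  5 10:00:02 ftd-branch-01 %FTD-6-430003: constructed event body",
    "<166>Jan  5 10:00:03 %FTD-6-430003: constructed event sent without a hostname",
    "<166>1 2024-01-05T10:00:04Z ftd-hq-02 FTD - 430003 - constructed 5424 event",
    "<166>1 2024-01-05T10:00:05Z - FTD - 430003 - constructed 5424 event, NIL host",
    "not a syslog line at all",
]

def parse_syslog(line):
    """Return header fields as a dict, or None if the line is not a syslog message."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # RFC 5424 writes "-" for a NIL hostname. In the 3164 form, a device that sends no
    # hostname pushes the message tag (e.g. "%FTD-6-...:") into the host slot (heuristic).
    if rec["host"] == "-" or rec["host"].startswith("%") or rec["host"].endswith(":"):
        rec["host"] = ""
    return rec

def audit(lines):
    """Count events per device identifier; collect lines that carry none."""
    per_device, unidentified = Counter(), []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or not rec["host"]:
            unidentified.append(line)
        else:
            per_device[rec["host"]] += 1
    return per_device, unidentified

if __name__ == "__main__":
    counts, bad = audit(SAMPLE)
    print(dict(counts))
    print(f"{len(bad)} line(s) without a device identifier: {bad}")
```

Point it at a capture of what the proxy actually receives: every device in your inventory should appear in the counts, and the unidentified list should be empty.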

Access Security Services Exchange

Before you begin

In your browser, disable pop-up blocking.

Procedure


Step 1

In a browser window, go to the Security Services Exchange admin portal using the URL: https://admin.sse.itd.cisco.com.

Step 2

Sign in using the credentials for your Cisco Security Cloud Sign On, Secure Endpoint, Secure Malware Analytics, or Cisco Security account.

Note that your account credentials are specific to the regional cloud.

Verify that Events Reach Security Services Exchange Using Syslog

Before you begin

Verify that the events appear in the device as you expected.

Procedure


Step 1

Wait for about 15 minutes after your device has detected a supported event to allow messages to be forwarded from the proxy to Security Services Exchange.

Step 2

Log in to your Security Services Exchange account. For more information, see Access Security Services Exchange.

Step 3

In Security Services Exchange, click Events.

Step 4

Look for events from your device.

If you do not see the expected events, see Troubleshoot a Syslog Integration.


Troubleshoot a Syslog Integration

Events are not reaching Cisco Security Services Proxy

Make sure your devices can reach Cisco Security Services Proxy on the network.

Problems accessing the cloud

  • If you activated your cloud account immediately before attempting to configure this integration and you encounter problems implementing it, wait an hour or two and then log in to your cloud account again.

  • Make sure you are accessing the correct URL for the regional cloud associated with your account.

Expected events are missing from the events list

Check the following:

  • Verify that the expected events appear on the device.

  • In Security Services Exchange, check your configurations for automatic deletion (filtering out events) in the Eventing settings on the Cloud Services page.

  • Make sure you are viewing the regional cloud to which you are sending your events.

Questions about Syslog Fields

For syslog fields and descriptions, see the Threat Defense Syslog Messages.