Cisco Security Analytics and Logging Getting Started
- Type
- Getting Started
Getting Started with Cisco Security Analytics and Logging (On
Premises)
First Published: 2021-05-26
Last Modified: 2021-05-26
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
©2021 Cisco Systems, Inc. All rights reserved.
CHAPTER 1
Getting Started with Cisco Security Analytics
and Logging (On Premises): Firepower Event
Integration
If you want to store Firepower event data in the Cisco cloud, as opposed to on-premises, see the Cisco Security
Analytics and Logging (SaaS) documentation for more information.
Note
•Concepts and Architecture, on page 1
•Reference Documentation, on page 3
•Requirements and Best Practices, on page 4
•Stealthwatch Licensing, on page 8
•Stealthwatch Resource Allocation, on page 8
•Communication Ports, on page 11
•Configuration Overview, on page 12
•Next Steps, on page 13
Concepts and Architecture
In a Cisco Security Analytics and Logging (On Premises) deployment, you can use a Stealthwatch appliance
to store data from another Cisco product deployment, such as a Firepower appliance deployment. In the case
of the Firepower deployment, you can export your Firepower connection (including Security Events), intrusion,
file, and malware events from your Firepower Threat Defense devices managed by a Firepower Management
Center to a Stealthwatch Management Console to store that information.
You have two options for Stealthwatch deployment:
• Single-node - Deploy a standalone Stealthwatch Management Console to receive and store events, and
from which you can review and query events
• Multi-node - Deploy a Flow Collector to receive events, a Data Store (containing 3 Data Nodes) to store
events, and a Stealthwatch Management Console from which you can review and query events
See the following diagram for an example of a Single-node deployment with a Stealthwatch Management
Console:
Getting Started with Cisco Security Analytics and Logging (On Premises)
1
In this deployment, the Firepower Threat Defense devices send Firepower events to the Stealthwatch
Management Console, and the Stealthwatch Management Console stores these events. From the Firepower
Management Center UI, users can cross-launch to the Stealthwatch Management Console to view more
information about the stored events. They can also query remotely the events from the Firepower Management
Center.
See the following diagram for an example of a Multi-node deployment with a Stealthwatch Management
Console, 3 Data Nodes, and a Flow Collector:
In this deployment, the Firepower Threat Defense devices send Firepower events to the Flow Collector. The
Flow Collector sends the events to the Data Store (3 Data Nodes) for storage. From the Firepower Management
Center UI, users can cross-launch to the Stealthwatch Management Console to view more information about
the stored events. They can also query remotely the events from the Firepower Management Center.
Getting Started with Cisco Security Analytics and Logging (On Premises)
2
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Concepts and Architecture
Reference Documentation
The following table describes relevant reference documentation for Cisco Security Analytics and Logging
(On Premises) appliance compatibility, deployment, and use:
Table 1:
DescriptionDocument
Review the Firepower Release Notes to understand
the latest information about the current Firepower
release, including last-minute information.
Firepower Release Notes
Review the Stealthwatch Smart Licensing Guide to
understand how to register your Stealthwatch product
instance and license your Stealthwatch appliances.
Stealthwatch Smart Licensing Guide
Review the Stealthwatch Installation Guide to
understand how to deploy your Stealthwatch
appliances for a Single-node deployment.
Stealthwatch Installation Guide
Review the Stealthwatch Configuration Guide to
understand how to configure your Stealthwatch
appliances for a Single-node deployment.
Stealthwatch Configuration Guide
Review the Stealthwatch Data Store Deployment and
Configuration Guide to understand how to configure
your Stealthwatch appliances for a Multi-node
deployment.
Stealthwatch Data Store Deployment and
Configuration Guide
Review the Stealthwatch Enterprise Release Notes to
understand the latest information about the current
Stealthwatch Enterprise release, including last-minute
information.
Stealthwatch Enterprise Release Notes
Review the Cisco Security Analytics and Logging
(On Premises) Release Notes to understand the latest
information about the current Cisco Security Analytics
and Logging (On Premises) release and Cisco Security
Analytics and Logging (On Premises) app, including
last-minute information.
Security Analytics and Logging Release Notes
If you have not already deployed Firepower or configured your Firepower deployment to generate the expected
connection, intrusion, file, and malware events, see the following:
Getting Started with Cisco Security Analytics and Logging (On Premises)
3
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Reference Documentation
Table 2:
DescriptionDocument
Review the Firepower Compatibility Guide to
understand the version support for Firepower
Management Center and Firepower Threat Defense
device appliance models.
Firepower Compatibility Guide
Review the Firepower Installation and Configuration
Guides to understand how to install and configure
your Firepower appliances.
Firepower Installation and Configuration Guides
Review the Firepower Management Center
Configuration Guide to understand Firepower
appliance licensing and configuration of your
Firepower Threat Defense devices managed by your
Firepower Management Center, access control
policies, intrusion policies, and file policies.
Firepower Management Center Configuration Guide
Requirements and Best Practices
The following lists the requirements and best practices for deploying Cisco Security Analytics and Logging
(On Premises) to store your Firepower event data.
The following tables provide a high-level overview of the solution components required to use a Stealthwatch
Management Console to store Firepower event data in a Cisco Security Analytics and Logging (On Premises)
deployment:
Firepower Appliances
You must deploy the following Firepower appliances:
NotesLicensing for Cisco
Security Analytics and
Logging (On Premises)
Required VersionSolution Component
• can deploy one
Stealthwatch
Management
Console per
Firepower
Management Center,
and optionally one
Flow Collector and
one Data Store (3
Data Nodes)
none7.0
For Firepower
Management Center
running earlier versions,
see https://cisco.com/go/
sal-on-prem-docs.
Firepower Management
Center (hardware or
virtual)
Getting Started with Cisco Security Analytics and Logging (On Premises)
4
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Requirements and Best Practices
NotesLicensing for Cisco
Security Analytics and
Logging (On Premises)
Required VersionSolution Component
Multiple Firepower Threat
Defense devices managed
by one Firepower
Management Center can
export events to the same
Stealthwatch deployment
none7.0 using the wizard
Firepower Threat Defense
6.4 or later using syslog
Firepower managed
devices
Firepower Threat Defense
device (hardware or
virtual) managed by FMC
Stealthwatch Appliances
You have the following options for deploying Stealthwatch:
•Single-node - Deploy only a Stealthwatch Management Console to ingest and store events, and review
and query events
•Multi-node - Deploy a Flow Collector to ingest events, Data Store to store events, and Stealthwatch
Management Console to review and query events
You can deploy a hardware Data Store (DS 6200) with 3 hardware Data Nodes
alongside a hardware Stealthwatch Management Console (SMC 2210) and a
hardware Flow Collector (FC 4210), or you can deploy a Data Store VE with 3
Data Nodes VE alongside a Stealthwatch Management Console VE and a Flow
Collector VE. You cannot deploy a mix of Stealthwatch hardware and
Stealthwatch VE appliances.
Note
Getting Started with Cisco Security Analytics and Logging (On Premises)
5
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Requirements and Best Practices
Table 3: Single-node
NotesLicensing for Cisco
Security Analytics and
Logging (On Premises)
Required VersionSolution Component
• can deploy either an
Stealthwatch
Management
Console 2210
hardware appliance
or Stealthwatch
Management
Console Virtual
Edition (VE)
appliance
• can receive events
from multiple
Firepower Threat
Defense devices, all
managed by one
Firepower
Management Center
• must install the
Cisco Security
Analytics and
Logging (On
Premises) app for
event ingest, and for
viewing Firepower
events in the
Stealthwatch
Management
Console Web App
noneStealthwatch 7.3.1+Stealthwatch Management
Console
Install this app on the
Stealthwatch Management
Console and configure to
enable event ingest
Logging and
Troubleshooting Smart
License, based on GB/day
Cisco Security Analytics
and Logging (On
Premises) app 2.0+
Cisco Security Analytics
and Logging (On
Premises) app
Getting Started with Cisco Security Analytics and Logging (On Premises)
6
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Requirements and Best Practices
Table 4: Multi-node
NotesLicensing for Cisco
Security Analytics and
Logging (On Premises)
Required VersionSolution Component
• can deploy either an
Stealthwatch
Management
Console 2210
hardware appliance
or Stealthwatch
Management
Console Virtual
Edition (VE)
appliance
•must install theCisco
Security Analytics
and Logging (On
Premises) app for
event ingest, and for
viewing Firepower
events in the
Stealthwatch
Management
Console Web App
noneStealthwatch 7.3.2+Stealthwatch Management
Console
• can deploy either a
Flow Collector 4210
hardware appliance
or Flow Collector
VE appliance
• can receive events
from
multipleFirepower
Threat Defense
devices, all managed
by one Firepower
Management Center
noneStealthwatch 7.3.2+Flow Collector
Getting Started with Cisco Security Analytics and Logging (On Premises)
7
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Requirements and Best Practices
NotesLicensing for Cisco
Security Analytics and
Logging (On Premises)
Required VersionSolution Component
• can deploy either a
Data Store 6200 (3
Data Nodes)
hardware or Data
Store VE (3 Data
Nodes VE)
• can store Firepower
events from multiple
Firepower Threat
Defense devices and
received by the Flow
Collector
noneStealthwatch 7.3.2+Data Store (3 Data Nodes)
Install this app on the
Stealthwatch Management
Console and configure to
enable event ingest
Logging and
Troubleshooting Smart
License, based on GB/day
Cisco Security Analytics
and Logging (On
Premises) app 2.0+
Cisco Security Analytics
and Logging (On
Premises) app
In addition to these components, you must make sure that all of the appliances can synchronize time using
NTP.
If you want to remotely access the Firepower or Stealthwatch appliances' consoles, you can enable access
over SSH.
Stealthwatch Licensing
You can use SAL (OnPrem) for 90 days without a license in Evaluation Mode. To continue using SAL
(OnPrem) after the 90 day period, you must obtain a Logging and Troubleshooting Smart License for Smart
Licensing, based on the GB per day you anticipate sending in syslog data from your Firepower deployment
to your Stealthwatch appliance.
For license calculation purposes, the amount of data is reported to the nearest whole GB, truncated. For
example, If you send 4.9 GB in a day, it is reported as 4 GB.
Note
See the Stealthwatch Smart Software Licensing Guide for more information on licensing your Stealthwatch
appliances.
Stealthwatch Resource Allocation
Stealthwatch offers the following ingest rates when deployed for Cisco Security Analytics and Logging (On
Premises):
Getting Started with Cisco Security Analytics and Logging (On Premises)
8
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Stealthwatch Licensing
• a hardware or virtual edition (VE) Single-node deployment can ingest up to roughly 20k events per
second (EPS) on average, with short bursts of up to 35k EPS
• a virtual edition (VE) Multi-node deployment can ingest up to roughly 50k EPS on average, with short
bursts of up to 175k EPS
• a hardware Multi-node deployment can ingest up to roughly 100k EPS on average, with short bursts of
up to 350k EPS
Based on the allocated hard drive storage, you can store the data for several weeks or months. These estimates
are subject to various factors, including network load, traffic spikes, and information transmitted per event.
The SAL (OnPrem) app, installed on a Single-node deployment, is designed to support an average of 20k
EPS, with short bursts of up to 35k EPS. The SAL (OnPrem) app, installed on a Multi-node deployment, is
designed to support an average of 100k EPS, with short bursts of up to 300k EPS. At higher EPS ingest rates,
the app may drop data. In addition, if you send all event types, instead of only connection, intrusion, file, and
malware events, the app may drop data as your overall EPS rises. Review the log files in this case.
Note
Single-node VE Recommendations
For optimum performance, allocate the following resources if you deploy a Stealthwatch Management Console
VE:
RecommendationResource
12CPUs
64 GBRAM
2 TBHard drive storage
Based on the storage space that you allocate, you can store your data for roughly the following time frames
on a Single-node deployment:
Estimated Retention
Period for 4 TB
Storage
Estimated Retention
Period for 2 TB
Storage
Estimated Retention
Period for 1 TB
Storage
Average Daily
Events
Average EPS
1000 days500 days250 days86.5 million1,000
200 days100 days50 days430 million5,000
100 days50 days25 days865 million10,000
50 days25 days12.5 days1.73 billion20,000
When the Stealthwatch Management Console reaches maximum storage capacity, it deletes the oldest data
first to make room for incoming data.
Getting Started with Cisco Security Analytics and Logging (On Premises)
9
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Stealthwatch Resource Allocation
We have tested the Stealthwatch Management Console VE with these resource allocations for this estimated
ingest and storage period. You may note unanticipated errors due to insufficient resource allocation if you do
not assign enough CPUs or RAM to the virtual appliance. If you increase the storage allocation beyond 4 TB,
you may note unanticipated errors due to insufficient resource allocation.
Note
Multi-node Recommendations
For optimum performance, allocate the following resources if you deploy a Stealthwatch Management Console
VE, Flow Collector VE, and Data Store VE:
Table 5: Stealthwatch Management Console VE
RecommendationResource
8 Intel Xeon, minimum 2.29 GHzCPUs
64 GBRAM
480 GBHard drive storage
Table 6: Flow Collector VE
RecommendationResource
8 Intel Xeon, minimum 2.29 GHzCPUs
70 GBRAM
480 GBHard drive storage
Table 7: Data Nodes VE (as part of a Data Store)
RecommendationResource
12 Intel Xeon, minimum 2.29 GHz per Data NodeCPUs
32 GB per Data NodeRAM
5 TB per Data Node VE, or 15 TB total across 3 Data
Nodes
Hard drive storage
Based on the storage space that you allocate, you can store your data for roughly the following time frames
on your Multi-node deployment:
HardwareVirtualAverage Daily EventsAverage EPS
3,000 days1,500 days86.5 million1,000
600 days300 days430 million5,000
300 days150 days865 million10,000
Getting Started with Cisco Security Analytics and Logging (On Premises)
10
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Stealthwatch Resource Allocation
HardwareVirtualAverage Daily EventsAverage EPS
150 days75 days1.73 billion20,000
120 days60 days2.16 billion25,000
60 days304.32 billion50,000
40 daysNot supported6.48 billion75,000
30 daysNot supported8.64 billion100,000
When the Data Store reaches maximum storage capacity, it deletes the oldest data first to make room for
incoming data.
We have tested these virtual appliances with these resource allocations for this estimated ingest and storage
period. You may note unanticipated errors due to insufficient resource allocation if you do not assign enough
CPUs or RAM to the virtual appliance. If you increase the storage allocation beyond 4 TB, you may note
unanticipated errors due to insufficient resource allocation.
Note
Communication Ports
The following table lists the communication ports you must open for the SAL (OnPrem) integration for a
Single-node deployment.
Protocol or PurposePortTo (Server)From (Client)
NTP time
synchronization, all to the
same NTP server
123/UDPFirepower Management
Center, Firepower Threat
Defense devices, and
Stealthwatch Management
Console
external internet (NTP
server)
logging into the
appliances' web interfaces
over HTTPS using a web
browser
443/TCPFirepower Management
Center and Stealthwatch
Management Console
user workstations
syslog export from
Firepower Threat Defense
devices, ingest to
Stealthwatch Management
Console
8514/UDPStealthwatch Management
Console
Firepower Threat Defense
devices managed by a
Firepower Management
Center
The following table lists the communication ports you must open for the SAL (OnPrem) integration for a
Multi-node deployment. In addition, see the Data Store Hardware Deployment and Configuration Guide or
the Data Store Virtual Edition Deployment and Configuration Guide for the ports you must open for your
Stealthwatch deployment.
Getting Started with Cisco Security Analytics and Logging (On Premises)
11
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Communication Ports
Protocol or PurposePortTo (Server)From (Client)
NTP time
synchronization, all to the
same NTP server
123/UDPFirepower Management
Center, Firepower Threat
Defense devices,
Stealthwatch Management
Console, Flow Collector,
and Data Store
external internet (NTP
server)
logging into the
appliances' web interfaces
over HTTPS using a web
browser
443/TCPFirepower Management
Center and Stealthwatch
Management Console
user workstations
syslog export from
Firepower Threat Defense
devices, ingest to Flow
Collector
8514/UDPFlow CollectorFirepower Threat Defense
devices managed by a
Firepower Management
Center
Configuration Overview
The following describes the high-level steps for configuring your deployment to store event data.
Review these tasks before starting your deployment.
Table 8:
StepsComponent and Task
You have the following options:
•Deploy a Stealthwatch Management Console 2210 to your network, and perform
initial configuration, including assigning an eth0 management interface
IP address and other information. See the x2xx Series Hardware Installation
Guide and Stealthwatch System Configuration Guide for more information.
• Download the Stealthwatch Management Console VE ISO, and deploy the
Stealthwatch Management Console VE to your hypervisor. Perform initial
configuration, and assign an eth0 management interface IP address and other
information. See the Stealthwatch Virtual Edition Installation Guide for more
information.
Deploy Single-node
Getting Started with Cisco Security Analytics and Logging (On Premises)
12
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Configuration Overview
StepsComponent and Task
You have the following options:
• Deploy a hardware Stealthwatch Management Console, Flow Collector, and
3 Data Nodes to your network. Perform initial configuration for each appliance,
and initialize the Data Store. See Install Stealthwatch Enterprise Version 7.3.x
with Hardware Appliances for more information.
• Download the Stealthwatch Management Console VE ISO, Flow Collector
VE ISO, and Data Node ISO. Deploy one Stealthwatch Management Console
VE, one Flow Collector VE, and 3 Data Nodes VE to your hypervisor. Perform
initial configuration for each appliance, and initialize the Data Store. See Install
Stealthwatch Enterprise Version 7.3.x with Virtual Appliances for more
information.
Deploy Multi-node
• On the Stealthwatch Management Console, go to App Manager in Central
Management and download the app. Configure it to receive events from
Firepower devices.
• See the SAL (OnPrem) release notes and app help for more information on
using the app.
Download and install
the SAL (OnPrem) app
on your Stealthwatch
Management Console,
and configure your
Stealthwatch
deployment to receive
and store Firepower
events.
Configure the Firepower Management Center to send events to your Stealthwatch
appliance.
Configure the
Firepower
Management Center to
send events to SAL
(OnPrem)
Review the Next Steps:
• Review the Firepower online help for more information.
• Review the Stealthwatch Management Console Web App online help for more
information on how to use Stealthwatch.
Review Next Steps
Next Steps
After you configure your Firepower deployment to pass syslog event data to your Stealthwatch appliance as
part of SAL (OnPrem), you can take the following steps:
• Review the Firepower Management Center online help to learn more about Firepower.
• Review the Stealthwatch Management Console Web App online help to learn more about Stealthwatch.
Getting Started with Cisco Security Analytics and Logging (On Premises)
13
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Next Steps
Getting Started with Cisco Security Analytics and Logging (On Premises)
14
Getting Started with Cisco Security Analytics and Logging (On Premises): Firepower Event Integration
Next Steps
-
1
-
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
Cisco Security Analytics and Logging Getting Started
- Type
- Getting Started
Ask a question and I''ll find the answer in the document
Finding information in a document is now easier with AI
Related papers
-
Cisco Stealthwatch Data Store Virtual Appliance Configuration Guide
-
-
Cisco Stealthwatch UDP Director Installation guide
-
Cisco Stealthwatch UDP Director 2210 Installation and Configuration Guide
-
-
-
-
Cisco Secure Firewall Management Center Configuration Guide
-
-
Cisco FirePOWER 8000 Series Appliances Configuration Guide