Nybble Security Analytics: Onboard a Cisco Device
Before you begin
Onboarding a network device requires a filebeat collector somewhere in your network.
See Nybble Security Analytics: Filebeat collector for further details.
Grab the DNS name of the nearest filebeat collector you've installed in your network.
Cisco AMP onboarding
To configure the Cisco AMP fileset you will need to retrieve your client_id and api_key from the AMP dashboard.
For more information on how to retrieve these credentials, please reference the Cisco AMP API documentation.
The URL configured for the API depends on the region where your AMP instance is located; currently there are three choices:
- api.amp.cisco.com
- api.apjc.amp.cisco.com
- api.eu.amp.cisco.com
If Cisco adds new endpoints in the future, please reference the API URL list in the Cisco AMP API Docs.
To configure the collection on filebeat:
- Locate the cisco AMP section in filebeat.yml to turn on the AMP collection:
  amp:
    enabled: false # turn it to true
- In the same section, fill in the client_id and api_key values:
    var.client_id: <client_id>
    var.api_key: <api_key>
- Restart the filebeat agent.
Source for more details: Elastic Filebeat : AMP module
Cisco IOS onboarding
- Locate the cisco IOS section in filebeat.yml to turn on the IOS collection. Log collection uses syslog on UDP port 1820:
  ios:
    enabled: false # turn it to true
- Restart the filebeat agent.
- Please refer to the Cisco IOS documentation for your device version. Usually, the commands to enable syslog are:
    logging host <filebeat_ip>
    logging trap informational
Source for more details: Elastic Filebeat : IOS module
Cisco Umbrella onboarding
The Cisco Umbrella fileset primarily focuses on reading CSV files from an S3 bucket using the filebeat S3 input.
To configure Cisco Umbrella to log to a self-managed S3 bucket, please follow the Cisco Umbrella User Guide, and the AWS S3 input documentation to set up the necessary Amazon SQS queue.
Nybble has enabled collection for the 4 supported filesets:
- Proxy
- Cloud Firewall
- IP Logs
- DNS logs
To configure the collection on filebeat:
- Locate the cisco Umbrella section in filebeat.yml to turn on the Umbrella collection:
  umbrella:
    enabled: false # turn it to true
- In the same section, fill in the queue_url, access_key_id and secret_access_key values:
    var.queue_url: https://<AWS S3 SQS Queue URL>
    var.access_key_id: <access_key_id>
    var.secret_access_key: <secret_access_key>
- Restart the filebeat agent.
Source for more details: Elastic Filebeat : Umbrella module
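A pre-restart check for the three fileset blocks above (AMP, IOS and Umbrella), added here as an example and not part of Nybble's or Elastic's tooling: it reads the fileset block, drops the "# turn it to true" comments, and reports any enabled fileset whose credentials are missing or still hold the <placeholder> values from this page. The required-var lists are taken from the steps above; the sample block is constructed.

```python
import re
# Vars each fileset needs once enabled, taken from the steps above (ios needs
# none here: it receives syslog on UDP 1820 instead of pulling from an API).
REQUIRED_VARS = {
    "amp": ["var.client_id", "var.api_key"],
    "ios": [],
    "umbrella": ["var.queue_url", "var.access_key_id", "var.secret_access_key"],
}


def parse_filesets(text):
    """Read the two-level 'name:' / '  key: value' block; '# comments' are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if line == line.lstrip():           # no indent: a new fileset name
            current = key
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value.strip()
    return sections


def check_filesets(text):
    """Return a list of problems; an empty list means the block is ready."""
    sections, problems = parse_filesets(text), []
    for name, needed in REQUIRED_VARS.items():
        cfg = sections.get(name, {})
        if cfg.get("enabled", "false").lower() != "true":
            continue                        # disabled fileset: nothing to check
        for var in needed:
            value = cfg.get(var, "")
            if not value:
                problems.append(f"{name}: enabled but {var} is not set")
            elif re.search(r"<[^>]*>", value):  # e.g. <client_id> left unfilled
                problems.append(f"{name}: {var} still holds the placeholder {value}")
    return problems


# Constructed sample: AMP keeps a placeholder, Umbrella is enabled but unfilled.
SAMPLE = """\
amp:
  enabled: true
  var.client_id: 0123456789abcdef
  var.api_key: <api_key>
ios:
  enabled: false # turn it to true
umbrella:
  enabled: true
  var.queue_url: https://<AWS S3 SQS Queue URL>
"""
```

Run it against the fileset block of your own filebeat.yml before restarting the agent; the secrets it reads stay on the collector, so keep that file readable only by the filebeat user.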