Configure Splunk in Cloud-Delivered Firewall Management Center

Before you begin:

  • Ensure that the Splunk server can be reached by the Firewall Threat Defense devices that will send events to it (the interface you select later in the wizard must have a route to the Splunk listener).

  • The Cisco Secure Firewall App in Splunk does not support TLS itself. If you choose to send events to Splunk over TLS, configure TLS on the Splunk server that receives them. For TLS configuration instructions, see Configure Splunk indexing and forwarding to use TLS certificates under Manage Users and Security in the Splunk Administer guide.

  • Create the required objects (host, security zone, interface group, certificate, and so on) before you start the procedure. You can also create objects from within the Splunk integration wizard, but having them ready in advance makes the integration smoother.
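The following script is an added example; it is not part of the Cisco documentation or of the Splunk app, and it checks the prerequisites above from a host on the firewall's syslog path before you run the wizard. It renders a Splunk inputs.conf stanza for a TLS syslog input that requires the firewall's device certificate (the certificate you pick in the optional certificate step), tests TCP reachability of the listener, performs a mutual-TLS handshake the way the firewall will and checks that Splunk's certificate chain verifies, and sends one test event. The hostname, port 6514, file paths and the sourcetype name are assumptions; the inputs.conf setting names are Splunk's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Cisco page): prerequisite checks for the Splunk
# TLS syslog input that Firewall Threat Defense devices will stream to.
# Hostnames, port 6514, file paths and the sourcetype name are assumptions.
set -eu

# Render the Splunk inputs.conf stanza for a TLS-protected TCP syslog input.
# Place it in $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/).
# Setting names are Splunk's; the values are assumed. requireClientCert makes
# Splunk demand the firewall's device certificate; the CA that validates that
# client certificate is configured with sslRootCAPath in server.conf.
render_inputs_conf() {
  local port="$1" server_cert="$2" sourcetype="${3:-cisco:ftd:syslog}"
  cat <<EOF
[tcp-ssl://${port}]
sourcetype = ${sourcetype}
connection_host = ip

[SSL]
serverCert = ${server_cert}
requireClientCert = true
sslVersions = tls1.2
EOF
}

# Is the listener reachable? Run this from a host on the same segment as the
# firewall interface you will select in the wizard, since that is the path
# the firewall actually uses.
check_tcp() {
  local host="$1" port="$2"
  timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Handshake as the firewall will: present the device certificate (mutual TLS)
# and validate Splunk's chain against the CA the firewall trusts.
# Prints openssl's "Verify return code" line (empty if no handshake happened).
tls_verify_line() {
  local host="$1" port="$2" ca="$3" cert="$4" key="$5"
  openssl s_client -connect "${host}:${port}" -servername "${host}" \
    -CAfile "${ca}" -cert "${cert}" -key "${key}" </dev/null 2>/dev/null \
    | grep -m1 'Verify return code' || true
}

# openssl prints "Verify return code: 0 (ok)" only when the chain validates;
# any other code means the firewall's TLS session will fail the same way.
verify_ok() {
  case "$1" in
    *'Verify return code: 0 (ok)'*) return 0 ;;
    *) return 1 ;;
  esac
}

# One RFC 5424 message (facility local0, severity info, so PRI 134) that you
# can search for in the index once the handshake succeeds.
build_test_msg() {
  local sender="$1"
  printf '<134>1 %s %s ftd-precheck - - - Splunk TLS input test\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${sender}"
}

# Send the test message over the same mutual-TLS session parameters.
send_test_event() {
  local host="$1" port="$2" ca="$3" cert="$4" key="$5"
  build_test_msg "$(hostname)" | openssl s_client -quiet \
    -connect "${host}:${port}" -servername "${host}" \
    -CAfile "${ca}" -cert "${cert}" -key "${key}" 2>/dev/null
}

# Usage: ./splunk-precheck.sh <splunk-host> <port> <ca.pem> <device-cert.pem> <device-key.pem>
if [ "$#" -eq 5 ]; then
  check_tcp "$1" "$2" || { echo "TCP $1:$2 unreachable; fix routing or ACLs before running the wizard"; exit 1; }
  line="$(tls_verify_line "$1" "$2" "$3" "$4" "$5")"
  verify_ok "$line" || { echo "TLS verification failed: ${line:-no handshake}"; exit 1; }
  send_test_event "$1" "$2" "$3" "$4" "$5"
  echo "OK: reachable, chain verified, test event sent; search Splunk for 'ftd-precheck'"
fi
```

If the handshake fails with a non-zero verify code, fix the certificate chain on the Splunk listener (or the CA the firewall trusts) before configuring the profile; the wizard will not tell you why syslog silently stops arriving. If you do not require client certificates on the Splunk side, drop the `-cert`/`-key` options and the `requireClientCert` line.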

The Splunk integration wizard allows you to create a profile that enables you to stream events and syslog from managed devices to a specific server.

You can create multiple profiles to configure any number of servers for various combinations of devices and events. For example, you can create multiple profiles to send a specific set of events to one server and all the remaining events to a different server. Each profile is independent, but they all apply additively.

To open the Splunk integration wizard, go to Integrations > Splunk.

The steps for configuring Splunk integration in Cloud-Delivered Firewall Management Center are listed below, with the section that describes each step.

  Step 1: Configure the Splunk server (or a similar SIEM tool server). See Configure Splunk Server.

  Step 2: Choose the event types that you want to send to the Splunk server. See Select Event Types.

  Step 3: Specify the devices and the interfaces from which syslog events are sent to Splunk. See Select Devices and Interfaces.

  Step 4: (Optional) Specify the device certificate to be used for sending events securely to Splunk. See Configure Firewall Certificates.

  Step 5: Review the summary of the profile that is being created. See Summary.