FAQ
Cisco public

Security Analytics and Logging
Getting Started and Frequently Asked Questions

© 2021 Cisco and/or its affiliates. All rights reserved. Page 1 of 11


Introduction

Cisco Security Analytics and Logging (SAL) is a Central Log Management (CLM) and Advanced Threat
Detection service which delivers scalable Cisco firewall logging and correlated analytics. Central logging
assists in providing visibility, helps troubleshoot network access issues including disruptions, and enables
device and overall network health monitoring. Analytics provides detections against advanced threats. The
service is available in two delivery models:

(a) SAL (SaaS): A hosted Software as a Service (SaaS) which provides storage in the cloud

(b) SAL (On prem): A service which runs on Secure Network Analytics (SNA, formerly Stealthwatch
Enterprise) appliances, hardware or virtual, to store logs in the customers’ own premises

The hosted service connects SAL’s cloud data store to Cisco’s firewall cloud manager, the Cisco Defense
Orchestrator (CDO) via APIs. Similarly, SAL’s on-premises data store is connected via APIs to Cisco’s
on-prem central manager, the Firewall Management Center (FMC). These integrations are enabled by easy
logging configurations, and allow existing capabilities of the managers such as reporting and dashboarding
to utilize logs in SAL for enhanced context, scale and lookback period.

In addition, SAL (SaaS) enables advanced threat detections using non-signature based behavioral
algorithms that can be applied to firewall logs. SAL also provides the option to correlate raw firewall logs
with private network and/or public cloud logs in Secure Cloud Analytics (SCA) for end-to-end visibility and
automated threat detections across the perimeter, private network and public cloud infrastructures. These
analytics and aggregation features are currently available in SAL (SaaS), and are roadmapped to be
available on SAL (Op) in the future. (The original document includes a high-level block diagram of the
architecture at this point; it is not reproduced in this text extraction.)



SAL (SaaS) supports cloud logging for ALL Cisco Firepower Threat Defense (FTD) next generation
firewalls as well as all Cisco Adaptive Security Appliance (ASA) devices, independent of their management
platform, be it Firewall Management Center (FMC), Cisco Security Manager (CSM), Cisco Defense
Orchestrator (CDO), Firepower Device Manager (FDM), or Adaptive Security Device Manager (ASDM).
SAL (On Prem) currently supports ALL FTD/ NGIPS logging, with FTD-Data Plane and ASA platform
logging coming in the fall of 2021. This guide outlines the steps necessary to send and analyze Cisco
firewall logs in the cloud and on premises using SAL (SaaS) and SAL (Op) respectively.

Steps to Enable SAL (SaaS)


Step 1: SAL (SaaS) trial OR Term Subscription License
● Initiate a 60-day free trial; contact sal-saas-trials@[Link] for queries. OR
● Purchase term-based SAL (SaaS) licenses from the Cisco Commerce Website (CCW), using PID SAL-SUB and
choosing the ‘Cloud Data Store’ option. Refer to the SAL Ordering Guide for more details.
● Purchase SAL (SaaS) via Choice EA 2.0 using ATO PID: E2F-SEC-SAL
● Purchase via the Cisco Secure Firewall Small Business Edition Offer (available with FPR 1010 only)
Note: An Estimator Tool is also available for estimating licensing volume (GB/day). SAL licensing is based
on uncompressed log volume and is billed on a GB/day meter.

Step 2: Cisco Defense Orchestrator account for log viewing


● For existing Cisco Defense Orchestrator users: Specify the tenant name of the existing account you wish to
use at the time of ordering SAL licenses/ initiating the SAL trial.
● For new users: A SAL Trial or License will trigger creation of a new Cisco Defense Orchestrator
tenant free of charge, which does not require management of Firewalls in Cisco Defense
Orchestrator, or purchase of a separate Cisco Defense Orchestrator license.
Contact cdosales@[Link] for queries.
Step 3: Set up connectors for SAL (Cloud)
● After setting up a CDO account, install an on-premises Secure Device Connector (SDC), either
on a CDO VM or your own VM. This step is required even if you do not wish to manage any Firewalls
using CDO. Furthermore, a single SAL/CDO tenant now supports multiple SECs and Cloud SDCs.
● For sending logs to the cloud, SAL uses a Secure Event Connector (SEC), which runs as a container
on the on-premises Secure Device Connector (SDC) set up earlier. The exception to this SDC/ SEC
requirement is when logging FDM/ CDO managed FTDs running Firepower version 6.5 or later,
which can instead send logs direct-to-cloud without an SDC/ SEC. FMC 7.0 simplifies
direct-to-cloud configuration under the Integrations tab in the Systems menu.
Step 4: Pointing FTD and ASA logs to the SEC
● Once the SEC has been set up in step 3, the next step is to configure the SEC as an external
destination for FTD/ ASA logs. The SEC supports only Syslog and NetFlow Security Event Logs
(NSEL), over UDP and TCP.
● The procedure for pointing syslog differs for each supported manager: FMC, FDM, CSM, ASDM, or
CDO. Refer to the individual product guides for the procedure to point FTD and ASA Syslog to the SEC.
Note: The SEC does not listen on the standard TCP/ UDP ports for Syslog/ NetFlow. Refer to the SEC setup
guide for details.



Step 5: Analyzing your events
Based on the SAL license you have purchased, you can analyze events in the following ways:
Logging and Troubleshooting License
● Once the SEC has been set up and logs are flowing to the SAL Cloud, logs are viewable by navigating
to ‘Monitoring’ and ‘Events Logging’ in the CDO menu bar.
● The event viewer displays live and historical events, which can be searched, filtered and
downloaded. The default view goes back 90 days, with 1-, 2- or 3-year options available.
Logging Analytics and Detection License, using Secure Cloud Analytics
● For behavioral threat detections, navigate to the ‘Monitoring’ → ‘Security Analytics’ page in the CDO
menu bar.
● The Security Analytics tab cross-launches into Secure Cloud Analytics for viewing open alerts and
observations, based on firewall logs only. This can be expanded into the private network or public
cloud.
Total Network Analytics and Detection License, using Secure Cloud Analytics
● For combining firewall logs with Private Network Flow (NetFlow) data, a Secure Cloud Analytics
Virtual Sensor must be installed to receive internal network flow data.
● Once installed and enabled, firewall logs and internal traffic logs are analyzed for aggregated threat
detection by Secure Cloud Analytics. Public cloud logs can also be included in the same Secure
Cloud Analytics instance for analysis. To merge an existing SCA account with a SAL (SaaS)
account, email swatch-support@[Link].
● The detections available for SAL analytics depend on the log sources enabled (Firewall, Private
Network, Public Cloud), and can be viewed in the Secure Cloud Analytics Alerts Guide.

Steps to Enable SAL (On prem)


Step 1: Appliance requirements
● SAL (On prem) currently runs as an app on Secure Network Analytics (SNA) appliances, as follows:
o A single-node appliance, which is a dedicated and repurposed SNA Management
Console SMC-2210-K9 hardware appliance, or an SMC Virtual Edition.
o A multi-node appliance, which comprises an SNA SMC-2210, an SNA Flow Collector FC-4210,
and an SNA 3-node Data Store cluster DS-6200. All appliances can be hardware or virtual editions.
● The hardware appliances can be purchased via CCW as specified in the Stealthwatch Ordering
Guide. Note that the appliances must run SWE software version 7.3 or later for the SAL (On prem)
app.
● SAL (On prem) can also be run on a virtual appliance, available as a free download by navigating
to [Link] and following these paths:
o SNA Mgt Console: Security > Network Visibility and Segmentation > Stealthwatch >
Stealthwatch Management Console Virtual Appliance > Stealthwatch System Software
– 7.3.2.



o SNA Flow Collector: Security > Network Visibility and Segmentation > Stealthwatch >
Stealthwatch Flow Collector Virtual Appliance > Stealthwatch System Software – 7.3.2
> Flow Collector NetFlow ISO installer
o SNA Data Store: Security > Network Visibility and Segmentation > Stealthwatch >
Stealthwatch Data Store Virtual Appliance > Stealthwatch System Software – 7.3.2.
● The recommended specifications of the virtual machine hosting the appliances to meet the scale
specifications of SAL (On prem) can be found in the documentation here.
Step 2: Cisco Security Analytics and Logging (On Premises) Licenses
● Purchase term-based SAL (On Prem) licenses from the Cisco Commerce Website, using PID SAL-SUB
and choosing the ‘On Premise Data Store’ option. Refer to the SAL Ordering Guide for more details.
● SAL (On prem) licenses are based on daily volume of logging and are Cisco Smart enabled. The
licenses therefore need to be loaded into a customer Smart Account for usage tracking.
Note: An Estimator Tool is also available for estimating licensing volume (GB/day). SAL licensing is based
on uncompressed log volume and is billed on a GB/day meter.
Step 3: Configure FTDs to send logs to SAL (Op): to the SMC (single-node) or the Flow Collector (multi-node)
● Once the Secure Network Analytics appliances, hardware or virtual as the case may be, have been
configured with Secure Network Analytics version 7.3.1 or later and the SAL (On Prem) app has
been installed, the Firepower device needs to be configured to send syslog via UDP on port 8514 to
this destination. Refer to the configuration guide for more details. In FMC 7.0 and later, this
configuration has been simplified by a wizard accessible under the ‘Systems’ menu icon at the top
right of the FMC console UI.
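The block below is an added example, not code from the Cisco document: it sends a constructed ASA/FTD-style syslog event over UDP or TCP and confirms the collector received it byte-for-byte. It serves as a connectivity check for both the firewall-to-SEC hop in Step 4 of the SaaS procedure (syslog/NSEL over UDP or TCP) and the UDP 8514 hop to the SMC or Flow Collector in Step 3 above. A loopback listener stands in for the collector so the script runs offline; the SEC's listening ports are not given on this page, so host and port are parameters. Because UDP is unacknowledged, a successful send proves nothing on its own: after pointing a real firewall at the collector, confirm the events appear in the event viewer.

```python
"""Added example (not from the Cisco document): send a constructed ASA/FTD-style
syslog event to a collector over UDP or TCP and confirm it arrived. A loopback
listener stands in for the SEC or SNA collector so the script runs offline."""
import socket
import threading

# Constructed sample event in the RFC 3164 form ASA/FTD emit.
# PRI <166> = facility local4 (20) * 8 + severity 6 (informational).
SAMPLE_EVENT = (
    "<166>%ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.10/443 (203.0.113.10/443) "
    "to inside:10.0.0.5/51234 (10.0.0.5/51234)"
)


def parse_pri(message):
    """Return (facility, severity) from the leading <PRI> field, or None."""
    end = message.find(">")
    if not message.startswith("<") or end < 2 or not message[1:end].isdigit():
        return None
    pri = int(message[1:end])
    return pri // 8, pri % 8


def send_syslog(message, host, port, proto="udp"):
    """Send one event: a single datagram for UDP, or newline-terminated for TCP
    (RFC 6587 non-transparent framing, which syslog-over-TCP receivers accept)."""
    data = message.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (host, port))
    elif proto == "tcp":
        with socket.create_connection((host, port), timeout=5) as sock:
            sock.sendall(data + b"\n")
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")
    return len(data)


def start_listener(proto, host="127.0.0.1", port=0, timeout=5):
    """Bind a one-shot stand-in collector (port 0 = ephemeral) that receives
    one event on a background thread. Returns (bound_port, result, thread)."""
    result = {"data": None}
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.bind((host, port))
    if proto == "tcp":
        sock.listen(1)
    sock.settimeout(timeout)
    bound_port = sock.getsockname()[1]

    def run():
        try:
            if proto == "udp":
                result["data"] = sock.recvfrom(65535)[0]
            else:
                conn, _ = sock.accept()
                with conn:
                    conn.settimeout(timeout)
                    buf = b""
                    while not buf.endswith(b"\n"):  # read up to the frame delimiter
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        buf += chunk
                    result["data"] = buf.rstrip(b"\n")
        except socket.timeout:
            result["data"] = None
        finally:
            sock.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return bound_port, result, thread


def check_delivery(proto, message=SAMPLE_EVENT):
    """Loopback end-to-end check: did the collector receive exactly what was sent?
    UDP is unacknowledged, so a successful sendto() alone proves nothing."""
    port, result, thread = start_listener(proto)
    send_syslog(message, "127.0.0.1", port, proto)
    thread.join(6)
    return result["data"] == message.encode("utf-8")


if __name__ == "__main__":
    print("PRI:", parse_pri(SAMPLE_EVENT))          # (20, 6)
    print("UDP delivered:", check_delivery("udp"))  # True
    print("TCP delivered:", check_delivery("tcp"))  # True
```

To exercise a real collector instead of the loopback stand-in, call send_syslog(SAMPLE_EVENT, collector_host, collector_port, "udp") with the port from the SEC setup guide (or 8514 for SAL On Prem) and then look for message ID 302013 in the event viewer; parse_pri is there so you can confirm the severity your logging level actually emits before you size the license.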
Step 4: Accessing log data in FMC and the SNA Management Console
● The firewall log data rests in the SNA appliances, and a consolidated event viewer on the SNA
Management Console allows viewing of the logs sent to it. The event viewer is accessible by navigating
to the ‘Security Analytics and Logging On Prem’ sub-menu under the main Dashboards tab in the user
interface.
● In addition, an FMC user can use the firewall logs in the SNA data store to populate the event
viewers, reporting and dashboards in FMC via APIs. The API connectivity is established during the
initial configuration process, and the user needs to choose either the ‘Automatic’ or ‘Extended’ data
sources option in the FMC to access this much larger pool of data. The ‘Local’ option restricts
the FMC to its onboard storage and does not make use of SAL (Op) data.
Step 5: Context pivot/ Cross Launch
● An additional feature of SAL (On Prem) is that it allows the user to take a context from their FMC
dashboard, an Initiator IP for example, and cross-launch directly into the SAL (Op) event viewer by
right-clicking and choosing the Stealthwatch sub-menu. The one-time configuration to enable this
feature is done in the FMC by entering the SMC URL hostname or IP address under the Security
Analytics and Logging sub-menu in the main Settings tab at the top right of the FMC interface.



Retention Period in Cloud and On-premises
● The retention period for SAL (SaaS), the hosted Cloud Logging solution, defaults to 90 days of rolling
storage, irrespective of the logging rate and licensed capacity. Options exist to extend the log
retention period to 1, 2, or 3 years. All retained data is readily available in the event viewer and
for download, and is essentially ‘hot’ storage.
● SAL (Op), on the other hand, does not have a ‘fixed storage term’. Instead, retention is a function of
the logging rate and the appliance configuration/ size chosen. Even for a given logging rate and
appliance specification, retention periods can vary based on average event size, which is
environment dependent. However, under average deployment conditions, the retention periods that can
be expected are specified in the table below. Please note that the numbers are indicative and not
definitive, and should be used accordingly.

Expected Retention period (table not reproduced in this text extraction)



A SAL feature matrix is appended below, providing a cheat-sheet of the features of each service
delivery model, to help guide the user in choosing what works best for their environment and needs.
(Feature matrix not reproduced in this text extraction.)



FAQs

Q. What is Cisco Security Analytics and Logging (SAL) and how does it work?
A. Cisco Security Analytics and Logging is a central log management and analytics service. It is offered
as a hosted Software as a Service, SAL (SaaS), that logs Cisco Firewall data securely in Cisco’s cloud,
as well as an on-premises service, SAL (On prem), that logs to a customer-hosted appliance. SAL
(SaaS) enables firewall log viewing in CDO, and associates a Secure Cloud Analytics instance for
advanced threat detections based on firewall logs. SAL (SaaS) users do NOT need a separate CDO or
SCA license, but get the right to use both products for SAL related outcomes. Similarly, SAL (On prem)
license holders get the right to use a free Stealthwatch Management Console (SMC) virtual appliance,
or they can purchase an SMC hardware appliance from Cisco for purposes of log storage.

Q. How can I buy SAL (SaaS) and SAL (Op), and how is it licensed?
A. It is purchased a-la-carte from CCW using Product ID SAL-SUB. SAL (SaaS) is also available via Enterprise
Agreement 2.0 using E2F-SEC-SAL, with SAL (Op) in fall 2020 under the same ATO. SAL has three
nested licenses, which are based on daily volume. Entitlement is based on uncompressed logging
volume in Gigabytes per day (GB/day) made available to SAL for storage & analysis.

Q. How much storage do I get with Security Analytics and Logging (SaaS) in the cloud?
A. When you buy a certain daily volume license in GB/day, you are entitled to send that volume of logs to
SAL every day. The daily volume of SAL (SaaS) comes with a default storage period of the most
recent 90 days of logs. For example, a 10GB/day license entitles the user to 90 days * 10GB/day =
900 GB of cloud storage. Any volume sent above the daily entitlement is throttled neither at ingest nor
during storage. Therefore, the storage will expand, and data in excess of the entitled 900
GB is not discarded. Instead, an overage bill may be issued for that month only.

Q. Explain to me how overage is calculated for SAL (SaaS)?


A. Overage is a monthly true-up that is done at the end of every calendar month. At the end of the
calendar month the aggregate of all data sent is compared against the monthly entitlement, the latter
being obtained by adding the daily entitlement for every day of the month. If the monthly aggregate
exceeds the summed daily entitlement, Cisco reserves the right to generate an overage bill. The
calculation is best illustrated by an example.
E.g., for a SAL (SaaS) license volume of 10GB/day in a 30-day month, say the total data made
available to SAL (SaaS) was 450 GB. This volume can be determined from the historical tab in the
event viewer. The monthly entitlement is 30 days * 10GB/day = 300 GB, so the overage is
(450GB - 300GB)/30 days = 5GB/day. A bill for 5 GB/day may be
generated, at the pricing rate of 1GB/day for 1 month.
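The block below is an added example, not part of the Cisco document, covering the Estimator Tool note under Step 1 of both enablement procedures and the storage and overage FAQs above. It estimates uncompressed GB/day from constructed sample firewall events and an observed event rate, rounds that up to a licensable whole GB/day with burst headroom, and applies the end-of-month true-up exactly as the FAQ describes: sum the daily entitlement over the calendar month, compare with the month's aggregate, and express any excess as GB/day over that month. It goes slightly beyond the FAQ's 30-day case by taking the month length from the calendar. Decimal gigabytes (10^9 bytes), one newline per event and the 20% headroom are assumptions; the page does not state them.

```python
"""Added example (not from the Cisco document): size a SAL licence from sample
firewall events and an observed event rate, then apply the end-of-month true-up
described in the FAQ. Assumptions: decimal GB (10^9 bytes), one trailing newline
per event, and 20% burst headroom; adjust if the Estimator Tool differs."""
import calendar
import math

GB = 10 ** 9  # assumption: decimal gigabytes, as in the FAQ's worked example

# Constructed sample events in ASA/FTD syslog form (not real traffic).
SAMPLE_EVENTS = [
    "<166>%ASA-6-302013: Built outbound TCP connection 1234 for "
    "outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "<166>%ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.10/443 to "
    "inside:10.0.0.5/51234 duration 0:00:02 bytes 4321 TCP FINs",
    '<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.9/22 '
    'by access-group "outside_in" [0x0, 0x0]',
]


def average_event_bytes(events):
    """Mean uncompressed size per event, counting one newline per event."""
    return sum(len(e.encode("utf-8")) + 1 for e in events) / len(events)


def daily_volume_gb(avg_event_bytes, events_per_second):
    """Projected uncompressed GB/day, the unit SAL licences are metered in."""
    return avg_event_bytes * events_per_second * 86_400 / GB


def recommended_license_gb_per_day(avg_event_bytes, events_per_second, headroom=0.2):
    """Round the projection up to a whole GB/day after adding burst headroom."""
    return math.ceil(daily_volume_gb(avg_event_bytes, events_per_second) * (1 + headroom))


def monthly_true_up(license_gb_per_day, daily_gb, year, month):
    """FAQ rule: monthly entitlement = daily entitlement summed over the month;
    any excess of the month's aggregate over it is billed as GB/day for that month.
    Returns (entitlement_gb, aggregate_gb, overage_gb_per_day)."""
    days = calendar.monthrange(year, month)[1]
    if len(daily_gb) != days:
        raise ValueError(f"expected {days} daily volumes for {year}-{month:02d}")
    entitlement = license_gb_per_day * days
    aggregate = sum(daily_gb)
    overage = max(0.0, aggregate - entitlement) / days
    return entitlement, aggregate, overage


if __name__ == "__main__":
    avg = average_event_bytes(SAMPLE_EVENTS)
    print(f"avg event {avg:.1f} B; at 1000 eps -> {daily_volume_gb(avg, 1000):.2f} GB/day")
    print("recommended licence:", recommended_license_gb_per_day(avg, 1000), "GB/day")
    # The FAQ's own example: 10 GB/day licence, 30-day month, 450 GB sent in total.
    print(monthly_true_up(10, [15.0] * 30, 2021, 6))                  # (300, 450.0, 5.0)
    # A bursty month that stays within the summed entitlement: no overage.
    print(monthly_true_up(10, [20.0] * 10 + [5.0] * 20, 2021, 6))     # (300, 300.0, 0.0)
```

The second true-up call is the practical point: days above the daily rate are not throttled and do not by themselves trigger overage, only the month's aggregate does, so size the licence from the monthly mean rather than the busiest day. Feed average_event_bytes a representative sample from your own firewalls, since event size is what makes two deployments at the same event rate land on different licence tiers.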

Q. How much retention in days do I get with SAL (On prem)?


A. See the expected retention period table in the main document above.

Q. What log types does SAL support?


A. SAL (SaaS) supports Cisco Firewalls, both Firepower Threat Defense (FTD) and Adaptive Security
Appliance (ASA) platforms, independent of the management platform or mode. This includes FTD and ASA
firewalls managed by FMC, CDO, FDM, CSM, ASDM or the ASA CLI. In addition, logs from network endpoints
can also be licensed, and SCA’s public cloud flows included separately. SAL (On Prem) only supports FTD-NGFW
logging as of May 2021, with FTD data plane (LINA) and ASA syslog support coming in the
summer/ fall of 2021.

Q. Where are logs sent to SAL stored?


A. Logs sent to SAL (SaaS) are stored in a cloud-based datacenter located in the Americas or the EU. SAL (Op)
stores its logs on a dedicated, repurposed Stealthwatch Management Console (single node) or a dedicated
data store (multi-node) running Stealthwatch version 7.3.2 or later.

Q. Is SAL a Security Information and Event Management (SIEM) solution?


A. SAL is not a SIEM solution, but rather a Central Log Management solution for Cisco logs. Through this
capability, consolidation of logs is achieved for both log viewing and aggregated analytics. Since SAL is a
Cisco-specific service, it processes those logs with greater efficacy than a third-party SIEM can. However, it
does not replace but complements a SIEM, and allows security alerts and the underlying raw traffic
to be exported to a SIEM using APIs.

Q. Do I need a Smart Account for SAL licenses?


A. SAL (SaaS) licenses are not Smart enabled, whereas SAL (Op) licenses are. Therefore, while SAL (SaaS)
licenses do not need a Smart Account to order and enable, SAL (Op) licenses do.

Q. What appliance requirements are there for SAL (Op)?


A. SAL (On prem) is delivered via a free app, which is installed on Secure Network Analytics hardware or
virtual appliances. The app also runs on a virtual SMC 7.3.2, which is available as a free download by
navigating to [Link] and following the path: Security > Network
Visibility and Segmentation > Stealthwatch > Stealthwatch Management Console Virtual Appliance >
Stealthwatch System Software – 7.3. The recommended specifications of the virtual machine hosting the
app to meet the scale specifications of SAL (On prem) can be found in the documentation here.

Q. How does SAL (SaaS) secure configuration and log data sent to the Cloud?
A. Each account is assigned a tenant identifier that is encoded into the Secure Event Connector (SEC), which
runs on a CDO Secure Device Connector (SDC) hosted either locally or in the customer’s cloud network. The SEC
creates an encrypted HTTPS tunnel to the Cisco Cloud for data transmission. Note that the hop from the
firewall to the SEC is plain syslog/ NSEL over UDP or TCP, so that path should stay on a trusted management
network. For devices running Firepower version 6.5 or later, and for FMC managed FTDs and NGIPS, the
direct-to-cloud route is available without the need to set up an SDC/ SEC. Refer to step 3 of SAL (SaaS)
enablement.

Q. Tell me a little more about the logging analysis capability of SAL?


A. SAL (SaaS) centralizes logs from the entire Cisco fleet of FTD and ASA devices, independent of their
management mode. Both FTD and ASA NSEL (NetFlow Security Event Logs) logs drive Stealthwatch
detections. What this means is that Secure Cloud Analytics dynamic entity modelling techniques use this
firewall data to inform algorithms for advanced threat detections and can trigger all existing private-network
level and some new custom security alerts in SCA. Alerts driven by firewall logs can certainly be used by
themselves to complement firewall rules, but can also be combined with private network and public
cloud logs for full end-to-end visibility.



Q. Can I use SAL (SaaS) and SCA analytics together?
A. Yes. The highest tier license, Total Network Analytics (TA), combines analysis of SAL/ Firewall log data with
data from 10 endpoints per 1GB/day of SAL licensed volume. Therefore, a 10GB/day TA license entitles
100 endpoints. If additional endpoint licenses or cloud logging licenses are necessary,
these can be purchased together with SAL, or a-la-carte via SCA ordering later.

Q. Does SAL integrate with Cisco Threat Response (CTR) and SecureX?
A. Yes. Native CDO and SCA integrations with SecureX are available to SAL (SaaS) users.

Q. How long can logs sent to SAL (SaaS) be retained?


A. Device log data sent to SAL is retained by default for 90 days at no extra charge. One, two, and three-year
data retention plans are available for a nominal license fee.

Q. Can I retrieve log files from SAL (SaaS) in the Cloud or SAL (On prem)?
A. Yes. SAL customers can download their data from the Cisco Cloud onto their local machine.

Q. Do I have to buy CDO to buy SAL (SaaS)?


A. No. SAL’s event viewer in CDO is included as part of the SAL license/ trial.

Q. I have already purchased CDO. Can I add SAL (SaaS)?


A. Yes. CDO management is not mandatory for SAL, but existing CDO accounts can enable SAL.

Q. Is a SAL (SaaS) evaluation trial available?


A. Yes, a no obligation 60-day free trial is available: [Link]

Q. Is SAL (Op) evaluation trial available?


A. Yes. As a part of the Smart Licensing process, a 90-day evaluation of SAL (Op) can be run without
being out of compliance. On expiry of the 90-day evaluation period, a paid SAL (Op) license will need to
be associated with your Smart Account to avoid being out of compliance.

Q. What are the core capabilities available through SAL (SaaS) licenses?
A. There are 3 license tiers for SAL (SaaS):

1. Logging and Troubleshooting: Log storage, viewing and download. Default log retention is 90 days of
rolling storage, with 1-, 2- or 3-year extensions available.
2. Logging Analytics & Detection: Advanced threat detections via Secure Cloud Analytics. Firewall log data
is sent to Secure Cloud Analytics, which can generate alerts specific to firewall logs.
3. Total Network Analytics & Detection: Deploy sensors within the network for private network and public
cloud monitoring.
