Skip to main content
Skip table of contents

Initialize the Cisco AMP Beat

As of the November 2020 release (OC2020.11), we are supporting log collection for Cisco AMP audit logs. To start collecting Cisco AMP audit logs, update your existing beat. You do not need to provide any extra inputs.

Prerequisites

  • The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
  • You have the required keys: Cisco Client ID and API Key.

  • The following port is open:

    Direction

    Port

    Protocol

    Source

    Outbound443HTTPSciscoampbeat

Initialize the Beat

  1. Confirm the Open Collector is running:

    CODE 
    ./lrctl status

    You should see the open_collector and metrics as shown in the following graphic:

    If the Open Collector is not running correctly, see the Troubleshoot the Open Collector topic in the Open Collector Installation and User Guide.

  2. Start the beat:

    CODE 
    ./lrctl ciscoampbeat start

  3. Enter the following details:

    The Cisco AMP Client ID and API key are saved in encrypted format.

    1. Cisco AMP Client ID:

    2. Cisco AMP API Key:

    3. URL Address for preferred region: 

      It’s important to note that the API is location-based and varies depending on where your AMP instance resides.

      Currently, three regions exist:

    4. Event types:

      The default value of Event Types is ALL.

       User can provide multiple Event Type IDs with comma:


      For more information on specific Event type IDs, see https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv0%2Fevent_types&api_host=api.amp.cisco.com&api_resource=Event+Type&api_version=v0.

    The configuration has been saved and the service has been started successfully.

  4. Check the status of the service:

    CODE 
    ./lrctl ciscoampbeat status

Default Config Values for CiscoAMPBeat:

S. No.

Field Name

Default Value

1.HeartbeatInterval60s 
2.HeartbeatDisabledfalse
3.Period4s
4.apiKeyUser provides this value.
5.clientIDUser provides this value.
6.eventTypesUser provides this value. (Default: All)
7.

limit

250
8.numbackdaysDataAuditLogs7
9.numbackdaysData7
10.uriAddressUser provides this value.
11.versionv1
12.throttlingIntervalSecs60 seconds
To avoid throttling issues (429 error for too many requests), do not set the Period parameter below 4 seconds.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close