Initialize the Cisco AMP Beat

As of the November 2020 release (OC2020.11), log collection for Cisco AMP audit logs is supported. To start collecting Cisco AMP audit logs, update your existing beat; no extra inputs are required.

Prerequisites

  • The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.

  • You have the required keys: Cisco Client ID and API Key.

  • The following port is open:

    Direction   Port   Protocol   Source
    Outbound    443    HTTPS      ciscoampbeat

Initialize the Beat via the Web Console (Recommended)

  1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

  2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  3. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

  1. Start the beat:

    ./lrctl ciscoampbeat start
    
  2. Use the Up and Down Arrow keys to select New ciscoampbeat instance from the list, and then press Enter.

  3. Enter the unique identifier for this ciscoampbeat instance, and then press Enter.

  4. Enter the Cisco AMP Client ID, and then press Enter.

  5. Enter the Cisco AMP API Key, and then press Enter.

  6. Enter the URL address for your region, and then press Enter:

    The API endpoint is region-specific: use the host for the region in which your AMP instance resides.

    Currently, three regions exist:

    1. U.S.: api.amp.cisco.com

    2. Asia, Pacific, Japan & China: api.apjc.amp.cisco.com

    3. Europe: api.eu.amp.cisco.com

  7. Enter the event types, and then press Enter.

    The default value of Event Types is ALL.

    Multiple event type IDs can be supplied as a comma-separated list.
    For more information on specific event type IDs, see https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv0%2Fevent_types&api_host=api.amp.cisco.com&api_resource=Event+Type&api_version=v0.

  8. Enter the hostname or IP address of the System Monitor Agent that has been Configured for JSON Parsing, and then press Enter.

Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  9. Enter the port on which the System Monitor Agent is configured to listen for JSON data (the default is 5044), and then press Enter.
    The ciscoampbeat service started message appears.

  10. Check the status of the service to confirm that it’s running:

    ./lrctl ciscoampbeat status
    
  11. (Optional) Edit the ciscoampbeat configuration to update the values set above if needed. Have the information for every step at hand, because you will need to re-enter all of it:

    ./lrctl ciscoampbeat config edit
    

Default Config Values for CiscoAMPBeat:

    S. No.   Field Name                 Default Value
    1.       HeartbeatInterval          60s
    2.       HeartbeatDisabled          false
    3.       Period                     4s
    4.       apiKey                     User provides this value.
    5.       clientID                   User provides this value.
    6.       eventTypes                 User provides this value. (Default: All)
    7.       limit                      250
    8.       numbackdaysDataAuditLogs   7
    9.       numbackdaysData            7
    10.      uriAddress                 User provides this value.
    11.      version                    v1
    12.      throttlingIntervalSecs     60 seconds

To avoid throttling (HTTP 429 Too Many Requests), do not set the Period parameter below 4 seconds.
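The command-line procedure above is an interactive wizard, so a mistyped region host, event type list, or Period value is only discovered once the beat is running. The following pre-flight script is an added example and is not part of the Open Collector or the lrctl tool; it checks the values you are about to enter against what this page documents. The region hosts, the ALL default, the 5044 port default and the 4-second Period floor come from the page; the function names, the short region labels (us, apjc, eu) and the use of nc for the outbound port check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not LogRhythm's code): validate ciscoampbeat inputs before
# running "./lrctl ciscoampbeat start" or "./lrctl ciscoampbeat config edit".

MIN_PERIOD_SECS=4        # documented floor for the Period parameter (avoids HTTP 429)
DEFAULT_AGENT_PORT=5044  # documented default System Monitor Agent JSON port

# Map a short region label (assumed labels: us, apjc, eu) to the documented API host.
amp_region_host() {
    case "$1" in
        us|US)     echo "api.amp.cisco.com" ;;
        apjc|APJC) echo "api.apjc.amp.cisco.com" ;;
        eu|EU)     echo "api.eu.amp.cisco.com" ;;
        *)         return 1 ;;
    esac
}

# Event types must be ALL or a comma-separated list of numeric event type IDs.
amp_valid_event_types() {
    case "$1" in
        ALL|all) return 0 ;;
    esac
    echo "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$'
}

# Period must be a whole number of seconds ("4s" or "4") at or above the floor.
amp_valid_period() {
    secs=$(echo "$1" | sed -E 's/^([0-9]+)s?$/\1/')
    case "$secs" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$secs" -ge "$MIN_PERIOD_SECS" ]
}

# Agent port must be a number in the valid TCP range; defaults to 5044 when empty.
amp_agent_port() {
    port=${1:-$DEFAULT_AGENT_PORT}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] && echo "$port"
}

# Confirm outbound TCP 443 to the chosen regional host is open (requires nc).
# Not exercised offline; run it manually from the Open Collector host.
amp_check_outbound_443() {
    host=$(amp_region_host "$1") || { echo "unknown region: $1" >&2; return 1; }
    nc -z -w 5 "$host" 443
}

# Usage: sh preflight.sh eu "1107296274,553648143" 4s 5044
if [ "$#" -ge 3 ]; then
    amp_region_host "$1" >/dev/null   || { echo "bad region: $1" >&2; exit 1; }
    amp_valid_event_types "$2"        || { echo "bad event types: $2" >&2; exit 1; }
    amp_valid_period "$3"             || { echo "Period below ${MIN_PERIOD_SECS}s: $3" >&2; exit 1; }
    amp_agent_port "$4" >/dev/null    || { echo "bad agent port: $4" >&2; exit 1; }
    echo "inputs look valid for host $(amp_region_host "$1")"
fi
```

The event type IDs in the usage line are constructed placeholders; substitute IDs from the Cisco event types endpoint linked in step 7. The Period check is deliberately strict about the 4-second floor because the throttling note above ties anything lower to 429 responses from the API.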