As of the November 2020 release (OC2020.11), the Open Collector supports log collection for Cisco AMP audit logs. To start collecting Cisco AMP audit logs, update your existing beat. You do not need to provide any extra inputs.
Prerequisites

- The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
- You have the required keys: Cisco Client ID and API Key.
- The following port is open:

| Direction | Port | Protocol | Source |
|---|---|---|---|
| Outbound | 443 | HTTPS | ciscoampbeat |
Initialize the Beat via the Web Console (Recommended)

- Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.
- Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing. Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent section at the above link to configure the System Monitor Agent for JSON Parsing.
- Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.
Initialize the Beat via Command Line (Legacy)

- Confirm the Open Collector is running:

  ./lrctl status

  You should see open_collector and metrics listed. If the Open Collector is not running correctly, see the Troubleshoot the Open Collector topic in the Open Collector Installation and User Guide.
- Start the beat:

  ./lrctl ciscoampbeat start
- Enter the following details. The Cisco AMP Client ID and API Key are saved in encrypted format.
  - Cisco AMP Client ID.
  - Cisco AMP API Key.
  - URL address for your preferred region. The API is location-based and varies depending on where your AMP instance resides. Currently, three regions exist:
    - U.S.: api.amp.cisco.com
    - Asia, Pacific, Japan & China: api.apjc.amp.cisco.com
    - Europe: api.eu.amp.cisco.com
  - Event types. The default value of Event Types is ALL. You can provide multiple Event Type IDs separated by commas. For more information on specific Event Type IDs, see https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv0%2Fevent_types&api_host=api.amp.cisco.com&api_resource=Event+Type&api_version=v0.

  When the beat has been configured, the following confirmation is displayed: "The configuration has been saved and the service has been started successfully."
- Check the status of the service:

  ./lrctl ciscoampbeat status
Default Config Values for CiscoAMPBeat:

| S. No. | Field Name | Default Value |
|---|---|---|
| 1 | HeartbeatInterval | 60s |
| 2 | HeartbeatDisabled | false |
| 3 | Period | 4s |
| 4 | apiKey | User provides this value. |
| 5 | clientID | User provides this value. |
| 6 | eventTypes | User provides this value. (Default: ALL) |
| 7 | limit | 250 |
| 8 | numbackdaysDataAuditLogs | 7 |
| 9 | numbackdaysData | 7 |
| 10 | uriAddress | User provides this value. |
| 11 | version | v1 |
| 12 | throttlingIntervalSecs | 60 seconds |
To avoid throttling (HTTP 429 Too Many Requests errors), do not set the Period parameter below 4 seconds.
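The following pre-flight script is an added example, not part of lrctl or the Open Collector: it checks the values you are about to enter in the command-line steps above (region host, event type IDs, credentials) together with the Period setting against the throttling note, so a typo is caught before the beat is started. The function names, the `Ns` period format and the sample inputs are the example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for ciscoampbeat inputs (added example; assumptions noted inline).

# Accept only the three regional API hosts listed in this topic.
valid_region() {
    case "$1" in
        api.amp.cisco.com|api.apjc.amp.cisco.com|api.eu.amp.cisco.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Event types: the literal ALL, or comma-separated numeric IDs with no blanks
# or trailing commas (the beat splits on commas).
valid_event_types() {
    [ "$1" = "ALL" ] && return 0
    printf '%s' "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$'
}

# Period: assumed to be written as whole seconds with an "s" suffix (e.g. "4s").
# Anything below 4 seconds risks HTTP 429 throttling, per the note above.
valid_period() {
    secs=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)s$/\1/p')
    [ -n "$secs" ] && [ "$secs" -ge 4 ]
}

# Show only the first and last two characters of a secret when reporting.
redact() {
    printf '%s\n' "$1" | sed -E 's/^(..).*(..)$/\1****\2/'
}

# Run every check, report each failure, and return non-zero if any failed.
preflight() {
    region=$1; types=$2; period=$3; client_id=$4; api_key=$5
    rc=0
    valid_region "$region"      || { echo "bad region host: $region"; rc=1; }
    valid_event_types "$types"  || { echo "bad event type list: $types"; rc=1; }
    valid_period "$period"      || { echo "period malformed or below 4s: $period"; rc=1; }
    [ -n "$client_id" ]         || { echo "missing Cisco AMP Client ID"; rc=1; }
    [ -n "$api_key" ]           || { echo "missing Cisco AMP API Key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "inputs ok for client $(redact "$client_id")"
    return $rc
}

# Usage with constructed sample values (not real credentials):
# preflight api.eu.amp.cisco.com ALL 4s example-client-id example-api-key
```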