Skip to main content
Skip table of contents

Cisco AMP Beat Collection

This document explains how to initialize the Cisco AMP Beat using the Web Console's cloud-to-cloud functionality. This feature is available only to LRCloud customers.

Prerequisites

Before initializing the Cisco AMP Beat, do the following:

  • Make sure that the customer is an LRCloud customer and has their environment hosted.
  • Check if the Open Collector has been installed in the customer's LRCloud environment on a separate instance. If not, an Open Collector instance must be requested via a support case. 
  • Ensure that the Open Collector log source has been accepted.
  • Check if you have the required keys: Cisco Client ID and API Key.

Apply the Log Source Virtualization Template  

  1. Log in to the Client Console in Cameyo.
  2. Click Deployment Manager from the toolbar.
  3. Click the Log Sources tab.
  4. Double-click the required Open Collector Log Source (such as, {instance}-opencollector.c.e3-hub-753dd405.internal Open Collector).
    The Log Message Source Properties window appears.
  5. Click the Log Source Virtualization tab. 
  6. If not checked, select the Enable Virtualization check box. 
  7. Click Create Virtual Log Sources.
    The Create Virtual Log Sources dialog box appears. 
  8. In the Virtual Log Sources menu, check the Action check box corresponding to "Syslog - Open Collector - Cisco AMP" and "Syslog - Open Collector - CiscoAMPBeat Heartbeat" log source types.
  9. Click  Save.
    The Virtual Log Source(s) created prompt appears.
  10. Click Ok.
  11. Click Apply. 
  12. Click Ok.
    The new Log Sources will appear in the grid as children of your parent log source.
  13. Click the System Monitors tab. 
  14. Select the Action check box corresponding to the (customerid)-dpawc agent. 
  15. Right-click the selection, click Actions and then click Service Restart. 

Initialize the Beat

  1. Log in to the Web Console as a Restricted Administrator User.
  2. On the top navigation bar, click the Administration icon 
     and select Cloud Log Collection.
  3. At the top of the Cloud Log Collection page, click New Log Source.
    The New cloud log collection dialog box appears.
  4. Select the Azure Event Hub - Open Collector tile.
    The Add CiscoAMP Beat Log Source window appears.
  5. Enter the following details:

    Setting

    Default Value

    Description

    NameNot ApplicableEnter the name for this log source.
    Description (Optional)Not ApplicableEnter a description for this log source.
    Client IDNot ApplicableEnter the Cisco AMP EndPoint Client ID (for example, ab1234c123de123a45678a).
    API KeyNot ApplicableEnter the Cisco AMP EndPoint API Key (for example, ab1234ab-12ab-12ab-ab12-123456abcdef).
    URI Address

    Not Applicable

    Enter the Cisco AMP EndPoint URI address for the preferred region. API is location based and varies depending on where your AMP instance resides. Currently, three regions exist:

    Region

    Address

    U.S. api.amp.cisco.com
    Asia, Pacific, Japan, and Chinaapi.apjc.amp.cisco.com
    Europe api.eu.amp.cisco.com
    Event TypesAll

    List the Event log file types that the Open Collector should collect. To collect from all Event Log Types, use the value "ALL". Otherwise, specify each value separated by a comma (,) without spaces. For example: 554696715,1091567628,553648130.

    For more information on specific Event type IDs, see https://api-docs.amp.cisco.com/api_actions/details?

  6. Click Save.

  7. Log in to the Client Console in Cameyo.
  8. Click Deployment Manager from the toolbar.
  9. Click the System Monitors tab. 
  10. Select the Action check box corresponding to the dpwac agent.
  11. Right-click the selection, click Actions and then click Service Restart.

A new log source is created with the provided information based on the virtualized log source that was already created. Collection should start automatically in few minutes.

The Open Collector hosts the log sources. It is recommended to create a new host entity and move the log source to the new host which is done in the log source properties screen and not from the log source grid.

For security, the values entered are encrypted using LRCrypt.

Default Config Values for CiscoAMPBeat

Setting

Field Name

Default Value

1HeartbeatInterval60s 
2HeartbeatDisabledfalse
3Period4s
4

limit

250
5numbackdaysDataAuditLogs7
6numbackdaysData7
7versionv1
8throttlingIntervalSecs60 seconds



JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.