Managing Threat Defense Events and Analytics
Event and analytics management can be retained on the on-prem management center or transferred to CDO; in the latter case, the devices must be configured to send events to CDO. When you initiate the migration process, you choose the manager to which the device events are sent for analytics.
Attention: If you are migrating devices from an on-prem management center 1000/2500/4500, it is not possible to use the on-prem management center for managing events due to limited availability. Therefore, you must use Security Analytics and Logging (OnPrem) or Security Analytics and Logging (SaaS) for devices to send events for analytics. See Cisco Security Analytics and Logging.
If you select the on-prem management center for analytics, CDO becomes the manager for selected devices but retains a copy of those devices on the on-prem management center in analytics-only mode. The devices continue to send events to the on-prem management center, and CDO manages the configuration changes.
If you select CDO for analytics, CDO becomes the manager for the selected devices and deletes these devices from the on-prem management center. CDO then manages both configuration changes and event and analytics management. You must configure the threat defense devices to send events to the Cisco cloud. You can use either Security Services Exchange or the Secure Event Connector (SEC) to send events from the devices to Cisco Security Analytics and Logging (SAL) in the cloud.
eStreamer Server Streaming
When you manage a threat defense device with cloud-delivered Firewall Management Center, the device supports sending only fully qualified events (FQE) to eStreamer clients. If you have configured eStreamer clients in the on-prem management center, verify that those clients support the detailed data formats used by FQE before you migrate the device management to cloud-delivered Firewall Management Center. Any legacy clients, security information and event management (SIEM) systems, or log management solutions that do not support the FQE data format, or that lack the storage needed to handle the larger volume of FQE data, will stop working when you migrate.