Managing Threat Defense Events and Analytics

Event and analytics management can either remain on the on-premises management center or move to Security Cloud Control. If it moves, the devices must be configured to send their events to Security Cloud Control. When you start the migration, you choose which manager the device events are sent to for analytics.

Attention

If you are migrating devices from an on-premises management center 1000, 2500, or 4500, you cannot use that on-premises management center for event management because of its limited availability. Instead, the devices must send their events for analytics to Security Analytics and Logging (OnPrem) or Security Analytics and Logging (SaaS). See Cisco Security Analytics and Logging.

If you select the on-premises management center for analytics, Security Cloud Control becomes the manager of the selected devices, and a copy of those devices is retained on the on-premises management center in analytics-only mode. The devices continue to send events to the on-premises management center, while Security Cloud Control manages their configuration changes.

If you select Security Cloud Control for analytics, Security Cloud Control becomes the manager of the selected devices and deletes them from the on-premises management center. Security Cloud Control then manages both configuration changes and event and analytics management. You must configure the threat defense devices to send events to the Cisco cloud, using either Security Services Exchange or the Secure Event Connector (SEC) to forward events from the devices to Security Analytics and Logging (SAL) in the cloud.

eStreamer Server Streaming

When a threat defense device is managed by the cloud-delivered Firewall Management Center, it sends only fully qualified events (FQE) to eStreamer clients. If you have eStreamer clients configured on the on-premises management center, confirm before you migrate the device to the cloud-delivered Firewall Management Center that those clients support the more detailed FQE data format. Legacy clients, security information and event management (SIEM) systems, and log management solutions that do not support the FQE data format, or that lack the storage to handle the larger volume of FQE data, stop working after the migration.