Manage Logging
Secure Access allows for the logging of events and traffic. You can configure Secure Access to save these logs to either the United States or Europe. Logs can be saved to your own or a Cisco Managed S3 bucket.
Only event data is stored in a data warehouse. This is any data that might appear in a Secure Access report. Configuration data, such as audit logs and policy settings, remains stored by Cisco in California regardless of a change to the data warehouse's location.
Secure Access logs are CSV-formatted, compressed (gzip), and saved every 10 minutes. For more information, see Log Formats and Versioning.
- Note for Experience Insights customers: The process for managing ThousandEyes logs is different from the process for managing Secure Access logs. When you deploy the ThousandEyes agent, your account (which includes your logs) is provisioned by default to the data center in the United States. To move your account to the data center in Europe, contact [email protected].
Where are Logs Stored?
When you create a policy, activity logs are by default saved to the North America – California, US location of the Secure Access data warehouse. You can change the location of the data warehouse to Europe at any time. For more information, see Change the Location of Event Data Logs.
You can optionally configure logging so that logs are also stored in an Amazon S3 bucket, either your own or one managed by Cisco.
Logging to the Secure Access Data Warehouse
The Secure Access data warehouse is the virtual location where your instance of Secure Access stores its event data logs. By default, Secure Access saves your event data logs to Cisco's California location; however, you can change the location of the data warehouse from North America to Europe at any time. For more information, see Change the Location of Event Data Logs.
Logging to Amazon S3
As well as storing logs to one of its data warehouses, Secure Access can store logs to an Amazon S3 bucket.
Uploading your logs to an S3 bucket lets you download them automatically and keep them in perpetuity in backup storage outside of the Secure Access data warehouse storage system. Saving to an S3 bucket also lets you ingest logs through your SIEM or another security tool, which can help you determine whether security events in your Secure Access logs coincide with events in other security tools.
Secure Access Amazon S3 options:
- A self-managed bucket—You own the Amazon S3 bucket, including its configuration and management.
- A Cisco-managed bucket—Cisco Secure Access owns the bucket and sets the configuration and management of it.
Advantages and Disadvantages of Configuring a Cisco-Managed Bucket
Advantages:
- Easy to set up and manage.
- Included with your Secure Access license.
Disadvantages:
- You cannot add anything to your bucket besides log files from Secure Access and the bucket cannot be used by another application.
- Some SIEM integration types (such as QRadar) may require advanced privileges for the user accessing the S3 bucket (beyond the basic Read permissions) and as such, may not work with this feature.
- You cannot get support from Amazon directly for advanced configuration assistance, such as automation or help with the command line.
- Data can only be stored offline for a maximum of 30 days.
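An added example (not Cisco code) of checks a team might run on objects pulled from the bucket before SIEM ingestion: parse a gzip CSV object, flag holes in the 10-minute upload cadence, and list objects nearing the 30-day limit that have not been backed up. The object keys, CSV columns, slack and warning windows are constructed assumptions; the real column layout is described in Log Formats and Versioning, and a hole may simply mean no events were logged in that window.

```python
import csv
import gzip
import io
from datetime import datetime, timedelta, timezone

UPLOAD_INTERVAL = timedelta(minutes=10)  # from the page: logs are saved every 10 minutes
RETENTION = timedelta(days=30)           # from the page: Cisco-managed bucket limit


def read_log(blob):
    """Decompress one gzip log object and parse it as CSV.

    csv.reader keeps a quoted field that contains commas as one field,
    which a plain split(",") would break apart.
    """
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8", newline="") as fh:
        return list(csv.reader(fh))


def delivery_gaps(upload_times, slack=timedelta(minutes=5)):
    """Pairs of consecutive uploads further apart than the interval plus slack."""
    ts = sorted(upload_times)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > UPLOAD_INTERVAL + slack]


def expiring(objects, archived, now, warn=timedelta(days=3)):
    """Keys not yet copied to backup that are within `warn` of the retention limit."""
    return sorted(k for k, t in objects.items()
                  if k not in archived and now - t >= RETENTION - warn)


# --- Constructed sample data: keys and CSV columns are placeholders, not the
# --- real Secure Access key layout or log schema. Times stand in for the
# --- LastModified value of each S3 object.
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=28)
OBJECTS = {
    "example-prefix/a.csv.gz": T0,
    "example-prefix/b.csv.gz": T0 + timedelta(minutes=10),
    "example-prefix/c.csv.gz": T0 + timedelta(minutes=50),  # 40-minute hole
}
ARCHIVED = {"example-prefix/a.csv.gz"}
SAMPLE_BLOB = gzip.compress(
    b'"2024-05-01 12:00:03","host-1","Allowed","a, quoted field"\n')

if __name__ == "__main__":
    print(read_log(SAMPLE_BLOB))
    print(delivery_gaps(OBJECTS.values()))
    print(expiring(OBJECTS, ARCHIVED, NOW))
```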
Updated 7 months ago