--- title: Cisco Secure Client description: Gain insights into Cisco Secure Client logs. breadcrumbs: Docs > Integrations > Cisco Secure Client --- # Cisco Secure Client Supported OS Integration version1.0.0 Cisco Secure Client OverviewCisco Secure Client OverviewCisco Secure Client VPN Connection InsightsCisco Secure Client VPN Connection InsightsCisco Secure Client VPN Connection InsightsCisco Secure Client VPN Connection Insights ## Overview{% #overview %} [Cisco Secure Client](https://www.cisco.com/site/in/en/products/security/secure-client/index.html) (formerly AnyConnect) provides secure, encrypted VPN access for users connecting to internal resources. It ensures reliable remote connectivity, and handles sessions, licensing, and client version compatibility to maintain consistent security across multiple devices. Integrate Cisco Secure Client with Datadog to gain insights into AnyConnect logs using pre-built dashboard visualizations. Datadog uses its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. The integration can also be used for Cloud SIEM detection rules for enhanced monitoring and security. **Minimum Agent version:** 7.77.0 **Disclaimer**: Your use of this integration, which may collect data that includes personal information, is subject to your agreements with Datadog. Cisco is not responsible for the privacy, security or integrity of any end-user information, including personal data, transmitted through your use of the integration. ## Setup{% #setup %} ### Configuration{% #configuration %} #### Enable log collection{% #enable-log-collection %} 1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file with: ```yaml logs_enabled: true ``` 1. Add the following configuration block to your `cisco_secure_client.d/conf.yaml` file to start collecting your Cisco Secure Client logs: ```yaml logs: - type: tcp # or udp port: service: cisco-secure-client source: cisco-secure-client log_processing_rules: - type: include_at_match name: include_anyconnect_logs pattern: .*(AnyConnect|anyconnect|113038|113039|734001|751025|722053|722054).* ``` See the sample [`cisco_secure_client.d/conf.yaml`](https://github.com/DataDog/integrations-core/blob/master/cisco_secure_client/datadog_checks/cisco_secure_client/data/conf.yaml.example) for available configuration options. **Note**: Do not change the `source` and `service` values, as these parameters are integral to the pipeline's operation. 1. [Restart the Agent](https://docs.datadoghq.com/agent/configuration/agent-commands/#start-stop-and-restart-the-agent). **Note**: To forward Cisco Secure Client logs, you must configure syslog on the Cisco firewall platform that you're using with Cisco Secure Client (FTD, Meraki, or ASA; see below for instructions for each platform). #### Configure Syslog on Cisco FTD Firewall using FMC{% #configure-syslog-on-cisco-ftd-firewall-using-fmc %} 1. Connect to the Cisco Firewall Management Center (FMC) platform. 1. Select **Devices** > **Platform Settings** and create or edit an FTD policy. 1. Select **Syslog** > **Logging Setup**. 1. Check the **Enable Logging** checkbox. 1. Click **Save**. 1. Select **Syslog** > **Syslog Settings**. 1. Check the **Enable Timestamp on Syslog Messages** checkbox. 1. Select **RFC 5424 (yyyy-MM-ddTHH:mm:ssZ)** from the Timestamp Format dropdown list. 1. Click **Save**. 1. Select **Syslog** > **Syslog Server**. 1. Check the **Allow user traffic to pass when TCP syslog server is down** checkbox. 1. Click **Add** to add a new syslog server: - **IP Address**: In the dropdown menu, select a network object that contains the IP address of the syslog server. If a network object is not created, click on the **plus (+)** to create a new network object. - **Protocol**: Click on either TCP or UDP protocol for syslog communication. - **Port**: Enter the port number on which the Datadog Agent is listening. - **Available Zones**: From the **Available Zones** list, click on the interface or zone where the syslog server is reachable, then click **Add** to move it to the **Selected Zones/Interfaces** column. 1. Click **OK**, then click **Save**. 1. Go to **Deploy** > **Deployment** and deploy the policy to assigned devices. The changes are not active until you deploy them. **Note**: The `Port` value should be similar to the port provided in the `Log Collection` section. #### Configure Syslog on Cisco Meraki Firewall{% #configure-syslog-on-cisco-meraki-firewall %} 1. Log in to Cisco Meraki. 1. Navigate to **Network-wide** > **Configure** > **General**. 1. Navigate to **Reporting** > **Syslog Servers**. 1. Click on **Add a syslog server**. 1. Set the following configuration parameters: - **Server Address**: IP address of the syslog server - **Port**: port on which the syslog server is listening - **Protocol**: select TCP or UDP from the dropdown - **Roles**: select **Appliance Event Log** from the dropdown 1. Click **Update syslog servers** to save the configuration. **Note**: The `Port` value should be similar to the port provided in the `Log Collection` section. #### Configure Syslog on Cisco ASA Firewall{% #configure-syslog-on-cisco-asa-firewall %} 1. Connect to the Cisco ASA CLI. 1. Enter the privileged EXEC mode by running the following; enter the password when prompted: ``` enable ``` 1. Enable global configuration mode: ``` configure terminal ``` 1. Enable logging: ``` logging enable ``` 1. Configure syslog log forwarding, replacing the placeholders with the relevant values: - ``: the interface that the syslog server is associated with - ``: the IP address of the syslog server - ``: the port where the syslog server is listening For UDP: ``` logging host udp/ ``` For TCP: ``` logging host tcp/ ``` 1. Set the logging level to debug: ``` logging trap debugging ``` 1. Enable rfc5424 timestamp format in syslog: ``` logging timestamp rfc5424 ``` **Note**: The `port` value should be similar to the port provided in the `Log Collection` section. ### Validation{% #validation %} [Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information) and look for `cisco_secure_client` under the Logs Agent section. ## Data Collected{% #data-collected %} ### Log Collection{% #log-collection %} The Cisco Secure Client integration collects AnyConnect logs. ### Metrics{% #metrics %} The Cisco Secure Client integration does not include any metrics. ### Events{% #events %} The Cisco Secure Client integration does not include any events. ## Troubleshooting{% #troubleshooting %} **Permission denied while port binding:** Binding to a port number under 1024 requires elevated permissions. If you see a **Permission denied** error while port binding in the Agent logs: 1. Grant access to the port using the `setcap` command: ```shell sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent ``` **Note**: Re-run this `setcap` command every time you upgrade the Agent. 1. Verify the setup is correct by running the `getcap` command: ```shell sudo getcap /opt/datadog-agent/bin/agent/agent ``` You should see the following output: ```shell /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep ``` 1. [Restart the Agent](https://docs.datadoghq.com/agent/configuration/agent-commands/#start-stop-and-restart-the-agent). **Data is not being collected:** Make sure that traffic is bypassed from the configured port if the firewall is enabled. **Port already in use:** On systems using syslog, if the Agent listens for logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. By default, syslog listens on port 514. To resolve this error, take **one** of the following steps: - Disable syslog, or - Configure the Agent to listen on a different, available port. Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).