Cisco Secure Network Analytics

Customer Success Metrics Configuration Guide 7.5.3

An image showing a modern data center with rows of server racks and cabinets, featuring a central aisle and closed white cabinets.

Overview

Customer Success Metrics enables Cisco Secure Network Analytics (formerly Stealthwatch) data to be sent to the cloud so that Cisco can access vital information regarding the deployment, health, performance, and usage of your system.

Enabled: Customer Success Metrics is automatically enabled on your Secure Network Analytics appliances.
Internet Access: Internet access is required for Customer Success Metrics.
Cisco Security Service Exchange: Cisco Security Service Exchange is enabled automatically in v7.5.x and is required for Customer Success Metrics.
Data Files: Secure Network Analytics generates a JSON file with the metrics data. The data is deleted from the appliance immediately after it is sent to the cloud.

This guide includes the following information:

Configuring the Firewall: Configure your network firewall to allow communication from your appliances to the cloud. Refer to Configuring the Network Firewall.
Disabling Customer Success Metrics: To opt out of Customer Success Metrics, refer to Disabling Customer Success Metrics.
Customer Success Metrics: For details about the metrics, refer to Customer Success Metrics Data.

For information on data retention and how to request deletion of usage metrics collected by Cisco, refer to Cisco Secure Network Analytics Privacy Data Sheet.

For assistance, please contact Cisco Support.

Configuring the Network Firewall

To allow communication from your appliances to the cloud, configure your network firewall on your Cisco Secure Network Analytics Manager (formerly Stealthwatch Management Console).

Note: Make sure your appliances have Internet access.

Configuring the Manager

Configure your network firewall to allow communication from your Managers to the following IP addresses and port 443:

api-sse.cisco.com
est.sco.cisco.com
mx*.sse.itd.cisco.com
dex.sse.itd.cisco.com
eventing-ingest.sse.itd.cisco.com

Note: If public DNS is not allowed, make sure you configure the resolution locally on your Managers.

Disabling Customer Success Metrics

Use the following instructions to disable Customer Success Metrics on an appliance.

Log in to your Manager.
Select Configure > Global > Central Management.
Click the [...] (Ellipsis) icon for the appliance. Choose Edit Appliance Configuration.
Click the General tab.
Scroll to the External Services section.
Uncheck the Enable Customer Success Metrics check box.
Click Apply Settings.
Follow the on-screen prompts to save your changes.
On the Central Management Inventory tab, confirm the Appliance Status returns to Connected.
To disable Customer Success Metrics on another appliance, repeat steps 3 through 9.

Customer Success Metrics Data

When Customer Success Metrics is enabled, the metrics are collected in the system and uploaded every 24 hours to the cloud. The data is deleted from the appliance immediately after it is sent to the cloud.

Cisco does not collect identification data such as host groups, IP addresses, user names, or passwords.

For information on data retention and how to request deletion of usage metrics collected by Cisco, refer to Cisco Secure Network Analytics Privacy Data Sheet.

Collection Types

Each metric is collected as one of the following collection types:

App Start: One entry every 1 minute (collects all the data since the application started).
Cumulative: One entry for a 24-hour period
Interval: One entry every 5 minutes (total of 288 entries per 24-hour period)
Snapshot: One entry for the point in time the report is generated

Some of the collection types are collected at different frequencies than the defaults described here, or they may be configured (depending on the application). Refer to Metrics Details for more information.

Metrics Details

The collected data is listed by appliance type. Use Ctrl + F to search the tables by keyword.

Flow Collector

Metric Identification	Description	Collection Type
devices_cache.active	Number of active MAC addresses from ISE in the devices cache.	Snapshot
devices_cache.deleted	Number of deleted MAC addresses from ISE in the devices cache because they have timed out.	Cumulative
devices_cache.dropped	Number of dropped MAC addresses from ISE because the devices cache is full.	Cumulative
devices_cache.new	Number of new MAC addresses from ISE added into the devices cache.	Cumulative
flow_stats.fps	Outbound flows per second in the last minute.	Interval
flow_stats.flows	Inbound flows processed.	Interval
flow_cache.active	Number of active flows in the Flow Collector flow cache.	Snapshot
flow_cache.dropped	Number of flows dropped because the Flow Collector flow cache is full.	Cumulative
flow_cache.ended	Number of flows ended in the Flow Collector flow cache.	Interval
flow_cache.max	Maximum size of the Flow Collector flow cache.	Interval
flow_cache.percentage	Percent of capacity of the Flow Collector flow cache	Interval
flow_cache.started	Number of flows added to the Flow Collector flow cache.	Cumulative
hosts_cache.cached	Number of hosts in the host cache.	Interval

Metric Identification	Description	Collection Type
hosts_cache.deleted	Number of hosts deleted in the host cache.	Cumulative
hosts_cache.dropped	Number of hosts dropped because the host cache is full.	Cumulative
hosts_cache.max	Maximum size of the host cache.	Interval
hosts_cache.new	Number of new hosts added into the host cache.	Cumulative
hosts_cache.percentage	Percent of capacity of the host cache.	Interval
hosts_cache.probationary_deleted	Number of probationary hosts* deleted in the hosts cache. *Probationary hosts are hosts that have never been the source of packets and bytes. These hosts are deleted first when clearing up space in the host cache.	Cumulative
interfaces.fps	Outbound number of interface statistics per second exported to Vertica.	Interval
security_events_cache.active	Number of active security events in the security events cache.	Snapshot
security_events_cache.dropped	Number of security events dropped because the security events cache is full.	Cumulative
security_events_cache.ended	Number of ended security events in the security events cache.	Cumulative
security_events_cache.inserted	Number of security events inserted into the database table.	Interval
security_events_cache.max	Maximum size of the security events cache.	Interval

Metric Identification	Description	Collection Type
security_events_cache.percentage	Percent of capacity of the security events cache.	Interval
security_events_cache.started	Number of started security events in the security events cache.	Cumulative
session_cache.active	Number of active sessions from ISE in the session cache.	Snapshot
session_cache.deleted	Number of deleted sessions from ISE in the session cache.	Cumulative
session_cache.dropped	Number of sessions from ISE dropped because the sessions cache is full.	Cumulative
session_cache.new	Number of new sessions from ISE added into the session cache.	Cumulative
users_cache.active	Number of active users in the users cache.	Snapshot
users_cache.deleted	Number of deleted users in the users cache because they have timed out.	Cumulative
users_cache.dropped	Number of users dropped because the users cache is full.	Cumulative
users_cache.new	Number of new users in the users cache.	Cumulative
reset_hour	Flow Collector reset hour.	N/A
vertica_stats.query_duration_sec_max	Maximum query response time.	Cumulative
vertica_stats.query_duration_sec_min	Minimum query response time.	Cumulative
vertica_stats.query_duration_sec_avg	Average query response time.	Cumulative

Flow Collector StatsD

Metric Identification	Description	Collection Type
exporters.fc_count	Number of exporters per Flow Collector.	Interval
ndr-agent.unprocessable_finding	Number of NDR findings deemed unprocessable.	Cumulative cleared daily
ndr-agent.ownership_registration_failed	Technical detail: Number of certain kind of errors that happened during NDR finding processing.	Cumulative cleared daily
ndr-agent.upload_success	Number of NDR findings successfully processed by the agent.	Cumulative cleared daily
ndr-agent.upload_failure	Number of NDR findings unsuccessfully uploaded by the agent.	Cumulative cleared daily
ndr-agent.processing_failure	Number of failures observed during NDR processing.	Cumulative cleared daily
ndr-agent.processing_success	Number of successfully processed NDR findings.	Cumulative cleared daily
ndr-agent.old_file_delete	Number of files deleted due to being too old.	Cumulative cleared daily
ndr-agent.old_registration_delete	Number of ownership registrations revoked due to being too old.	Cumulative cleared daily

Metric Identification	Description	Collection Type
netflow	Total NetFlow records from all Netflow exporters. Includes NVM records.	Cumulative cleared daily
fs_netflow	Netflow records received from Flow Sensors only.	Cumulative cleared daily
netflow_bytes	Total NetFlow bytes received from any NetFlow exporter. Includes NVM records.	Cumulative cleared daily
fs_netflow_bytes	NetFlow bytes received from Flow Sensors only.	Cumulative cleared daily
sflow	sFlow records received from any sFlow exporter.	Cumulative cleared daily
sflow_bytes	sFlow bytes received from any sFlow exporter.	Cumulative cleared daily
nvm_endpoint	Unique NVM endpoints seen today (before daily reset).	Cumulative cleared daily
nvm_bytes	NVM bytes received (including flow, endpoint, and endpoint_interface records).	Cumulative cleared daily
nvm_netflow	NVM bytes received (including flow, endpoint, and endpoint_interface records).	Cumulative cleared daily
all_sal_event	All Security Analytics and Logging (OnPrem) events received (including Adaptive Security Appliance and non-Adaptive Security Appliance), counted by number of events received.	Cumulative cleared daily
all_sal_bytes	All Security Analytics and Logging (OnPrem)	Cumulative cleared daily

Metric Identification	Description	Collection Type
ftd_sal_event	Security Analytics and Logging (OnPrem) (non-Adaptive Security Appliance) events received from Firepower Threat Defense/NGIPS devices only.	Cumulative cleared daily
ftd_sal_bytes	Security Analytics and Logging (OnPrem) (non-Adaptive Security Appliance) bytes received from Firepower Threat Defense/NGIPS devices only.	Cumulative cleared daily
ftd_lina_bytes	Data Plane bytes received from Firepower Threat Defense devices only.	Cumulative cleared daily
ftd_lina_event	Data Plane events received from Firepower Threat Defense devices only.	Cumulative cleared daily
asa_asa_event	Adaptive Security Appliance events received from Adaptive Security Appliance devices only.	Cumulative cleared daily
asa_asa_bytes	ASA bytes received from Adaptive Security Appliance devices only.	Cumulative cleared daily

Manager

Metric Identification	Description	Collection Type
exporter_cleaner_cleaning_enabled	Indicates whether the Inactive Interfaces and Exporters Cleaner is enabled.	Snapshot
exporter_cleaner_inactive_threshold	Number of hours an exporter can be inactive before it is removed.	Snapshot
exporter_cleaner_using_legacy_cleaner	Indicates whether the Cleaner should use the legacy cleaning functionality.	Snapshot
exporter_cleaner_hours_after_reset	Number of hours after reset that a domain should be cleaned.	Snapshot
exporter_cleaner_interface_without_status_presumed_stale	Indicates whether the Cleaner removes interfaces that were unknown to a Flow Collector at the last reset hour, treating them as inactive.	Snapshot
ndrcoordinator.files_uploaded	Indicates whether Secure Network Analytics deployment works as Data Store.	Snapshot
report_complete	Name of the report and the run-time in milliseconds (Manager only).	N/A
report_params	Filters used when the Manager queries the Flow Collector databases. Data exported per query: maximum number of rows include-interface-data flag fast-query flag exclude-counts flag flows direction filters order-by column default-columns flag Time window start date and time Time window end date and time Number of device ids criteria Number of interface ids criteria	Snapshot Frequency: Per Request
domain.integration_ad_count	Number of AD connections.	Cumulative
domain.rpe_count	Number of role policies configured.	Cumulative
domain.hg_changes_count	Changes to the Host Group configuration.	Cumulative

Manager StatsD

Metric Identification	Description	Collection Type
ndrcoordinator.analytics_enabled	Marks whether Analytics is enabled. 1 if yes, 0 if no.	Snapshot
ndrcoordinator.agents_contacted	Number of NDR agents contacted during the last contact.	Snapshot
ndrcoordinator.processing_errors	Number of errors during NDR finding processing.	Cumulative
ndrcoordinator.files_uploaded	Number of NDR findings uploaded for processing.	Cumulative
ndrevents.processing_errors	Number of files failed to process because the system did not deliver the finding or could not parse the request.	Cumulative
ndrevents.files_uploaded	Number of files that were sent to NDR events for processing.	Cumulative
sna_swing_client_alive	Internal counter of API calls used by SNA Manager Desktop client.	Snapshot
swrm_is_in_use	Response Management: Value is 1 if Response Management is used. Value is 0 if it is not used.	Snapshot
swrm_rules	Response Management: Number of custom rules.	Snapshot
swrm_action_email	Response Management: Number of custom actions of Email type.	Snapshot
swrm_action_syslog_message	Response Management: Number of custom actions of Syslog Message type.	Snapshot
swrm_action_snmp_trap	Response Management: Number of custom actions of SNMP Trap type.	Snapshot
swrm_action_ise_anc	Response management: Number of custom actions of ISE ANC Policy type.	Snapshot
swrm_action_webhook	Response Management: Number of custom actions of Webhook type.	Snapshot
swrm_action_ctr	Response Management: Number of custom actions of threat response Incident type.	Snapshot

Metric Identification	Description	Collection Type
va_ct	Visibility Assessment: Calculated run-time in milliseconds.	Snapshot
va_ce	Visibility Assessment: Number of errors (when calculation crashes).	Snapshot
va_hcs	Visibility Assessment: Host count API response size in bytes (detect excessive response size).	Snapshot
va_ss	Visibility Assessment: Scanners API response size in bytes (detect excessive response size).	Snapshot
va_ses	Visibility Assessment: Security Events API response size in bytes (detect excessive response size).	Snapshot
sal_input_size	Number of entries in the pipeline input queue.	Snapshot Frequency: 1 minute
sal_completed_size	Number of entries in the completed batch queue.	Snapshot Frequency: 1 minute
sal_flush_time	Amount of time in milliseconds since the last pipeline flush. Available with Security Analytics and Logging (OnPrem) Single-node only.	Snapshot Frequency: 1 minute
sal_batches_succeeded	Number of batches successfully written to the file. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_batches_processed	Number of batches that were processed. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_batches_failed	Number of batches that have failed to complete writing to the file. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_files_moved	Number of files moved to the ready directory. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_files_failed	Number of files that have failed to be moved. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_files_discarded	Number of files discarded due to error. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_rows_written	Number of rows written to the referenced file. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_rows_processed	Number of rows that were processed. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_rows_failed	Number of rows that failed to be written. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute

Metric Identification	Description	Collection Type
sal_total_batches_succeeded	Total number of batches successfully written to the file. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_total_batches_processed	Total number of batches that were processed. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_total_batches_failed	Total number of files that have failed to complete writing to the file. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_total_files_moved	Total number of files moved to the ready directory. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_total_files_failed	Total number of files that have failed to be moved. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_total_files_discarded	Total number of files discarded due to error. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_total_rows_written	Total number of rows written to the referenced file. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_total_rows_processed	Total number of rows that were processed. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_total_rows_failed	Total number of rows that failed to be written. Available with Security Analytics and Logging (OnPrem) Single-node only.	App Start Frequency: 1 minute
sal_transformer_<transformer id>	Number of transformation errors in this transformer. Available with Security Analytics and Logging (OnPrem) Single-node only.	Interval Frequency: 1 minute
sal_bytes_per_event	Average number of bytes per event received.	Interval Frequency: 1 minute
sal_bytes_received	Number of bytes received from the UDP server.	Interval Frequency: 1 minute
sal_events_received	Number of events received from the UDP server.	Interval Frequency: 1 minute
sal_total_events_received	Total number of events received by the router.	App Start
sal_events_dropped	Number of unparsable events dropped.	Interval Frequency: 1 minute
sal_total_events_dropped	Total number of unparsable events dropped.	App Start Frequency: 1 minute
sal_events_ignored	Number of ignored/unsupported events.	Interval Frequency: 1 minute
sal_total_events_ignored	Total number of ignored/unsupported events.	App Start Frequency: 1 minute
sal_receive_queue_size	Number of events in the receive queue.	Snapshot Frequency: 1 minute
sal_events_per_second	Ingest rate (events per second).	Interval Frequency: 1 minute
sal_bytes_per_second	Ingest rate (bytes per second).	Interval Frequency: 1 minute
sna_trustsec_report_runs	Number of daily TrustSec report requests.	Cumulative

UDP Director

Metric Identification	Description	Collection Type
sources_count	Number of sources.	Snapshot
rules_count	Number of rules.	Snapshot
packets_unmatched	Maximum unmatched packets.	Snapshot
packets_dropped	Dropped packets eth0.	Snapshot

All Appliances

Metric Identification	Description	Collection Type
platform	Hardware platform (ex: Dell 13G, KVM Virtual Platform).	N/A
serial	Serial number of the appliance.	N/A
version	Secure Network Analytics version number (ex: 7.1.0).	N/A
version_build	Build number (ex: 2018.07.16.2249-0).	N/A
version_patch	Patch number.	N/A
csm_version	Customer Success Metrics code version (ex: 1.0.24-SNAPSHOT).	N/A
power_supply.status	Manager and Flow Collector power supply statistics.	Snapshot
productInstanceName	Smart Licensing product identifier.	N/A

Contacting Support

If you need technical support, please do one of the following:

Contact your local Cisco Partner
Contact Cisco Support
To open a case by web: https://www.cisco.com/c/en/us/support/index.html
For phone support: 1-800-553-2447 (U.S.)
For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Change History

Document Version	Published Date	Description
1_0	August 18, 2025	Initial Version.

Copyright Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

	Cisco Secure Network Analytics System Configuration Guide 7.5.3 A comprehensive guide for configuring Cisco Secure Network Analytics (formerly Stealthwatch) version 7.5.3. This document details the setup and management of various appliances, including Managers, Data Nodes, Flow Collectors, Flow Sensors, and UDP Directors, to establish a secure and visible network environment.
	Cisco Secure Network Analytics SSL/TLS Certificates Guide v7.5.3 A comprehensive guide for managing SSL/TLS certificates on Cisco Secure Network Analytics appliances version 7.5.3, covering installation, replacement, and troubleshooting for enhanced network security.
	Cisco Secure Network Analytics Virtual Edition Appliance Installation Guide 7.5.2 This guide provides detailed instructions for installing Cisco Secure Network Analytics Virtual Edition appliances, including Manager, Data Store, Flow Collector, Flow Sensor, and UDP Director. It covers system requirements, deployment considerations, and configuration steps for network administrators across VMware, KVM, and Nutanix AHV environments.
	Cisco Secure Network Analytics Virtual Edition Appliance Installation Guide 7.5.3 This guide provides detailed instructions for installing Cisco Secure Network Analytics Virtual Edition appliances, including the Manager, Data Store, Flow Collector, Flow Sensor, and UDP Director. It covers system requirements, installation methods for VMware, KVM, and Nutanix AHV, and configuration steps for optimal network traffic analysis and security.
	Cisco Secure Network Analytics Virtual Edition Appliance Installation Guide 7.5.3 Comprehensive guide for installing Cisco Secure Network Analytics Virtual Edition appliances, covering Manager, Data Store, Flow Collector, Flow Sensor, and UDP Director components. Details deployment requirements, compatibility, resource allocation, and installation procedures for VMware, KVM, and Nutanix AHV environments.
	Cisco Secure Network Analytics Virtual Edition Appliance Installation Guide 7.5.2 Comprehensive installation guide for Cisco Secure Network Analytics Virtual Edition appliances (Manager, Data Store, Flow Collector, Flow Sensor, UDP Director) across VMware, KVM, and Nutanix AHV platforms. Covers prerequisites, deployment methods, and configuration steps.
	Cisco Secure Network Analytics Update Guide v7.5.3 Comprehensive guide for updating Cisco Secure Network Analytics (formerly Stealthwatch) appliances to version 7.5.3. Covers prerequisites, download procedures, backup, installation, and troubleshooting for network administrators.
	Cisco Secure Network Analytics Virtual Edition Appliance Installation Guide 7.4.2 This guide details the installation of Cisco Secure Network Analytics Virtual Edition appliances (Manager, Data Store, Flow Collector, Flow Sensor, UDP Director) version 7.4.2. It covers deployment on VMware and KVM, resource requirements, firewall configurations, and system setup.