topic Re: Does Cisco eStreamer for Splunk support eStreamer 6? in All Apps and Add-ons

Does Cisco eStreamer for Splunk support eStreamer 6?

Olli1919 — Thu, 11 Feb 2016 17:11:57 GMT

Hello,

I have not yet found a reference to Splunk eStreamer 6 connectivity in the documentation or the net. Has anyone tested yet if the app allows to pull eStreamer v6? Is there a roadmap date when v6 will be supported?

Thanks and regards,
Oliver

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

sjaworski — Thu, 11 Feb 2016 18:14:35 GMT

My organization is successfully using estreamer Version 2.2.1, build 172 with Cisco/Sourcefire 6.0.0 (build 1005). As documented in the release notes, pulling connection events can be hours behind. We had the same delays with Cisco/Sourcefire 5.x. All other estreamer events are pulled in a timely fashion. I do not know if there is a roadmap for official v6 support. You can trying contacting the author of the app.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

douglashurd — Thu, 11 Feb 2016 19:01:21 GMT

There is a plan to build a new app. Its at a very early stage right now. Some number of months but it is planned.

The current app will work with FireSIGHT 6 but the data set will be the same as with 5.4.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

Olli1919 — Fri, 12 Feb 2016 09:27:23 GMT

Thank you for your replies. It is good to see Cisco extends the functionality. Looking at the Integration side, ArcSight seems to have said that they do not support eStreamer in the future, as they want CEF. I am not surprised to see this development. I just hope that open interfaces remain as important for the players as they are for their customers.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

douglashurd — Tue, 22 Mar 2016 16:02:05 GMT

To clarify. We built an eStreamer client that converts the binary output from the API's Server to text and into a CEF format. Arcsight is no longer building on their eStreamer client known as a 'Smart Connector'.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

JimGatMBCI — Mon, 09 May 2016 16:48:54 GMT

Does anyone know who we need to pressure to increase the priority of the new version. I lost detail of meaningful user ID's on the data stream from 5.X to 6.X SourceFire because cisco(SourceFire) changed the way the internal database deals with user ID's to allow for multiple user realms. all I see now in the stream is the numeric representation of what I assume is a unique identifier for the user in a one t many database.
I have taken it to my enterprise rep but have heard nothing. I also have a ticket in on the issue.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

JimGatMBCI — Mon, 09 May 2016 16:49:54 GMT

Are you seeing user ID's

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

douglashurd — Mon, 15 Aug 2016 20:52:27 GMT

We have many customers running Firepower 6.0 with Splunk and the current Cisco eStreamer for Splunk App.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

douglashurd — Mon, 15 Aug 2016 20:53:42 GMT

Arcsight has recently certified their Smart Connector to work with Firepower 5.4.x./ No new schema items supported but it does work with 5.4.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

rsolutions — Mon, 15 Aug 2016 21:43:23 GMT

I think the issue is the current app doesn't pull in all of the new fields that v6 has to offer.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

douglashurd — Tue, 16 Aug 2016 14:35:14 GMT

That is correct. The app was built against the 5.4 API specification. New stuff in 6.0 won't be forwarded.

What fields are you looking for? Do you know?

Doug

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

rsolutions — Tue, 16 Aug 2016 14:37:44 GMT

I am working on a Splunk implementation for a large Telco... I'll ask, but I'm pretty sure the comment will be all fields as they have an extensive Splunk deployment.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

douglashurd — Tue, 16 Aug 2016 14:44:49 GMT

OK good to know. If you can share any specifics or the country it would help me build the case for a new eStreamer app. I can be emailed directly here: dohurd@cisco.com I track this stuff.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

JimGatMBCI — Tue, 16 Aug 2016 15:08:04 GMT

I am looking for all fields as we use Splunk for our long term storage since the Defense Center (FireSight..) can only hold about a day of our data at best.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

jmartincot — Tue, 21 Feb 2017 18:51:36 GMT

We opened a ticket with Cisco and were pointed towards this bug entry: CSCuz95008

It appears to be that the Cisco eStreamer for Splunk App (currently v2.2.2) does not support the eStreamer user metadata format which was changed in 6.0. We are currently using Cisco FMC 6.1.0.1, Splunk 6.5.2 and eStreamer 2.2.2. As a result, our connection events reference a numerical value for the 'user' field instead of the actual username.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

mikaelbje — Fri, 17 Mar 2017 07:20:12 GMT

In case anyone else is looking for this, I can happily confirm that upgrading FMC and Firepower appliances to 6.2.0 resolves the issue with user IDs (CSCuz95008). We now have correct user IDs populated in the events.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

jmartincot — Fri, 17 Mar 2017 15:10:36 GMT

I was able to upgrade our Firepower Appliance to 6.1.0.3 and the issue was resolved.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

douglashurd — Mon, 27 Mar 2017 11:50:49 GMT

A new Cisco eStreamer fro Splunk client/TA will be available in the end of April The current app does work with 6.x but there have been some reported issues.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

ChrisBell04 — Thu, 20 Jul 2017 22:10:48 GMT

@douglashurd
Looking for an update to both the eStreamer app and accompanying "Splunk Add-on for Cisco FireSIGHT" that's compatible with FMC 6.2.x. Since the field names have changed, the TA is no longer fully CIM compliant with the Intrusion Detection data model...which means info also is missing from Enterprise Security dashboards. This is just one of many possible examples.

Re: Does Cisco eStreamer for Splunk support eStreamer 6?

douglashurd — Wed, 02 Aug 2017 16:54:01 GMT

There is a new add on for Firepower 6.x customers available right now: https://splunkbase.splunk.com/app/3662/