topic Re: Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs? in All Apps and Add-ons

Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?

kiran331 — Fri, 16 Sep 2016 21:21:38 GMT

What configurations are to be made on the Defense Center and on Cisco eStreamer for Splunk in order to get the IDS/IPS events only? Right now we are getting a huge amount of RNA logs in Splunk. We have enabled Log flows, Log packets in the application, and on the Defense Center everything is enabled. What changes do I have to make to avoid huge amount of logs?

Re: Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?

ddrillic — Sun, 18 Sep 2016 20:10:39 GMT

good discussion about the subject at Cisco eStreamer for Splunk: How to configure inputs.conf to release monitor file when no more data is being added?

Re: Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?

douglashurd — Tue, 20 Sep 2016 15:16:35 GMT

I cannot see the important parts of the estreamer configuration page due to how the screen grab is cropped. By checking the event types you make them available to a requesting client like the Cisco eStreamer App for Splunk.

Uncheck them and the events will not be forwarded.

On the actual eStreamer configuration options page on the Splunk console there is a box you can enable or disable to eliminate flow logs as well.

In the Overview Tab on this page: https://splunkbase.splunk.com/app/1629/ you can see the option.

Re: Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?

kiran331 — Tue, 20 Sep 2016 15:39:50 GMT

HI Douglashurd,

What boxes i have to check on Splunk app if i have to see only IDS/IPS events but not RNS events?

Re: Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?

douglashurd — Tue, 20 Sep 2016 15:44:34 GMT

Just the Intrusion Events. I'd recommend you also check Impact Flag, Intrusion Extra data and Intrusion Event Packet Data if you want the packet payload. Leave everything else unchecked.

Re: Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?

kiran331 — Wed, 21 Sep 2016 17:41:45 GMT

Thanks douglashurd, Do i have to check log flows on the splunk estreamer?

Re: Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?

douglashurd — Wed, 21 Sep 2016 18:21:50 GMT

The flow on/off switch in the Splunk configuration page will only allow flow data to be sent to the Splunk platform if Connection Events (we used to call them RNA flow events) are enabled at the Firepower Management Center eStreamer configuration page other wise they won't be available to splunk.