
Cisco Firepower eStreamer eNcore Add-on for Splunk version 4 Install

_joe
Communicator

I know this version is still in beta; I personally had a lot of issues getting it to install properly. In case it helps someone else, I wanted to provide some notes I wrote up.

0 Karma

_joe
Communicator

You do not need to create a bookmark file. One reason you might want to would be to avoid ingesting old data.

0 Karma

_joe
Communicator

# Where "10.0.0.1" is the IP of your defense center


# Install the app through the UI and restart

# Missing steps:
# Edit the '/opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh' and '/opt/splunk/etc/apps/TA-eStreamer/bin/configure.sh' adding the environment variable.
# For most, that will just be uncommenting "#SPLUNK_HOME=/opt/splunk"

# Make sure your cert is located here: /opt/splunk/etc/apps/TA-eStreamer/bin/encore/client.pkcs12

# Instructions:
# For TLS communication with the FMC, running the start-up script ($SPLUNK_HOME/bin/bash splencore.sh test) will detail those commands

# I had to change the commands a little bit to get them working in my environment:
/opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test
# Please Enter the FMC IP:10.0.0.1


/opt/splunk/bin/splunk cmd openssl pkcs12 -in /opt/splunk/etc/apps/TA-eStreamer/bin/encore/"client.pkcs12" -clcerts -nokeys -out "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/10.0.0.1-8302_pkcs.cert"
# Enter Import Password:
# MAC verified OK


/opt/splunk/bin/splunk cmd openssl pkcs12 -in /opt/splunk/etc/apps/TA-eStreamer/bin/encore/"client.pkcs12" -nocerts -nodes -out "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/10.0.0.1-8302_pkcs.key"
# Enter Import Password:
# MAC verified OK

Create and update your local folder:

# app.conf
[install]
state = enabled

# encore.conf
[main]
client_enabled = 0
port = 8302
write_packets = 1
host = 10.0.0.1

# inputs.conf
# Where data is written to
[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data]
index = org_ids
disabled = 0

# The current status
[script://./bin/splencore.sh status]
index = org_admin_events
disabled = 0


# Maintain cleanliness every 15 mins - this should never have any output
[script://./bin/splencore.sh clean]
disabled = 0


# The main data source
[script://./bin/splencore.sh start]
disabled = 0

# props.conf
# Sourcetype
[cisco:estreamer:data]
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_PREFIX = \sevent_sec=
# the original 'TIME_PREFIX = event_sec' was being damaged by the 'orig_event_sec' field
# TIME_FORMAT = %s was commented out in the default

# NOTE: (Optional)the following transforms replaces the "source" field with the "rec_type_desc" 
# value. I find this to be helpful as it creates an efficient way to search your events after indexing
TRANSFORMS-extract_rec_type = estreamer_replace_source



# transforms.conf
[estreamer_replace_source]
DEST_KEY = MetaData:Source
REGEX = \srec_type_desc\=\"([^\"\=]+)"
FORMAT = source::$1


/opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test
Please Enter the FMC IP:10.0.0.1
#2020-09-14T14:04:46.643939 Diagnostics INFO Checking that configFilepath (estreamer.conf) exists
#2020-09-14 14:04:46,655 Diagnostics INFO Check certificate
#2020-09-14 14:04:46,655 Diagnostics INFO Creating connection
#2020-09-14 14:04:46,655 Connection INFO Connecting to 10.0.0.1:8302
#2020-09-14 14:04:46,655 Connection INFO Using TLS v1.2
#2020-09-14 14:04:46,892 Diagnostics INFO Creating request message
#2020-09-14 14:04:46,893 Diagnostics INFO Request message=b'0001000200000008ffffffff48900061'
#2020-09-14 14:04:46,893 Diagnostics INFO Sending request message
#2020-09-14 14:04:46,893 Diagnostics INFO Receiving response message
#2020-09-14 14:04:46,902 Diagnostics INFO Response
#2020-09-14 14:04:46,902 Diagnostics INFO Streaming info response
#2020-09-14 14:04:46,902 Diagnostics INFO Connection successful

# control commands:
# /opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh start
# /opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh status
# /opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh stop

If you run into additional issues here, I would suggest enabling/disabling the app and the scripted inputs through the UI.

Also, this app requires the pid and bookmark files in "/opt/splunk/etc/apps/TA-eStreamer/bin/encore"

Also,

0 Karma
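The props.conf and transforms.conf stanzas in the post above can be sanity-checked offline before restarting Splunk. The script below is an added example, not code from the post or from the eNcore add-on: it emulates how Splunk applies TIME_PREFIX / TIME_FORMAT = %s / MAX_TIMESTAMP_LOOKAHEAD and the estreamer_replace_source transform to a few constructed key=value event lines (field names taken from the stanzas, values made up), and shows why the default 'event_sec' prefix was being caught by 'orig_event_sec'. The emulation of Splunk's matching (first regex match, then digits within the lookahead window) is a simplification and an assumption, not Splunk's own code, and the "encore.log" source name is a placeholder.

```python
import re

# Constructed sample events (not real FMC output): flat key=value lines of the
# kind the add-on writes under $SPLUNK_HOME/etc/apps/TA-eStreamer/data. Field
# names come from the stanzas in the post; the values are made up.
SAMPLE_EVENTS = [
    'rec_type=71 rec_type_desc="Connection Statistics" orig_event_sec=1600000000 '
    'event_sec=1600092286 sensor="sensor-1"',
    'rec_type=400 rec_type_desc="Intrusion Event" event_sec=1600092300 '
    'orig_event_sec=1600092100 priority=1',
    'rec_type=500 rec_type_desc="Malware Event" event_sec=1600092400',
    # no rec_type_desc at all: the transform must leave "source" alone
    'rec_type=2 event_sec=1600092500 msg="heartbeat"',
]

# Settings as they appear in the post's props.conf / transforms.conf.
DEFAULT_TIME_PREFIX = r"event_sec="       # the prefix the post says was being damaged
FIXED_TIME_PREFIX = r"\sevent_sec="       # the post's replacement
MAX_TIMESTAMP_LOOKAHEAD = 20
SOURCE_REGEX = r'\srec_type_desc\=\"([^\"\=]+)"'   # from [estreamer_replace_source]


def extract_epoch(event, time_prefix, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Approximate Splunk timestamp extraction with TIME_FORMAT = %s.

    Assumption (a simplification of Splunk's behaviour): the first match of
    TIME_PREFIX is taken, then a run of digits is read from at most
    `lookahead` characters after it.  Returns None if nothing is found.
    """
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    digits = re.match(r"\d+", window)
    return int(digits.group()) if digits else None


def apply_source_transform(event, current_source):
    """Emulate DEST_KEY = MetaData:Source with FORMAT = source::$1.

    If the regex matches, the event's source becomes the rec_type_desc value;
    otherwise Splunk leaves the existing source untouched.
    """
    m = re.search(SOURCE_REGEX, event)
    return m.group(1) if m else current_source


def check_events(events=SAMPLE_EVENTS, current_source="encore.log"):
    """Run both timestamp prefixes and the source transform over each event.

    `current_source` is a placeholder for whatever source Splunk assigned
    before the transform ran (normally the monitored file path).
    """
    results = []
    for event in events:
        results.append({
            "default_epoch": extract_epoch(event, DEFAULT_TIME_PREFIX),
            "fixed_epoch": extract_epoch(event, FIXED_TIME_PREFIX),
            "source": apply_source_transform(event, current_source),
        })
    return results


if __name__ == "__main__":
    for r in check_events():
        flag = "" if r["default_epoch"] == r["fixed_epoch"] else "  <- default prefix grabbed orig_event_sec"
        print(f'{r["source"]:22} default={r["default_epoch"]} fixed={r["fixed_epoch"]}{flag}')
```

Only the first sample line, where orig_event_sec precedes event_sec, gives a different timestamp under the two prefixes; that ordering depends on how the add-on serialises each record type, so the whitespace-anchored prefix is the safe choice regardless. Note that the source transform silently does nothing if rec_type_desc is absent or its value contains a quote or an equals sign, since the capture group excludes both characters.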

nickleif
Loves-to-Learn

Hey joe, regarding the last line of your post about the bookmarks: did you have to create that bookmark file manually? I get a "Bookmark file <path> not found" error in my estreamer logs.

0 Karma