
Cisco Firepower eStreamer eNcore Add-on for Splunk version 4 Install

Path Finder

I know this version is still in beta; I personally had a lot of issues getting it to install properly. In case it would help someone else, I wanted to provide some notes I wrote up.


Path Finder

You do not need to create a bookmark file. One reason you might want to would be to avoid ingesting old data.


Path Finder

# Where "10.0.0.1" is the IP of your defense center

 

# Install the app through the UI and restart

# Missing steps:
# Edit the '/opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh' and '/opt/splunk/etc/apps/TA-eStreamer/bin/configure.sh' adding the environment variable.
# For most, that will just be uncommenting "#SPLUNK_HOME=/opt/splunk"

# Make sure your cert is located here: /opt/splunk/etc/apps/TA-eStreamer/bin/encore/client.pkcs12

# Instructions:
# For TLS communication with the FMC, running the startup script ($SPLUNK_HOME/bin/bash splencore.sh test) will detail those commands

# I had to change the commands a little bit to get them working in my environment:
/opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test
# Please Enter the FMC IP:10.0.0.1


/opt/splunk/bin/splunk cmd openssl pkcs12 -in /opt/splunk/etc/apps/TA-eStreamer/bin/encore/"client.pkcs12" -clcerts -nokeys -out "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/10.0.0.1-8302_pkcs.cert"
#Enter Import Password:
#MAC verified OK


/opt/splunk/bin/splunk cmd openssl pkcs12 -in /opt/splunk/etc/apps/TA-eStreamer/bin/encore/"client.pkcs12" -nocerts -nodes -out "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/10.0.0.1-8302_pkcs.key"
# Enter Import Password:
# MAC verified OK

Create and update your local folder:

# app.conf
[install]
state = enabled

# encore.conf
[main]
client_enabled = 0
port = 8302
write_packets = 1
host = 10.0.0.1

# inputs.conf
# Where data is written to
[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data]
index = org_ids
disabled = 0

# The current status
[script://./bin/splencore.sh status]
index = org_admin_events
disabled = 0


# Maintain cleanliness every 15 mins - this should never have any output
[script://./bin/splencore.sh clean]
disabled = 0


# The main data source
[script://./bin/splencore.sh start]
disabled = 0

# props.conf
# Sourcetype
[cisco:estreamer:data]
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_PREFIX = \sevent_sec=
# the original 'TIME_PREFIX = event_sec' was being damaged by the 'orig_event_sec' field
# TIME_FORMAT = %s was commented out in the default

# NOTE: (Optional) The following transform replaces the "source" field with the "rec_type_desc"
# value. I find this to be helpful as it creates an efficient way to search your events after indexing
TRANSFORMS-extract_rec_type = estreamer_replace_source



# transforms.conf
[estreamer_replace_source]
DEST_KEY = MetaData:Source
REGEX = \srec_type_desc\=\"([^\"\=]+)"
FORMAT = source::$1

 

/opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test
Please Enter the FMC IP:10.0.0.1
#2020-09-14T14:04:46.643939 Diagnostics INFO Checking that configFilepath (estreamer.conf) exists
#2020-09-14 14:04:46,655 Diagnostics INFO Check certificate
#2020-09-14 14:04:46,655 Diagnostics INFO Creating connection
#2020-09-14 14:04:46,655 Connection INFO Connecting to 10.0.0.1:8302
#2020-09-14 14:04:46,655 Connection INFO Using TLS v1.2
#2020-09-14 14:04:46,892 Diagnostics INFO Creating request message
#2020-09-14 14:04:46,893 Diagnostics INFO Request message=b'0001000200000008ffffffff48900061'
#2020-09-14 14:04:46,893 Diagnostics INFO Sending request message
#2020-09-14 14:04:46,893 Diagnostics INFO Receiving response message
#2020-09-14 14:04:46,902 Diagnostics INFO Response
#2020-09-14 14:04:46,902 Diagnostics INFO Streaming info response
#2020-09-14 14:04:46,902 Diagnostics INFO Connection successful

# control commands:
# /opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh start
# /opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh status
# /opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh stop

If you run into additional issues here, I would suggest enabling/disabling the app and the scripted inputs through the UI.

Also, this app requires the pid and bookmark files in "/opt/splunk/etc/apps/TA-eStreamer/bin/encore"

Also,

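The props.conf change above (TIME_PREFIX = \sevent_sec= instead of event_sec) and the optional source-replacing transform are easy to get wrong without seeing them run. The following is an added example, not code from the original post or from the eNcore add-on: it approximates, in plain Python, how Splunk applies TIME_PREFIX / TIME_FORMAT = %s / MAX_TIMESTAMP_LOOKAHEAD and the estreamer_replace_source REGEX/FORMAT pair to one constructed eStreamer-style key=value line. The sample event, its field values and the exact Splunk search semantics are assumptions made for illustration; the point it demonstrates is that a bare "event_sec" prefix first matches inside "orig_event_sec" and silently stamps the event with the wrong time, while the "\s" anchored prefix does not.

```python
import re
from datetime import datetime, timezone

# Constructed sample line in the key=value shape eNcore writes under
# $SPLUNK_HOME/etc/apps/TA-eStreamer/data. Field names are assumed for
# illustration; the values are made up, not captured from a real FMC.
SAMPLE_EVENT = (
    'rec_type=71 rec_type_desc="Connection Statistics" orig_event_sec=1600092263 '
    'event_sec=1600092286 event_usec=643939 src_ip=10.0.0.23 dest_ip=192.0.2.10'
)


def extract_epoch(event, time_prefix, lookahead=20):
    """Approximate Splunk's timestamp search for TIME_FORMAT = %s:
    locate TIME_PREFIX (a regex), then look at most MAX_TIMESTAMP_LOOKAHEAD
    characters past it and take the first run of digits as epoch seconds."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    digits = re.search(r"\d+", window)
    return int(digits.group(0)) if digits else None


def epoch_to_utc(epoch):
    """Render an epoch value the way _time would display (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def derive_source(event):
    """Apply the estreamer_replace_source transform from the post verbatim:
    REGEX matches ' rec_type_desc="..."' and FORMAT = source::$1 rewrites
    MetaData:Source. Returns None when the field is absent (Splunk would
    then keep the monitor input's file path as source)."""
    m = re.search(r'\srec_type_desc\="([^"\=]+)"', event)
    return "source::" + m.group(1) if m else None


if __name__ == "__main__":
    # Default TIME_PREFIX = event_sec: the regex first hits the "event_sec"
    # inside "orig_event_sec", so the event is stamped with the original
    # (earlier) time rather than the actual event time.
    bad = extract_epoch(SAMPLE_EVENT, r"event_sec")
    # Fixed TIME_PREFIX = \sevent_sec=: the leading whitespace class cannot
    # match before "orig_event_sec" (there is an "_" there), so only the
    # real field is found.
    good = extract_epoch(SAMPLE_EVENT, r"\sevent_sec=")
    print("default prefix ->", bad, epoch_to_utc(bad))
    print("fixed prefix   ->", good, epoch_to_utc(good))
    print("derived source ->", derive_source(SAMPLE_EVENT))
```

If you keep the default prefix, the two timestamps can differ by seconds or by hours depending on how long the connection event was open, which is exactly the kind of skew that breaks time-based correlation in an IDS index; checking a handful of indexed events against the raw event_sec value is a cheap way to confirm the prefix is doing what you expect.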

Loves-to-Learn

Hey Joe, regarding the last line of your post about the bookmarks: did you have to create that bookmark file manually? I get a "Bookmark file <path> not found" error in my estreamer logs.
