I am helping our security team with getting Sourcefire data into Splunk, which took me to the "Cisco eStreamer for Splunk" app.
The first thing for configuring eStreamer is that, I need the security team to create a client certificate and install it in the eStreamer app. However, the security team does not want to give out a cert, which is basically a key to the entire Sourcefire kingdom.
So the question is: Is there a way to install eStreamer so that it is totally under the control of the security team?
In its current shape, that does not seem to be possible, at least not easy. Or is it?
Thanks for any insights.
A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:
eStreamer eNcore
https://splunkbase.splunk.com/app/3662/
eNcore Dashboard
https://splunkbase.splunk.com/app/3663/
It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.
Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.
The certificate that SourceFire creates is for a specific IP address, viz., the address of the Splunk server. It identifies the Splunk server to SourceFire and says I'm a legitimate connection, please send me logs. I suppose someone could steal the certificate and spoof the IP address. Mitigating factors are the certificate can be protected by a password that only the security team would know. Also, the certificate could be transferred by sneakernet from the SourceFire server to the Splunk server. The directory on the Splunk server where the certificate is installed is only accessible by a privileged user.