Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Cisco eStreamer roadmap?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco eStreamer roadmap?
I am helping our security team with getting Sourcefire data into Splunk, which took me to the "Cisco eStreamer for Splunk" app.
The first thing for configuring eStreamer is that, I need the security team to create a client certificate and install it in the eStreamer app. However, the security team does not want to give out a cert, which is basically a key to the entire Sourcefire kingdom.
So the question is: Is there a way to install eStreamer so that it is totally under the control of the security team?
In its current shape, that does not seem to be possible, at least not easy. Or is it?
Thanks for any insights.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:
eStreamer eNcore
https://splunkbase.splunk.com/app/3662/
eNcore Dashboard
https://splunkbase.splunk.com/app/3663/
It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.
Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The certificate that SourceFire creates is for a specific IP address, viz., the address of the Splunk server. It identifies the Splunk server to SourceFire and says I'm a legitimate connection, please send me logs. I suppose someone could steal the certificate and spoof the IP address. Mitigating factors are the certificate can be protected by a password that only the security team would know. Also, the certificate could be transferred by sneakernet from the SourceFire server to the Splunk server. The directory on the Splunk server where the certificate is installed is only accessible by a privileged user.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
