I have not yet found a reference to Splunk eStreamer 6 connectivity in the documentation or on the net. Has anyone tested yet whether the app allows pulling eStreamer v6? Is there a roadmap date for when v6 will be supported?
Thanks and regards,
A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:
It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support is obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.
Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.
There is a new add-on for Firepower 6.x customers available right now: https://splunkbase.splunk.com/app/3662/
We have many customers running Firepower 6.0 with Splunk and the current Cisco eStreamer for Splunk App.
I think the issue is the current app doesn't pull in all of the new fields that v6 has to offer.
That is correct. The app was built against the 5.4 API specification. New stuff in 6.0 won't be forwarded.
What fields are you looking for? Do you know?
Looking for an update to both the eStreamer app and accompanying "Splunk Add-on for Cisco FireSIGHT" that's compatible with FMC 6.2.x. Since the field names have changed, the TA is no longer fully CIM compliant with the Intrusion Detection data model...which means info also is missing from Enterprise Security dashboards. This is just one of many possible examples.
I am working on a Splunk implementation for a large Telco... I'll ask, but I'm pretty sure the comment will be all fields as they have an extensive Splunk deployment.
OK good to know. If you can share any specifics or the country it would help me build the case for a new eStreamer app. I can be emailed directly here: firstname.lastname@example.org I track this stuff.
I am looking for all fields, as we use Splunk for our long-term storage since the Defense Center (FireSIGHT) can only hold about a day of our data at best.
There is a plan to build a new app. It's at a very early stage right now. Some number of months, but it is planned.
The current app will work with FireSIGHT 6 but the data set will be the same as with 5.4.
We opened a ticket with Cisco and were pointed towards this bug entry: CSCuz95008
It appears that the Cisco eStreamer for Splunk App (currently v2.2.2) does not support the eStreamer user metadata format, which was changed in 6.0. We are currently using Cisco FMC 18.104.22.168, Splunk 6.5.2 and eStreamer 2.2.2. As a result, our connection events reference a numerical value for the 'user' field instead of the actual username.
In case anyone else is looking for this, I can happily confirm that upgrading FMC and Firepower appliances to 6.2.0 resolves the issue with user IDs (CSCuz95008). We now have correct user IDs populated in the events.
I was able to upgrade our Firepower Appliance to 22.214.171.124 and the issue was resolved.
Does anyone know who we need to pressure to increase the priority of the new version? I lost the detail of meaningful user IDs on the data stream from 5.X to 6.X SourceFire because Cisco (SourceFire) changed the way the internal database deals with user IDs to allow for multiple user realms. All I see now in the stream is the numeric representation of what I assume is a unique identifier for the user in a one-to-many database.
I have taken it to my enterprise rep but have heard nothing. I also have a ticket in on the issue.
Thank you for your replies. It is good to see Cisco extends the functionality. Looking at the Integration side, ArcSight seems to have said that they do not support eStreamer in the future, as they want CEF. I am not surprised to see this development. I just hope that open interfaces remain as important for the players as they are for their customers.
To clarify: we built an eStreamer client that converts the binary output from the API's server to text and into a CEF format. ArcSight is no longer building on their eStreamer client, known as a 'Smart Connector'.
ArcSight has recently certified their Smart Connector to work with Firepower 5.4.x. No new schema items are supported, but it does work with 5.4.
My organization is successfully using eStreamer Version 2.2.1, build 172 with Cisco/Sourcefire 6.0.0 (build 1005). As documented in the release notes, pulling connection events can be hours behind. We had the same delays with Cisco/Sourcefire 5.x. All other eStreamer events are pulled in a timely fashion. I do not know if there is a roadmap for official v6 support. You can try contacting the author of the app.
Are you seeing user IDs?
A new Cisco eStreamer for Splunk client/TA will be available at the end of April. The current app does work with 6.x, but there have been some reported issues.