All Apps and Add-ons

Does Cisco eStreamer for Splunk support eStreamer 6?

Olli1919
Path Finder

Hello,

I have not yet found a reference to Splunk eStreamer 6 connectivity in the documentation or the net. Has anyone tested yet if the app allows to pull eStreamer v6? Is there a roadmap date when v6 will be supported?

Thanks and regards,
Oliver

douglashurd
Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma

douglashurd
Builder

There is a new add on for Firepower 6.x customers available right now: https://splunkbase.splunk.com/app/3662/

0 Karma

douglashurd
Builder

We have many customers running Firepower 6.0 with Splunk and the current Cisco eStreamer for Splunk App.

0 Karma

rsolutions
Path Finder

I think the issue is the current app doesn't pull in all of the new fields that v6 has to offer.

0 Karma

douglashurd
Builder

That is correct. The app was built against the 5.4 API specification. New stuff in 6.0 won't be forwarded.

What fields are you looking for? Do you know?

Doug

0 Karma

ChrisBell04
Communicator

@douglashurd
Looking for an update to both the eStreamer app and accompanying "Splunk Add-on for Cisco FireSIGHT" that's compatible with FMC 6.2.x. Since the field names have changed, the TA is no longer fully CIM compliant with the Intrusion Detection data model...which means info also is missing from Enterprise Security dashboards. This is just one of many possible examples.

0 Karma

rsolutions
Path Finder

I am working on a Splunk implementation for a large Telco... I'll ask, but I'm pretty sure the comment will be all fields as they have an extensive Splunk deployment.

0 Karma

douglashurd
Builder

OK good to know. If you can share any specifics or the country it would help me build the case for a new eStreamer app. I can be emailed directly here: dohurd@cisco.com I track this stuff.

0 Karma

JimGatMBCI
New Member

I am looking for all fields as we use Splunk for our long term storage since the Defense Center (FireSight..) can only hold about a day of our data at best.

0 Karma

douglashurd
Builder

There is a plan to build a new app. Its at a very early stage right now. Some number of months but it is planned.

The current app will work with FireSIGHT 6 but the data set will be the same as with 5.4.

jmartincot
Engager

We opened a ticket with Cisco and were pointed towards this bug entry: CSCuz95008

It appears to be that the Cisco eStreamer for Splunk App (currently v2.2.2) does not support the eStreamer user metadata format which was changed in 6.0. We are currently using Cisco FMC 6.1.0.1, Splunk 6.5.2 and eStreamer 2.2.2. As a result, our connection events reference a numerical value for the 'user' field instead of the actual username.

0 Karma

mikaelbje
Motivator

In case anyone else is looking for this, I can happily confirm that upgrading FMC and Firepower appliances to 6.2.0 resolves the issue with user IDs (CSCuz95008). We now have correct user IDs populated in the events.

0 Karma

jmartincot
Engager

I was able to upgrade our Firepower Appliance to 6.1.0.3 and the issue was resolved.

0 Karma

JimGatMBCI
New Member

Does anyone know who we need to pressure to increase the priority of the new version. I lost detail of meaningful user ID's on the data stream from 5.X to 6.X SourceFire because cisco(SourceFire) changed the way the internal database deals with user ID's to allow for multiple user realms. all I see now in the stream is the numeric representation of what I assume is a unique identifier for the user in a one t many database.
I have taken it to my enterprise rep but have heard nothing. I also have a ticket in on the issue.

0 Karma

Olli1919
Path Finder

Thank you for your replies. It is good to see Cisco extends the functionality. Looking at the Integration side, ArcSight seems to have said that they do not support eStreamer in the future, as they want CEF. I am not surprised to see this development. I just hope that open interfaces remain as important for the players as they are for their customers.

0 Karma

douglashurd
Builder

To clarify. We built an eStreamer client that converts the binary output from the API's Server to text and into a CEF format. Arcsight is no longer building on their eStreamer client known as a 'Smart Connector'.

0 Karma

douglashurd
Builder

Arcsight has recently certified their Smart Connector to work with Firepower 5.4.x./ No new schema items supported but it does work with 5.4.

0 Karma

sjaworski
Communicator

My organization is successfully using estreamer Version 2.2.1, build 172 with Cisco/Sourcefire 6.0.0 (build 1005). As documented in the release notes, pulling connection events can be hours behind. We had the same delays with Cisco/Sourcefire 5.x. All other estreamer events are pulled in a timely fashion. I do not know if there is a roadmap for official v6 support. You can trying contacting the author of the app.

JimGatMBCI
New Member

Are you seeing user ID's

0 Karma

douglashurd
Builder

A new Cisco eStreamer fro Splunk client/TA will be available in the end of April The current app does work with 6.x but there have been some reported issues.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!