I have not yet found a reference to Splunk eStreamer 6 connectivity in the documentation or on the net. Has anyone tested yet whether the app allows pulling eStreamer v6? Is there a roadmap date when v6 will be supported?
Thanks and regards,
A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:
It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.
Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.
Looking for an update to both the eStreamer app and accompanying "Splunk Add-on for Cisco FireSIGHT" that's compatible with FMC 6.2.x. Since the field names have changed, the TA is no longer fully CIM compliant with the Intrusion Detection data model...which means info also is missing from Enterprise Security dashboards. This is just one of many possible examples.
There is a plan to build a new app. It's at a very early stage right now. It is some number of months away, but it is planned.
The current app will work with FireSIGHT 6 but the data set will be the same as with 5.4.
We opened a ticket with Cisco and were pointed towards this bug entry: CSCuz95008
It appears that the Cisco eStreamer for Splunk App (currently v2.2.2) does not support the eStreamer user metadata format, which was changed in 6.0. We are currently using Cisco FMC 18.104.22.168, Splunk 6.5.2 and eStreamer 2.2.2. As a result, our connection events reference a numerical value for the 'user' field instead of the actual username.
In case anyone else is looking for this, I can happily confirm that upgrading FMC and Firepower appliances to 6.2.0 resolves the issue with user IDs (CSCuz95008). We now have correct user IDs populated in the events.
Does anyone know who we need to pressure to increase the priority of the new version? I lost detail of meaningful user IDs on the data stream from 5.X to 6.X SourceFire because Cisco (SourceFire) changed the way the internal database deals with user IDs to allow for multiple user realms. All I see now in the stream is the numeric representation of what I assume is a unique identifier for the user in a one-to-many database.
I have taken it to my enterprise rep but have heard nothing. I also have a ticket in on the issue.
Thank you for your replies. It is good to see Cisco extending the functionality. Looking at the integration side, ArcSight seems to have said that they will not support eStreamer in the future, as they want CEF. I am not surprised to see this development. I just hope that open interfaces remain as important for the players as they are for their customers.
To clarify: we built an eStreamer client that converts the binary output from the API server to text and into CEF format. ArcSight is no longer building on their eStreamer client, known as a 'Smart Connector'.
My organization is successfully using eStreamer version 2.2.1, build 172 with Cisco/Sourcefire 6.0.0 (build 1005). As documented in the release notes, pulling connection events can be hours behind. We had the same delays with Cisco/Sourcefire 5.x. All other eStreamer events are pulled in a timely fashion. I do not know if there is a roadmap for official v6 support. You can try contacting the author of the app.