eStreamer: how to add a second Firepower FMC

New Member

Hello Team,

How do I add a second FMC/DC to the eStreamer app?

Thanks,
Hello Team,

I have Splunk with the eStreamer application configured with one of my Firepower Management Consoles.
Now I would like to add a second one. How do I do it?
(It looks like this app can be configured with only one FMC?)

Thanks,
Michal


Builder

You need to create a second directory and a second instance of eNcore in order to collect data from two FMCs.


Builder

Multiple FMCs can connect to this version. See below:

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.


Explorer

Yeah, we have a single pair of huge load-balanced HA forwarders, which means we can only download logs from one FMC.

Even if we did have multiple pairs of HA forwarders, how would we configure the app with different FMCs? Our testing has found that the paths are hard-coded in this TA, which means we cannot rename the TA to store two copies in Git. Maybe some clever stuff on the deployment to deploy the vanilla TA and then copy in the forwarder-specific config over the top? Bit messy really.

To be honest, I have yet to find a good reason justifying the pain (and reduced resiliency) that pulling the logs via eStreamer offers over and above syslog logs. Does anyone have any info on exactly what FMC log detail is available over eStreamer compared to syslog? I could really use some justification for the R&D effort to get this TA working in a large enterprise.


Explorer

"Multiple FMCs can connect to this version. "

No - that's a bit misleading @douglashurd - the app supports one FMC. You require multiple copies of the app; however, this does not work because the app cannot be renamed without breaking it, due to absolute paths being used in many places within the app.

You need one heavy forwarder host per FMC, which is madness, as other log collection methods support hundreds or even thousands of hosts for each heavy forwarder depending on specification.

Even if you have multiple heavy forwarders, deployment via a central repository such as Git is challenging, as the apps have the same name, which may force a re-engineering of the deployment methods.

Really needs to support multiple FMCs in the same app. Better yet - just send the same events over syslog and bury the eStreamer protocol....

Not enterprise ready 😞

Builder

We certainly want to move on from eStreamer and it will eventually be replaced with fully qualified events in clear text like syslog direct from the FMC. We've already begun transitioning by offering syslog off the appliance for Intrusion, Connection and File events. I don't have a solid date on the estreamer API however. We're stuck with it for a while.

A number of customers have asked for support for multiple FMCs from the same TA. There's a high-level design, but it's not committed yet.


I tried multiple instances with a rename like this:
$SPLUNK_HOME/etc/apps/TA-eStreamer-boston
$SPLUNK_HOME/etc/apps/TA-eStreamer-detroit

but ran into script issues, as it expects the name to be "TA-eStreamer":
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh clean" find: ‘../../data’: No such file or directory

Explorer

I have done something similar and edited all the associated configuration files. When I restart Splunk, only the original instance is automatically started, although I can force the second instance to run using nohup.

Playing around with both instances, there appear to be some configuration conflicts, as when I attempt to manually start the second instance it starts the first instance as well, but not vice versa.


Explorer

I tried to copy the app in the Splunk directory and configure another FMC IP in the second eNcore add-on. But in the setup page there is only one certificate upload directory; it will overwrite the certificate in the first eNcore add-on. How do I make eNcore support two FMC integrations?

$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/client.pkcs12
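The `find: '../../data'` error in the renamed-directory post above and the single certificate location in this post both come down to paths that assume the add-on lives at `$SPLUNK_HOME/etc/apps/TA-eStreamer`. The following is an added shell illustration of that failure mode beside a script-relative alternative; it is not code from the eNcore add-on, and the `bin/encore` + `data` layout, the `splencore.sh` stand-in script path and the dummy `client.pkcs12` contents are assumptions constructed for the demo, not the real TA's internals.

```shell
#!/bin/sh
# Added illustration, not code from the TA-eStreamer add-on: a helper that
# hard-codes the app name "TA-eStreamer" cannot find its data directory once
# the app is installed under another name, whereas a helper that derives the
# app root from its own location works for any number of renamed copies, each
# with its own client.pkcs12. The directory layout is constructed here purely
# for the demo; the real add-on's internal layout is assumed, not known.
set -u

SPLUNK_HOME=$(cd "$(mktemp -d)" && pwd -P)
export SPLUNK_HOME
trap 'rm -rf "$SPLUNK_HOME"' EXIT

# Two renamed copies of the add-on, as in the earlier post (assumed layout).
for inst in TA-eStreamer-boston TA-eStreamer-detroit; do
    mkdir -p "$SPLUNK_HOME/etc/apps/$inst/bin/encore" \
             "$SPLUNK_HOME/etc/apps/$inst/data"
    printf 'dummy-pkcs12-for-%s\n' "$inst" \
        > "$SPLUNK_HOME/etc/apps/$inst/bin/encore/client.pkcs12"
done

# Fragile: assumes the app directory is literally named TA-eStreamer.
# Prints the data directory on success; returns non-zero when it does not exist.
fragile_data_dir() {
    dir="$SPLUNK_HOME/etc/apps/TA-eStreamer/data"
    [ -d "$dir" ] && printf '%s\n' "$dir"
}

# Robust: derive <app>/ from the script's own path ($1 stands in for $0),
# so bin/encore/../../data resolves inside whichever copy is running.
robust_data_dir() {
    script=$1
    bin_dir=$(cd "$(dirname "$script")" && pwd -P) || return 1
    app_root=$(cd "$bin_dir/../.." && pwd -P) || return 1
    dir="$app_root/data"
    [ -d "$dir" ] && printf '%s\n' "$dir"
}

# Same idea for the certificate: each copy keeps its own client.pkcs12
# next to the script instead of one shared upload location.
instance_cert() {
    script=$1
    bin_dir=$(cd "$(dirname "$script")" && pwd -P) || return 1
    cert="$bin_dir/client.pkcs12"
    [ -f "$cert" ] && printf '%s\n' "$cert"
}

# Stand-alone demo: the hard-coded lookup fails, the script-relative one
# finds a distinct data directory and certificate per instance.
if fragile_data_dir; then
    echo "unexpected: hard-coded path resolved"
else
    echo "hard-coded TA-eStreamer/data not found (same symptom as the ExecProcessor error)"
fi
for inst in TA-eStreamer-boston TA-eStreamer-detroit; do
    s="$SPLUNK_HOME/etc/apps/$inst/bin/encore/splencore.sh"
    echo "$inst -> $(robust_data_dir "$s") / $(instance_cert "$s")"
done
```

The point is only that a per-instance copy has to resolve every path (data directory, certificate, any configuration it reads) relative to its own install location; which of the TA's scripts or configuration files actually hard-code `TA-eStreamer` is not something this thread establishes, so the demo layout is a stand-in.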

Builder

You will need to run a second instance of the Cisco eStreamer for Splunk app for the second FMC. If the second FMC is part of an HA pair then you will get duplicate events.


Path Finder

So, how do we provide redundancy without duplicating the events?

Also could you mention how to install the second instance of the Cisco eStreamer for Splunk app?

Thanks
