All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Fix Cisco Security Suite eStreamer data not populating problem

philip_w
Explorer
‎08-01-2017 01:55 AM

I found "Sourcefire IPS" section in Cisco Security Suite didn't have any data or chart populated.
Drill down a bit, it's because 2 macros relying on are referring to index=estreamer. In case of using eventgen, simulation data is output to index=main. If we're capturing eStreamer data and not specify index=estream, would also cause the same problem. I suggest Splunk would update the app and take away such dependence.

My interim solution is to have following macros.conf in local to override default macros.conf

[SfeS-estreamer-logs]
definition = sourcetype=estreamer OR sourcetype=cisco:sourcefire

[SfeS-client-check-logs]
definition = sourcetype=client_check

alt text

alt text

Preview file
334 KB
Preview file
190 KB
0 Karma
Reply

htidore
Path Finder
‎10-25-2017 12:05 AM

There are two problems with Cisco Security Suite v312 using Cisco eStreamer eNcore addon for Splunk v300 (for FMC v6).
The first one is Cisco Security Suite expects logs in index called estreamer. The solution is create inputs.conf under opt/splunk/etc/apps/TA-eStreamer/local/

[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data]
disabled = false
index = estreamer

[script://./bin/splencore.sh start]
disabled = 0
index = estreamer

[script://./bin/splencore.sh status]
disabled = 0
index = estreamer

The second problem is the macro used in Cisco Security Suite. The solution is to create etc/apps/Splunk_CiscoSecuritySuite/local/macros.conf

[SfeS-index]
definition = index=estreamer

[SfeS-estreamer-logs]
definition = `SfeS-index` sourcetype=cisco:estreamer:data

[SfeS-client-check-logs]
definition = `SfeS-index` sourcetype=cisco:estreamer:status
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...