All Apps and Add-ons

Fix Cisco Security Suite eStreamer data not populating problem

philip_w
Explorer

I found "Sourcefire IPS" section in Cisco Security Suite didn't have any data or chart populated.
Drill down a bit, it's because 2 macros relying on are referring to index=estreamer. In case of using eventgen, simulation data is output to index=main. If we're capturing eStreamer data and not specify index=estream, would also cause the same problem. I suggest Splunk would update the app and take away such dependence.

My interim solution is to have following macros.conf in local to override default macros.conf

[SfeS-estreamer-logs]
definition = sourcetype=estreamer OR sourcetype=cisco:sourcefire

[SfeS-client-check-logs]
definition = sourcetype=client_check

alt text

alt text

0 Karma

htidore
Path Finder

There are two problems with Cisco Security Suite v312 using Cisco eStreamer eNcore addon for Splunk v300 (for FMC v6).
The first one is Cisco Security Suite expects logs in index called estreamer. The solution is create inputs.conf under opt/splunk/etc/apps/TA-eStreamer/local/

[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data]
disabled = false
index = estreamer

[script://./bin/splencore.sh start]
disabled = 0
index = estreamer

[script://./bin/splencore.sh status]
disabled = 0
index = estreamer

The second problem is the macro used in Cisco Security Suite. The solution is to create etc/apps/Splunk_CiscoSecuritySuite/local/macros.conf

[SfeS-index]
definition = index=estreamer

[SfeS-estreamer-logs]
definition = `SfeS-index` sourcetype=cisco:estreamer:data

[SfeS-client-check-logs]
definition = `SfeS-index` sourcetype=cisco:estreamer:status
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...