
How to configure Cisco eStreamer for Splunk app to pull data from sourceFire?

perftechy
New Member

The eStreamer app seems to be a great tool for visualizing all kinds of traffic going to Sourcefire.

I just installed the latest Splunk (6.1.1) and the latest eStreamer (2.1.5) and am trying to configure it.

The problem is, I don't know what to fill in for the field "Certificate path and filename", or what to configure on the Sourcefire Defense Center side to allow an eStreamer client to connect and pull logs.

I have the admin login for the Defense Center, but I don't see where in the Defense Center to configure an eStreamer client (say, client IP or client certificate) either.

Thanks in advance,

Jin


tosilesi
New Member

You can download a nice KB article from within your Sourcefire account that explains exactly how to do this almost step by step. The name of it is "eStreamer Integration Guide". You'll find that you need to install several Perl modules on your Splunk server before eStreamer will work.


rstrong30
Loves-to-Learn

I'm working on the eStreamer setup, and the documentation is far from complete, to the point of frustration. I'll figure it out eventually!


perftechy
New Member

Thanks @tosilesi for the pointer. I am having my sales guy get an account for me. At this point, I have installed all the Perl modules needed on the Linux box running Splunk, and the eStreamer client seems to run fine. I guess I will need to look at the guide for the eStreamer configuration. Thanks.


cgrady_sf
Path Finder

Hello, Jin.

Within the app, there is a Help menu and under that a Documentation menu item. If you select that, it should provide some guidance. Additionally, the Documentation from the app page on the Splunk App portal (http://apps.splunk.com/app/1629/) will provide the same detail.

The short answer is that you need to generate a client certificate from the Sourcefire Defense Center. This can be done from the System > Local > Registration menu. Once there, select the appropriate events from the left, then hit Save. Next, use the Create Client button to generate a client certificate. Download that certificate and place it on the Splunk server where the app resides, and put the path to that certificate in the box you're asking about.

Best of luck,
Colin Grady
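The certificate step Colin describes can be sanity-checked from the Splunk server before the app is pointed at the file. The script below is an added example, not code from the Cisco eStreamer for Splunk app or from the Sourcefire documentation. It assumes the Defense Center hands out the client certificate as a password-protected PKCS#12 bundle (the `.pkcs12` download from the Create Client step) and that eStreamer listens on TCP 8302 on the Defense Center; the function names, the sample path `/path/to/client.pkcs12`, the host `dc.example.com` and the password are placeholders. It opens the bundle with its password, checks that the client certificate has not expired (and prints its subject, whose CN is the client name entered in Create Client, so it can be compared with the Splunk host), and optionally attempts the mutually authenticated TLS handshake to the Defense Center, which is what any eStreamer client has to complete before events flow:

```shell
#!/bin/sh
# Added preflight check for a Sourcefire eStreamer client certificate.
# Not part of the Cisco eStreamer for Splunk app. Assumes the Defense Center
# issued a password-protected PKCS#12 bundle (e.g. splunk-host.pkcs12) and
# that eStreamer listens on TCP 8302. Run it as the user Splunk runs as, so
# the readability check reflects what the app will see.

# pkcs12_dump FILE PASSWORD [openssl pkcs12 args...]
# Runs "openssl pkcs12" on the bundle. Retries with -legacy because bundles
# from older Defense Centers use RC2-based PKCS#12 encryption that OpenSSL 3
# only accepts through its legacy provider (on OpenSSL 1.x the retry simply
# fails as an unknown option, so the overall result is still a clean failure).
pkcs12_dump() {
    bundle=$1; P12PASS=$2; shift 2
    export P12PASS   # env: keeps the password out of "ps" output, unlike pass:
    openssl pkcs12 -in "$bundle" -passin env:P12PASS "$@" 2>/dev/null \
        || openssl pkcs12 -legacy -in "$bundle" -passin env:P12PASS "$@" 2>/dev/null
}

# check_pkcs12_bundle FILE PASSWORD [MIN_SECONDS]
# Returns 0 if FILE is readable, opens with PASSWORD and holds a client
# certificate that stays valid for at least MIN_SECONDS (default 30 days).
# Prints the certificate subject and expiry date on success.
check_pkcs12_bundle() {
    bundle=$1; password=$2; min_secs=${3:-2592000}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    cert=$(pkcs12_dump "$bundle" "$password" -clcerts -nokeys) \
        || { echo "wrong password or not a PKCS#12 bundle: $bundle" >&2; return 1; }
    # openssl x509 skips the "Bag Attributes" preamble and reads the PEM block.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$min_secs" >/dev/null 2>&1 \
        || { echo "client certificate expires within $min_secs seconds" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
}

# check_estreamer_handshake FILE PASSWORD DC_HOST [PORT]
# Returns 0 if a TLS handshake to the Defense Center's eStreamer port succeeds
# using the client certificate and key from FILE. Server-certificate
# verification is deliberately not enforced here (no -CAfile), so success only
# proves the port is reachable and the Defense Center accepts this client.
check_estreamer_handshake() {
    bundle=$1; password=$2; dc_host=$3; port=${4:-8302}
    pem=$(mktemp) || return 1            # mktemp creates the file mode 0600
    pkcs12_dump "$bundle" "$password" -nodes -out "$pem" \
        || { rm -f "$pem"; echo "could not unpack $bundle" >&2; return 1; }
    # s_client exits non-zero if the TCP connect or the handshake fails;
    # </dev/null closes the session right after the handshake completes.
    rc=0
    openssl s_client -connect "$dc_host:$port" -cert "$pem" -key "$pem" -quiet \
        </dev/null >/dev/null 2>&1 || rc=$?
    rm -f "$pem"
    return $rc
}

# Usage (placeholders, not real paths or credentials):
#   check_pkcs12_bundle /path/to/client.pkcs12 'bundle-password'
#   check_estreamer_handshake /path/to/client.pkcs12 'bundle-password' dc.example.com
```

If the first check fails with the password you were given, the file is usually not the bundle from the Create Client step; if it passes but the handshake fails, look at the Defense Center side (the client entry, its host name or IP, and reachability of port 8302) before touching the app configuration. The unpacked key only ever lives in a mode-0600 temporary file that is removed before the function returns.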

cgrady_sf
Path Finder

Flows/connections come across via the Discovery Events in the eStreamer configuration.


perftechy
New Member

Thanks a lot, Colin, for the quick answer. I was able to follow it, get the certificate downloaded from the Defense Center and point Splunk at it. But when I run traffic through the virtual device, I don't see anything showing up in the Splunk eStreamer app, i.e. I don't see the flow events. I guess the problem is in the config of the Defense Center: I only see the following log types.

Discovery Events
Correlation and White List Events
Impact Flag Alerts
Intrusion Events
Intrusion Event Packet Data
User Activity
Intrusion Event Extra Data
Malware Events
File Events

Any idea?
