Is eStreamer required for this Add-on to be useful? The description says it "leverages data collected via Cisco eStreamer", but it is not clear on whether eStreamer is required. So I guess I'm looking for a clarification on "leverages" vs. "required".
A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:
It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support is obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.
Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.
I've installed the TA, and I've set the sourcetype to cisco:sourcefire, but am not yet seeing everything I anticipated seeing.
I'm on FireSIGHT/Sourcefire 5.x and the docs seem to indicate that I should be using eStreamer and that syslog works for 4.x Sourcefire.
Cisco FireSIGHT Management Center version 5 eStreamer output
Sourcefire Defense Center version 4.X syslog or eStreamer output
Open-source Snort version 2.x
The Splunk Add-on for Cisco FireSIGHT can collect eStreamer data using the eStreamer for Splunk app, but you can also collect syslog data from 4.X Sourcefire appliances and open-source Snort IDS.
Sorry, then no. The TA only ingests eStreamer output from Version 5.X.
As stated on http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Description , the add-on supports these only:
-- Cisco FireSIGHT Management Center version 5 eStreamer output
-- Sourcefire Defense Center version 4.X syslog or eStreamer output
-- Open-source Snort version 2.x