How do you set the estreamer app to use a password for the pkcs file? I am able to test connectivity by passing it on the command line for ssl_test.pl, but how do I specify the password for the app to use by default?
Also, how do the events make it into Splunk?
This solution helps resolve this error message:
[07:20][bin]$ python estreamer.py
[07:20][bin]$ SFPkcs12 : Unable to get certificate
First, there are a few prerequisites to ensure this solution works:
There are three additional caveats:
The solution lies in modifying two of the files found in $SPLUNK_HOME/etc/apps/Sourcefire/bin:
Start by making local backup copies of both files. Now, edit the SFPkcs12.pm file and locate line 25. It should look like this:
$opts->(password) = ''
Insert your certificate's password between the two single quotes, like so:
$opts->(password) = 'my_awesome_password'
Save the file. Now, edit the estreamer.py file and locate line 56. It should look like this:
estreamer = subprocess.Popen("%s %s -o splunk" % \
Insert your certificate's password and the "-pa" flag between the letter k and the double-quote, like so:
estreamer = subprocess.Popen("%s %s -o splunk -pa=my_awesome_password" % \
Save the file. Run the estreamer.py script again and you should see Sourcefire events appear on STDOUT. Enable the estreamer.py input, if necessary. Sourcefire events should start appearing in Splunk with sourcetype=estreamer.
To answer your second question, the estreamer.py script collects events from the Defense Center and logs them to $SPLUNK_HOME/etc/apps/Sourcefire/log/estreamer.log and/or $SPLUNK_HOME/etc/apps/Sourcefire/log/estreamer_pcap.log. Splunk monitors those two files and indexes new data as it appears in those files. See the app's inputs.conf files for more details.
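The two file edits above, as an added shell example that is not part of the original answer or of the Sourcefire app: it keeps the backup copies the answer recommends, rejects passwords that would break the Perl string or the Popen command line, and removes group/other read access because both files now hold the PKCS#12 password in clear text. The directory layout and the rejected-character rules are assumptions.

```shell
# set_estreamer_password DIR PASSWORD
#   DIR holds SFPkcs12.pm and estreamer.py (normally $SPLUNK_HOME/etc/apps/Sourcefire/bin,
#   an assumed path). Applies both edits described in the answer above.
set_estreamer_password() {
  dir=$1; pw=$2
  # Quotes, backslashes and whitespace would break the single-quoted Perl string or the
  # command line built by subprocess.Popen, so refuse them (assumed rule, not from the app).
  case $pw in
    ''|*\'*|*\"*|*\\*|*[[:space:]]*)
      echo "password is empty or contains a quote, backslash or whitespace" >&2; return 1 ;;
  esac
  # Escape the characters sed treats specially on the replacement side.
  esc=$(printf '%s' "$pw" | sed 's/[&/]/\\&/g')
  for f in SFPkcs12.pm estreamer.py; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    cp -p "$dir/$f" "$dir/$f.bak"      # local backup, as the answer recommends
  done
  # SFPkcs12.pm: $opts->(password) = ''  ->  $opts->(password) = 'PASSWORD'
  sed "s/\\\$opts->(password) = ''/\\\$opts->(password) = '$esc'/" \
      "$dir/SFPkcs12.pm.bak" > "$dir/SFPkcs12.pm"
  # estreamer.py: ... -o splunk"  ->  ... -o splunk -pa=PASSWORD"
  sed "s/-o splunk\"/-o splunk -pa=$esc\"/" \
      "$dir/estreamer.py.bak" > "$dir/estreamer.py"
  # Both files now contain the password in clear text: only the owner (the Splunk
  # service account) should be able to read them. Owner bits, including exec, are kept.
  chmod go-rwx "$dir/SFPkcs12.pm" "$dir/estreamer.py" "$dir/SFPkcs12.pm.bak" "$dir/estreamer.py.bak"
}

# check_estreamer_password DIR PASSWORD
#   Returns 0 when both files carry the expected setting, 1 otherwise.
check_estreamer_password() {
  dir=$1; pw=$2
  grep -qF -e "\$opts->(password) = '$pw'" "$dir/SFPkcs12.pm" &&
  grep -qF -e "-o splunk -pa=$pw\"" "$dir/estreamer.py"
}
```

Run it as `set_estreamer_password "$SPLUNK_HOME/etc/apps/Sourcefire/bin" 'my_awesome_password'` and then `check_estreamer_password` with the same arguments to confirm both edits landed.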