So, I have got 2 instances of Cisco Firepower management centers. I need to connect these 2 FMCs to our eStreamer eNcore Add-on for Splunk. I have gone through almost all of the answers related to this issue, but couldn't find an accepted/working resolution.
In our infra, the "client.pkcs12" is the same for both the FMCs, implying that I can use the same file to connect to both the FMCs. However, the configuration set-up of "eStreamer eNcore Add-On" restricts me to entering only 1 FMC's IP address.
Question-1: Is there a way I can enter multiple FMCs' IP addresses ... or
Question-2: Is there a way that we can configure our Splunk forwarder to receive logs from 2 different FMCs?
Similar setup for me, but I have 1 FMC and 1 Indexer. I have multiple domains on the FMC and am trying to send logs to separate indexes. Can the same client.pkcs12 file and password be used under each domain?
I think the approach they have taken is to have instances of the same add-on (you need to have different names though) and then configure them with a different/the same pkcs file to pull data from the FMC. This would work, as Splunk will see them as two different data sources. You would need to ensure local/apps.conf, inputs.conf are updated to have a unique app name and path (monitor stanza) for the data files to be ingested to Splunk.
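A check for the uniqueness requirement described in the answer above, as an added example that is not part of the original thread or the add-on's own code: it reads the .conf text of each add-on copy and reports any app id or monitor path that two copies share. The directory names, paths and index names are constructed, and it assumes the app name is the `id` setting in the `[package]` stanza of app.conf.

```python
import configparser
from collections import defaultdict

def parse_conf(text):
    """Parse Splunk .conf text (INI-like stanzas); no value interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp

def make_clone(app_id, monitor_path, index):
    """Build constructed app.conf / inputs.conf text for one add-on copy."""
    return {
        "app.conf": f"[package]\nid = {app_id}\n[ui]\nlabel = {app_id}\n",
        "inputs.conf": f"[monitor://{monitor_path}]\nindex = {index}\ndisabled = 0\n",
    }

def find_collisions(clones):
    """clones maps a copy's directory name to its two .conf texts.
    Returns sorted problem strings; an empty list means the copies are distinct."""
    ids, monitors, problems = defaultdict(list), defaultdict(list), []
    for name, files in clones.items():
        app_id = parse_conf(files["app.conf"]).get("package", "id", fallback=None)
        if app_id is None:
            problems.append(f"{name}: app.conf has no [package] id")
        else:
            ids[app_id].append(name)
        for stanza in parse_conf(files["inputs.conf"]).sections():
            if stanza.startswith("monitor://"):
                monitors[stanza[len("monitor://"):].rstrip("/")].append(name)
    for app_id, names in ids.items():
        if len(names) > 1:
            problems.append(f"app id {app_id!r} shared by {sorted(names)}")
    for path, names in monitors.items():
        if len(names) > 1:
            problems.append(f"monitor path {path!r} shared by {sorted(names)}")
    return sorted(problems)

# Constructed sample: the second copy was duplicated without editing its files.
UNEDITED = {
    "encore_fmc_a": make_clone("encore_fmc_a", "/opt/splunk/etc/apps/encore_fmc_a/data", "fmc_a"),
    "encore_fmc_b": make_clone("encore_fmc_a", "/opt/splunk/etc/apps/encore_fmc_a/data", "fmc_a"),
}
# Constructed sample: each copy has its own app id and monitor path.
EDITED = {
    "encore_fmc_a": make_clone("encore_fmc_a", "/opt/splunk/etc/apps/encore_fmc_a/data", "fmc_a"),
    "encore_fmc_b": make_clone("encore_fmc_b", "/opt/splunk/etc/apps/encore_fmc_b/data", "fmc_b"),
}

if __name__ == "__main__":
    for label, clones in (("unedited", UNEDITED), ("edited", EDITED)):
        print(label, find_collisions(clones) or "no collisions")
```

A shared monitor path means both copies would index the same files, so events from the two sources could not be told apart by input.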