Splunk Enterprise Security

Why eStreamer data from sourcefire is not getting tagged for IDS_Attacks datamodel?

att35
Builder

Hi,

We are indexing eStreamer logs from sourcefire and have the app, "eStreamer for Splunk" (2.2.1) and add-on, "Splunk Add-on for Cisco FireSIGHT" ( 3.3.2) installed on both Indexer and the Search-heads.

But when searching for sourcetype=eStreamer, I do not see any tags getting added to the events. no eventtypes either. As per the Add-on documentation, IDS events should be tagged as "ids" & "attack".

Also, the following query against the Data model does not return any results.

| datamodel Intrusion_Detection IDS_Attacks search | search sourcetype="eStreamer" 

I do see that few fields are correct as per CIM, e.g. ides_type, but not all.
e.g. data still returns with dest_ip instead of dest. This is despite the following fieldalias object being present.

alt text

Are we missing any additional setting/configuration or Am i searching the datamodel in a wrong way?

Any help would be appreciated.

Many Thanks,

~ Abhi

0 Karma

lakshman239
SplunkTrust
SplunkTrust

You can go to permissions [ via Manage Apps and selecting the estreamer app] and give read/write permissions to required roles and 'tick' All Apps under 'sharing for config file-only objects. This will make all knowledge objects global and ES and search app will be able to use it.

Also, if you want ES to specifically use it, you need to update etc/apps/SplunkEnterpriseSecuritySuite/local inputs.conf's regex to include "eStreamer"

0 Karma

douglashurd
Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma

ArtS95147
New Member

(* /var/log/messages ) eStreamer

Check to see of eStreamer is found on your logs related to the application.

From New Search>alt text

0 Karma

att35
Builder

Hi ArtS95147,

Thanks for the comment. Can you please review the comment I just posted?

Changing permissions on these objects might resolve the issue but I am not sure if that is the correct way to go. Should I clone all objects instead or just change the permissions for the existing ones?

0 Karma

ArtS95147
New Member

Please ask others about the permission issue -- regards.

0 Karma

att35
Builder

I believe to have found the problem.

It appears that both tags and eventtypes are working as expected, but the ones which came with the eStreamer app have permissions set to the app(eStreamer) only. This must be the reason why neither "search & reporting" nor "Enterprise Security" apps could search the eStreamer data against the data model.

alt text

Also, some of the field aliases required by the model are only in eStreamer app and not in the add-on(permissions for objects within the addon are global, but do not help towards the data model)

alt text

I can try changing the permissions for these objects under "eStreamer" app from App only to Global and that should allow other apps like ES to make use of these tags/eventtypes, but not sure if that is the suggested way to resolve this issue.

Any suggestions?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...