Splunk Enterprise Security

Why are CIM and Enterprise Security not seeing the data correctly in the Cisco Firepower eNcore App for Splunk?

e_mazza
New Member

Hello,
I set up Cisco eStreamer 3.0.0 correctly, but I see that it is not CIM-compliant and Enterprise Security won't see the data correctly.
Does anyone know if there will be a new CIM-compliant version? Or is the best way to use the old 2.2.2, which is CIM-compliant?

Many Thanks

0 Karma
1 Solution

mhessel
Path Finder

In the new eStreamer eNcore I found a couple of issues that might cause this:

  1. The eventtypes are defined in the eStreamer-Dashboard app, not in the TA-eStreamer one, so make sure you install both.
  2. There are typos in the eStreamer-Dashboard default tags.conf: all of the eventtypes there use dashes in place of the underscores present in eventtypes.conf. Updating tags.conf and replacing all "-" with "_" resolves that.

For example, I changed:
[eventtype=estreamer-ids-ips-event]

to

[eventtype=estreamer_ids_ips_event]


0 Karma
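The mismatch described in the answer above (tags.conf stanzas naming eventtypes with dashes while eventtypes.conf defines them with underscores) is easy to check mechanically before touching ES data models. The following is an added example, not code from the eNcore app or from the poster; the two config snippets are constructed to mirror the post, and the stanza names, searches and tags are illustrative only.

```python
import re
from typing import Dict, List, Set

# Constructed sample of the two Splunk config files discussed in the post
# (not the real app's files): eventtypes.conf uses underscores, while one
# [eventtype=...] stanza in tags.conf refers to the same eventtype with dashes.
EVENTTYPES_CONF = """\
[estreamer_ids_ips_event]
search = index=main sourcetype=estreamer rec_type=400

[estreamer_connection_event]
search = index=main sourcetype=estreamer rec_type=71
"""

TAGS_CONF = """\
[eventtype=estreamer-ids-ips-event]
ids = enabled
attack = enabled

[eventtype=estreamer_connection_event]
network = enabled
communicate = enabled
"""

# A Splunk .conf stanza header is a line of the form [name].
STANZA_RE = re.compile(r"^\[(.+)\]\s*$", re.MULTILINE)

def stanza_names(conf_text: str) -> List[str]:
    """Return stanza headers in order of appearance."""
    return STANZA_RE.findall(conf_text)

def tagged_eventtypes(tags_conf: str) -> List[str]:
    """Only [eventtype=...] stanzas in tags.conf refer to eventtypes."""
    return [s[len("eventtype="):] for s in stanza_names(tags_conf)
            if s.startswith("eventtype=")]

def find_dangling_tags(eventtypes_conf: str, tags_conf: str) -> Dict[str, str]:
    """Map each tagged eventtype with no definition to the name the post's fix
    ('-' -> '_') would give it, or '' if that name is not defined either."""
    defined: Set[str] = set(stanza_names(eventtypes_conf))
    dangling: Dict[str, str] = {}
    for name in tagged_eventtypes(tags_conf):
        if name not in defined:
            candidate = name.replace("-", "_")
            dangling[name] = candidate if candidate in defined else ""
    return dangling

def fix_tags_conf(eventtypes_conf: str, tags_conf: str) -> str:
    """Rewrite only the dangling [eventtype=...] headers that have a match."""
    fixed = tags_conf
    for bad, good in find_dangling_tags(eventtypes_conf, tags_conf).items():
        if good:
            fixed = fixed.replace(f"[eventtype={bad}]", f"[eventtype={good}]")
    return fixed
```

Run it against the real files from $SPLUNK_HOME/etc/apps/<app>/default/ (read them instead of the embedded strings) to list every tag stanza that no eventtype will ever satisfy, which is exactly the condition under which CIM tags, and therefore the ES data models, silently receive nothing.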

e_mazza
New Member

I solved it by fixing the tags inside the eStreamer dashboard.

0 Karma


e_mazza
New Member

I confirm this is how I solved it.
Many thanks!

0 Karma

tiagofbmm
Influencer

Why do you say it is not CIM?

I took a look at the tags and eventtypes and they will surely be matched against CIM. Am I missing something here?

0 Karma

e_mazza
New Member

I saw that there's no mention of CIM in the app description, so I thought it was not compliant.
After investigating a bit I could see a few tags and eventtypes, but I don't see anything matched.
In the logs I receive there are a lot of fields that are not matched (here is the list of the possible fields I have):
source
sourcetype
app
app_proto
dest
dest_ip
fw_rule
http_response
rule
src
src_ip
url
user
time
index
linecount
splunk_server

I'm pretty sure that I should have a ton of other fields. Can you confirm that I should see more?
Many thanks

0 Karma

tiagofbmm
Influencer

The fields you should see depend strictly on which Data Model your events are being mapped against.
The list of fields you are showing me is pretty much the expected one for the Network Traffic Data Model, I think, so don't assume it is not CIM compliant.

Moreover, you don't need to have all the fields of a data model in your data. In fact, you'll rarely have them all.

Check here which fields each Data Model of Enterprise Security has:

http://docs.splunk.com/Documentation/CIM/4.9.1/User/Authentication

0 Karma

e_mazza
New Member

It seems that there are no tags, so the data cannot be used in any data model. Is this normal behavior?
In the eStreamer TA there are no tags; in the eStreamer dashboard there are eventtypes but again no tags.
I put a picture here:
https://imgur.com/MwrXzqf

0 Karma