This solution helps resolve this error message:
[07:20][bin]$ python estreamer.py
[07:20][bin]$ SFPkcs12 : Unable to get certificate
First, there are a few prerequisites to ensure this solution works:
You have generated an eStreamer client certificate using Sourcefire's Defense Center GUI.
The password on the certificate does not have any special characters that require escaping in the scripts below.
You have read and implemented the following instructions:
$SPLUNK_HOME/etc/apps/Sourcefire/README file
$SPLUNK_HOME/etc/apps/Sourcefire/bin/README file
$SPLUNK_HOME/etc/apps/Sourcefire/docs folder
There are three additional caveats:
The ssl_test.pl script doesn't seem to like any extra .pkcs12 files lying around in the $SPLUNK_HOME/etc/apps/Sourcefire/bin directory. Remove any unused .pkcs12 files from that directory.
The certificate password will appear in cleartext in various internal Splunk logs and it may appear in "ps" output. It is outside of the scope of this answer to provide obfuscation techniques for this issue.
This solution does not scale beyond one Sourcefire Defense Center. If there is a need to communicate with more than one Defense Center, create a second copy of the Sourcefire App (for example, $SPLUNK_HOME/etc/apps/Sourcefire2) and make similar changes to the copy.
The solution lies in modifying two of the files found in $SPLUNK_HOME/etc/apps/Sourcefire/bin:
SFPkcs12.pm, and
estreamer.py
Start by making local backup copies of both files. Now, edit the SFPkcs12.pm file and locate line 25. It should look like this:
$opts->(password) = ''
Insert your certificate's password between the two single quotes, like so:
$opts->(password) = 'my_awesome_password'
Save the file. Now, edit the estreamer.py file and locate line 56. It should look like this:
estreamer = subprocess.Popen("%s %s -o splunk" % \
Insert your certificate's password and the "-pa" flag between the letter k and the double-quote, like so:
estreamer = subprocess.Popen("%s %s -o splunk -pa=my_awesome_password" % \
Save the file. Run the estreamer.py script again and you should see Sourcefire events appear on STDOUT. Enable the estreamer.py input, if necessary. Sourcefire events should start appearing in Splunk with sourcetype=estreamer.
To answer your second question, the estreamer.py script collects events from the Defense Center and logs them to $SPLUNK_HOME/etc/apps/Sourcefire/log/estreamer.log and/or $SPLUNK_HOME/etc/apps/Sourcefire/log/estreamer_pcap.log. Splunk monitors those two files and indexes new data as it appears in those files. See the app's inputs.conf files for more details.
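An added example, not code from the original answer or from the Sourcefire app, that scripts the two edits above with the checks a practitioner would want before touching the files: it rejects a password containing characters that would need escaping in the Perl single-quoted string or the Python command string (the prerequisite above), refuses to run unless exactly one .pkcs12 file sits in bin/ (the first caveat), and rewrites each target line only if it currently reads exactly as quoted, keeping a .bak copy beside each file. It assumes the directory passed in is $SPLUNK_HOME/etc/apps/Sourcefire/bin and matches the quoted text rather than the line numbers 25 and 56, so a shifted line is not clobbered. The make_fixture function builds a constructed stand-in for bin/ so the whole thing can be tried offline.

```sh
#!/bin/sh
# Added example (not part of the original answer or the Sourcefire app):
# applies the SFPkcs12.pm and estreamer.py edits with sanity checks.
# Assumption: "$1" is $SPLUNK_HOME/etc/apps/Sourcefire/bin and the two
# target lines match the answer verbatim.

# Only allow characters that are safe inside both '...' (Perl) and "..." (Python)
check_password() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Exactly one .pkcs12 file should be present in bin/ (the answer's first caveat)
check_pkcs12() {
    n=0
    for f in "$1"/*.pkcs12; do
        [ -e "$f" ] && n=$((n + 1))
    done
    [ "$n" -eq 1 ]
}

# Replace one exact line. The values travel through the environment so awk
# does not interpret backslashes in them (the Python line ends in one).
patch_line() {
    file="$1"; want="$2"; repl="$3"
    [ "$(grep -c -F -x -- "$want" "$file" || true)" -eq 1 ] || return 1
    cp "$file" "$file.bak" || return 1
    WANT="$want" REPL="$repl" awk \
        '$0 == ENVIRON["WANT"] { print ENVIRON["REPL"]; next } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Apply both edits; nothing is written unless every check passes first
apply_sourcefire_password() {
    bin_dir="$1"; pw="$2"
    check_password "$pw" || return 1
    check_pkcs12 "$bin_dir" || return 1
    patch_line "$bin_dir/SFPkcs12.pm" \
        "\$opts->(password) = ''" \
        "\$opts->(password) = '$pw'" || return 1
    patch_line "$bin_dir/estreamer.py" \
        'estreamer = subprocess.Popen("%s %s -o splunk" % \' \
        "estreamer = subprocess.Popen(\"%s %s -o splunk -pa=$pw\" % \\" || return 1
}

# Constructed stand-in for the app's bin/ directory (offline test data only):
# two stub files carrying the quoted lines, plus one client certificate.
make_fixture() {
    d="$1"
    mkdir -p "$d"
    printf '%s\n' 'package SFPkcs12;' "\$opts->(password) = ''" '1;' > "$d/SFPkcs12.pm"
    printf '%s\n' 'import subprocess' \
        'estreamer = subprocess.Popen("%s %s -o splunk" % \' \
        '    (cmd, cert), stdout=subprocess.PIPE)' > "$d/estreamer.py"
    : > "$d/client.pkcs12"
}

# Usage against the real app directory:
# apply_sourcefire_password "$SPLUNK_HOME/etc/apps/Sourcefire/bin" 'my_awesome_password'
```

Running it a second time fails on purpose, because the quoted original lines are no longer present; restore from the .bak copies before re-applying with a different password. The password still ends up in cleartext in both files and on the command line, exactly as the caveat above describes; this script only keeps the edit itself from going wrong.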