
Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?

kiran331
Builder

What configurations are to be made on the Defense Center and on Cisco eStreamer for Splunk in order to get the IDS/IPS events only? Right now we are getting a huge amount of RNA logs in Splunk. We have enabled Log flows and Log packets in the application, and on the Defense Center everything is enabled. What changes do I have to make to avoid a huge amount of logs?

1 Solution

douglashurd
Builder

I cannot see the important parts of the eStreamer configuration page due to how the screen grab is cropped. By checking the event types you make them available to a requesting client like the Cisco eStreamer App for Splunk.

Uncheck them and the events will not be forwarded.

On the actual eStreamer configuration options page on the Splunk console there is a box you can enable or disable to eliminate flow logs as well.

In the Overview Tab on this page: https://splunkbase.splunk.com/app/1629/ you can see the option.


kiran331
Builder

Hi douglashurd,

What boxes do I have to check in the Splunk app if I have to see only IDS/IPS events but not RNA events?


douglashurd
Builder

Just the Intrusion Events. I'd recommend you also check Impact Flag, Intrusion Extra data and Intrusion Event Packet Data if you want the packet payload. Leave everything else unchecked.


kiran331
Builder

Thanks douglashurd. Do I have to check Log flows on the Splunk eStreamer?


douglashurd
Builder

The flow on/off switch in the Splunk configuration page will only allow flow data to be sent to the Splunk platform if Connection Events (we used to call them RNA flow events) are enabled at the Firepower Management Center eStreamer configuration page; otherwise they won't be available to Splunk.
