Is eStreamer required for the Splunk Add-on for Cisco FireSIGHT to be useful?

mikesangray
Path Finder

Is eStreamer required for this Add-on to be useful? The description says "leverages data collected via Cisco eStreamer", but is not clear on whether eStreamer is required. So I guess I'm looking for a clarification on "leverages" vs. required.

douglashurd
Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

rpille_splunk
Splunk Employee

You can ingest data using syslog or by using the eStreamer for Splunk App. Here are the syslog instructions: http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Inputs

mikesangray
Path Finder

I've installed the TA, and I've set the sourcetype to cisco:sourcefire, but am not yet seeing everything I anticipated seeing.

I'm on FireSIGHT/Sourcefire 5.x and the docs seem to indicate that I should be using eStreamer and that syslog works for 4.x Sourcefire.

http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Description
Cisco FireSIGHT Management Center version 5 eStreamer output
Sourcefire Defense Center version 4.X syslog or eStreamer output
Open-source Snort version 2.x

Also, http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Inputs
The Splunk Add-on for Cisco FireSIGHT can collect eStreamer data using the eStreamer for Splunk app, but you can also collect syslog data from 4.X Sourcefire appliances and open-source Snort IDS.

rpille_splunk
Splunk Employee

Sorry, then no. The TA only ingests eStreamer output from Version 5.X.

As stated on http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Description, the add-on supports these only:
-- Cisco FireSIGHT Management Center version 5 eStreamer output
-- Sourcefire Defense Center version 4.X syslog or eStreamer output
-- Open-source Snort version 2.x

mikesangray
Path Finder

That's what I thought. Thanks.
