topic Re: Estreamer to Logstash? in Network Security

Estreamer to Logstash?

babiojd01 — Fri, 21 Feb 2020 15:48:42 GMT

Does anyone have a sample config they have used to retrieve event streamer data to logstash? Seems to be the only way to get relevant alerting beings there is no api access to retrieve signature alerts or anything like that.

Re: Estreamer to Logstash?

SeSc — Fri, 25 May 2018 11:57:04 GMT

Do you need it also for IDS events? Cause I have the problem that the new FTD IDS sensor seems not to send any IDS events, only ACP Events...

Re: Estreamer to Logstash?

babiojd01 — Fri, 25 May 2018 12:21:26 GMT

Our environment is purely Firepower on top of ASA. Currently no production FTD so hopefully whatever you have works?

Re: Estreamer to Logstash?

dohurd — Fri, 25 May 2018 15:47:53 GMT

There is a sort of generic estreamer client called eNcore which supports plug ins. The base client code simple collects all the events from the estreamer queue on the FMC and converts this binary data to text and writes it to disk. There is a Splunk, CEF and JSON plugins and a few 3rd parties have written their own. Maybe a logstash plugin could be written. Please email me at dohurd@cisco.com if you want to know more

Re: Estreamer to Logstash?

dohurd — Fri, 25 May 2018 15:47:53 GMT

Re: Estreamer to Logstash?

babiojd01 — Sat, 26 May 2018 23:22:10 GMT

https://developer.cisco.com/site/firepower/ so I downloaded this to pull the events via estreamer. The csv file part doesn't seem to work. The only thing that does work is sending the alerts to syslog or send them to print screen. If I could get the events via json I know how to parse them into logstash.

Re: Estreamer to Logstash?

babiojd01 — Sun, 27 May 2018 18:03:56 GMT

I have figured out how to use the sdk to get the estreamer output to syslog but I don't see alerts for malware events. I do see them when the output is switched print. Anyone have any insight?

Re: Estreamer to Logstash?

dohurd — Fri, 29 Jun 2018 17:48:05 GMT

If help is still needed on eStreamer and Logstash please email me directly at dohurd@cisco.com. IDS event data as well as AMP and Connection events ARE available directly off the FTD device.

Re: Estreamer to Logstash?

babiojd01 — Wed, 11 Jul 2018 16:00:30 GMT

I thankfully received the encore client from Doug at cisco but for some reason or another i only receive some alerts not every thing coming from the FirePower Manager. I ran specific tests and I see my snort alerts go out via syslog to the syslog server but estreamer isn't send them? Very strange behavior.

Re: Estreamer to Logstash?

dohurd — Tue, 17 Jul 2018 21:35:58 GMT

You might need to build a plug in for LogStash if you want to use eStreamer. To really figure it out we'd need to speak on the phone probably.

Re: Estreamer to Logstash?

babiojd01 — Wed, 18 Jul 2018 11:20:53 GMT

Its fine, I am currently pulling the alerts in via RSA netwitness using their API. It just would've been nice if this was as simple as pulling the CTA logs via the api or if pulling snort alerts from FMC was available via the api. Is that functionality coming any time soon? This type of alerting integration would simplified if so.