03-04-2020 05:41 AM
Trying to get data out of our FMC to our SIEM. How do you set up estreamer.conf to send the data to a TCP port? The operations guide mentions it, but not how to do it.
03-04-2020 07:12 PM - edited 03-04-2020 07:12 PM
Hi
Did you check this config guide:
https://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/ConfiguringEstreamer.html
It explains all the configuration
03-05-2020 07:12 AM
I did, and I got as far as having eStreamer write a local .json file. I'd like to be able to pipe the output directly to logstash, though, without having to write a file in the middle. I'm using the Python-based eStreamer client we downloaded from Cisco, and the manual you refer to is showing config for the Perl one. I'm just not clear on how to set up the outputters: section to push the data directly over udp to the logstash listener.
03-05-2020 11:45 AM
03-05-2020 12:52 PM
No, the LS config seems fine. I'd like to eliminate writing the eStreamer data to disk. Having an issue where it pushes about 1.5GB of data, then just stops writing to the file. Status still shows it thinks it's processing events. I actually got it to try to send over UDP to LS, but then eStreamer was complaining that the data was too large... arggh.
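The "data was too large" error above is the UDP datagram ceiling: a single IPv4 UDP payload cannot exceed 65507 bytes, and FMC events that carry packet data or long payloads blow past it, whereas a TCP stream has no per-event limit. The following is an added example, not code from the thread or from Cisco's eStreamer client: it checks each JSON event against the UDP limit, frames events as newline-delimited JSON (the format Logstash's `tcp` input reads with `codec => json_lines`), and streams them over TCP. The collector thread is a constructed stand-in for the Logstash listener, the event field names are illustrative, and `frame_events`/`send_tcp`/`udp_fits` are names chosen for this example.

```python
import json
import socket
import threading

# IPv4 UDP payload ceiling: 65535 - 20 (IP header) - 8 (UDP header).
# Any event larger than this cannot be sent as one datagram.
MAX_UDP_PAYLOAD = 65507


def udp_fits(event_bytes: bytes) -> bool:
    """Return True if one encoded event would fit in a single UDP datagram."""
    return len(event_bytes) <= MAX_UDP_PAYLOAD


def frame_events(events):
    """Encode events as newline-delimited JSON, which Logstash's json_lines codec splits on."""
    return b"".join(
        json.dumps(e, separators=(",", ":")).encode() + b"\n" for e in events
    )


def send_tcp(host, port, events):
    """Stream framed events to a TCP listener (e.g. Logstash tcp input); returns bytes sent."""
    payload = frame_events(events)
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
    return len(payload)


class _Collector(threading.Thread):
    """Constructed stand-in for a Logstash tcp input: accepts one connection, parses json_lines."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = []

    def run(self):
        conn, _ = self.sock.accept()
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    break
                buf += chunk
        for line in buf.split(b"\n"):
            if line:
                self.received.append(json.loads(line))


def demo():
    # Constructed sample events; field names only illustrate eStreamer-style JSON output.
    small = {"rec_type": 71, "event_sec": 1583400000, "src_ip": "192.0.2.10", "msg": "connection"}
    large = {"rec_type": 500, "event_sec": 1583400001, "packet_data": "A" * 70000}

    collector = _Collector()
    collector.start()
    sent = send_tcp("127.0.0.1", collector.port, [small, large])
    collector.join(timeout=5)

    return {
        "small_fits_udp": udp_fits(frame_events([small])),   # True
        "large_fits_udp": udp_fits(frame_events([large])),   # False: exceeds 65507 bytes
        "tcp_bytes_sent": sent,
        "tcp_events_received": len(collector.received),      # 2: TCP delivers both intact
    }


if __name__ == "__main__":
    print(demo())
```

Pointing `send_tcp` at a real Logstash instance assumes a pipeline input such as `input { tcp { port => 5044 codec => json_lines } }`; the json_lines codec is what makes the newline framing above necessary, since a TCP stream has no message boundaries of its own.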