Solved: Estreamer to Logstash?

babiojd01 · ‎05-24-2018

Does anyone have a sample config they have used to retrieve event streamer data to logstash? Seems to be the only way to get relevant alerting beings there is no api access to retrieve signature alerts or anything like that.

dohurd · ‎07-17-2018

You might need to build a plug in for LogStash if you want to use eStreamer. To really figure it out we'd need to speak on the phone probably.

View solution in original post

SeSc · ‎05-25-2018

Do you need it also for IDS events? Cause I have the problem that the new FTD IDS sensor seems not to send any IDS events, only ACP Events...

babiojd01 · ‎05-25-2018

Our environment is purely Firepower on top of ASA. Currently no production FTD so hopefully whatever you have works?

dohurd · ‎05-25-2018

There is a sort of generic estreamer client called eNcore which supports plug ins. The base client code simple collects all the events from the estreamer queue on the FMC and converts this binary data to text and writes it to disk. There is a Splunk, CEF and JSON plugins and a few 3rd parties have written their own. Maybe a logstash plugin could be written. Please email me at dohurd@cisco.com if you want to know more

dohurd · ‎05-25-2018

There is a sort of generic estreamer client called eNcore which supports plug ins. The base client code simple collects all the events from the estreamer queue on the FMC and converts this binary data to text and writes it to disk. There is a Splunk, CEF and JSON plugins and a few 3rd parties have written their own. Maybe a logstash plugin could be written. Please email me at dohurd@cisco.com if you want to know more

babiojd01 · ‎05-26-2018

https://developer.cisco.com/site/firepower/ so I downloaded this to pull the events via estreamer. The csv file part doesn't seem to work. The only thing that does work is sending the alerts to syslog or send them to print screen. If I could get the events via json I know how to parse them into logstash.

dohurd · ‎06-29-2018

If help is still needed on eStreamer and Logstash please email me directly at dohurd@cisco.com. IDS event data as well as AMP and Connection events ARE available directly off the FTD device.

babiojd01 · ‎05-27-2018

I have figured out how to use the sdk to get the estreamer output to syslog but I don't see alerts for malware events. I do see them when the output is switched print. Anyone have any insight?

babiojd01 · ‎07-11-2018

I thankfully received the encore client from Doug at cisco but for some reason or another i only receive some alerts not every thing coming from the FirePower Manager. I ran specific tests and I see my snort alerts go out via syslog to the syslog server but estreamer isn't send them? Very strange behavior.

dohurd · ‎07-17-2018

You might need to build a plug in for LogStash if you want to use eStreamer. To really figure it out we'd need to speak on the phone probably.

babiojd01 · ‎07-18-2018

Its fine, I am currently pulling the alerts in via RSA netwitness using their API. It just would've been nice if this was as simple as pulling the CTA logs via the api or if pulling snort alerts from FMC was available via the api. Is that functionality coming any time soon? This type of alerting integration would simplified if so.