Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3269
Views
5
Helpful
3
Replies

Help Integrating Firepower in Splunk Enterprise Security with eStreamer

Skjalg Eggen
Level 1
Level 1

‎04-20-2017 11:59 AM - edited ‎03-12-2019 06:21 AM

Hi!

I'm trying to PoC Splunk Enterprise Security as SIEM and integrate Firepower logs from Firepower Management server.

This proves not a trivial task.

I have the eStreamer installed on our heavy forwarder and Splunk add-on for Cisco FireSIGHT on the search head

eStreamer setup is easily set up on our heavy forwarder. The problem lies with mapping fields and values over to the CIM model to use in Enterprise security.

the Splunk eStreamer app is obsolete in its config, supporting up to 5.4. we are on 6.0.1 now and moving to 6.2 soon.

there are more fields in the logs from 6.0+ which is not supported in current eStreamer app. File_actions for example.

I would appreciate a nudge in the right direction as how to work out the kinks.

Is there someone here using Enterprise security and has resolved these issues?

Right now I have alot of unknown malware events, since all file eventes come up as unknown. The same in connection events where unknown is the order of the day.

This basically makes Splunk Enterprise Security unusable as a SIEM if you are running firepower.

I think it could be an easy fix, but I do not have the hours availible in the PoC to investigate and develop a new eStreamer configuration.

1 person had this problem
Labels:
0 Helpful
3 Replies 3

tim.r.jones
Level 1
Level 1

‎08-11-2017 10:07 AM

I even have a Splunk ES Pro Svcs consultant engaged and he's throwing fits about the "unknown" values in eStreamer events.

0 Helpful

Skjalg Eggen
Level 1
Level 1
In response to tim.r.jones

‎11-16-2017 06:33 AM

got most of the kinks worked our, but still some unknown events here and there.

 

I'm going to implement the new Ncore eStreamer TA that is compatible with 6.0+ FMC and see if we cant get this thing working 100%

jsnyc
Level 1
Level 1

‎01-30-2018 11:06 AM

Hi, 

 

Splunk has recently released an update to the app and add-on which may solve your issues:

 

Cisco eStreamer eNcore Add-on for Splunk:

https://splunkbase.splunk.com/app/3662/

 

Cisco Firepower eNcore App for Splunk:

https://splunkbase.splunk.com/app/3663/

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card