Please note that there is another Splunk app for Sourcefire which appears to no longer be maintained and does not support many current features. The Cisco eStreamer for Splunk app is different entirely and should be used instead.
Users of Splunk App for Enterprise Security will also want to download and install TA-sourcefire, which lets the Splunk ES app understand eStreamer data.
Please note this app was developed for, and tested on, Unix platforms only. Windows support is not currently available.
After you install Cisco eStreamer for Splunk, there are several things that you need to verify to ensure your eStreamer client functions properly and communicates with the Defense Center.
Begin by creating the client certificate for the Splunk server from the Defense Center web interface. You can do this by logging into the Defense Center with an Admin account and selecting System > Local > Registration, then clicking the Create Client button. Sourcefire recommends that you use the IP address of the Splunk server rather than its hostname. The password is optional. Download the pkcs12 certificate and copy it onto the Splunk server.
If you want to collect flow/connection data, connection logging must be enabled in the Access Control Policy rules where the logging is desired. The same applies to Security Intelligence events: logging must be enabled on the Security Intelligence tab of the Access Control Policy.
Next, you must validate that the required Perl modules are on the system. The following Perl modules are required for the eStreamer client to run:
It is recommended to use the package management system of your OS/distribution to install these modules before relying on CPAN.
Next, you must validate that the eStreamer client functions correctly. Access the Splunk server terminal and navigate to the Cisco eStreamer for Splunk app directory. Next, enter the bin directory ($SPLUNK_HOME/etc/apps/eStreamer/bin/). From this directory, run the eStreamer client as follows:
./estreamer_client.pl
You should see the usage options present themselves. If you see errors, that means a required Perl module is missing. Look at the error message to determine which module is needed and install it. Continue this process until the client runs without errors.
Because the app is not hosted on the Splunk Apps site, new version notifications will not occur within Splunk. Periodically visit the app page on the Splunk Apps site to see if there is a new version available.
Before installing an upgrade to the app, it is recommended to disable the eStreamer client and wait for it to stop before continuing. This can be done from the app Setup page. Ensure the "Upgrade app" check box is selected when installing the app package. Once the upgrade has been completed and Splunk restarted, the client can be re-enabled from the Setup page.
After you have prepared the Splunk server as described above you can configure the app. You can reach the Setup page for the app in several ways, then configure the app from there.
The Setup page includes all of the details associated with the app, including how the eStreamer client connects to the Sourcefire Defense Center, such as Defense Center IP address, IP protocol (v4 or v6), the port, and the pkcs12 certificate details. Enter the details as appropriate, making sure to provide the full path to the pkcs12 certificate on the Splunk server.
There are three log options that are unchecked by default: Log packets, Log flows, and Log metadata. Packet logs make the packets associated with intrusion events easily accessible directly from Splunk searches, but can consume large amounts of disk space quickly. The flow logs provide connection-level detail for the traffic traversing the network. The metadata logs show some of the eStreamer log detail, but don't directly provide value for event analysis.
After you complete the configuration, you can clear the Disable eStreamer client checkbox. Until the app is configured, this should remain checked.
At this point the app has been configured, and the eStreamer client should start within a minute or so. This is where you should start monitoring the eStreamer client for possible issues. The Help menu in the app includes a Client Status item that will provide you with a view of the status messages from the eStreamer client check script.
There are five dashboards provided by the app. Each of them gives a different high-level view of the data being provided by eStreamer from the Defense Center. It's important to note that each of the dashboards has a time selector at the top of the screen that allows for a change of the time period represented in the dashboard. Below is a brief description of each of the dashboards:
This dashboard provides an overview of the state of the eStreamer client, counts of the important eStreamer records being seen, and a timeline view of the records coming into Splunk.
This dashboard shows the distribution of events across the managed devices and security zones that are defined on each device. At the bottom of the dashboard is a sorted list of each device, and its associated interfaces and security zones. The devices with the most hits are displayed first.
This dashboard shows the distribution of events across the access control policies, access control policy rules, and intrusion policies. The middle of the dashboard is a sorted list of each device, and its associated policies and rules. The devices with the most hits are displayed first. The bottom of the dashboard provides the distribution of events across the correlation policies and rules.
This dashboard shows the geographic region of the source and destination addresses involved in events, where possible. It's important to note that IP addresses in the RFC1918 space, or other reserved blocks, will not properly map. Next come sorted lists of the most frequently involved source and destination addresses, then a sorted list showing the most frequently involved source and destination address pairs. Lastly come the most frequently involved ports, both as a source and a destination.
This dashboard shows detail about network connections being seen by the sensors. It provides a breakdown by application protocols, client applications, web applications, and detail about sensor, policy, and rule hit distributions.
This dashboard shows the timeline of events coming into Splunk, as well as the distribution of events across the devices, priorities, impacts, and IPS block results. At the bottom of the dashboard is a sorted list of the most frequently hit signatures and signature classifications.
This dashboard shows the timeline of events coming into Splunk, as well as the distribution of events across the devices, actions, disposition, and file types. At the bottom of the dashboard is a sorted list of the most frequently seen files.
This dashboard shows the timeline of events coming into Splunk, as well as the distribution of events across the devices, policies, event types, and blocks. At the bottom of the dashboard is a sorted list of the most frequently seen correlations.
Cisco eStreamer for Splunk puts logs into a dedicated index named estreamer. This means that searches against the eStreamer data must use index=estreamer. There are also two distinct source types associated with this app: eStreamer and client_check. All eStreamer logs use the eStreamer source type, while only eStreamer client status messages use the client_check source type.
The Search menu provides quick access to the different event searches, as well as IP address, port, and user profiling searches.
Cisco eStreamer for Splunk adds two items to the Event Actions menu available in searches:
This action will only work for PACKET eStreamer records (rec_type_simple=PACKET). It takes the values of the event_id and packet fields and decodes the hex encoded packet, returning a PCAP as a downloadable file using the event ID for the filename (for example, 5110.pcap). It is important to note that the Log packets setting must be enabled for this Event Action to be of use.
This action will work for any log containing the event_id field. It will open a new search looking for any logs with the same event ID value.
This action will work for any log containing the instance_id and connection_id fields. It will open a new search looking for any logs with the same connection values.
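The following is an added example, not code from the app, showing what the PCAP event action described above has to do: take a PACKET record's hex-encoded packet field and wrap it in a pcap file named after the event_id, refusing records that are not PACKET records or that lack the needed fields. It assumes the packet field holds a complete Ethernet frame (pcap link type 1) and that the record's _time can be used as the capture timestamp; the sample event is constructed.

```python
import binascii
import os
import struct

# pcap global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535,
# link type 1 (Ethernet). Assumption: eStreamer packet records carry full frames.
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
PCAP_RECORD_HEADER = struct.Struct("<IIII")  # ts_sec, ts_usec, incl_len, orig_len


def pcap_from_hex(packet_hex, ts_sec=0, ts_usec=0):
    """Build a single-packet pcap from the hex-encoded 'packet' field value."""
    raw = binascii.unhexlify("".join(packet_hex.split()))  # tolerate whitespace
    if not raw:
        raise ValueError("empty packet payload")
    record = PCAP_RECORD_HEADER.pack(ts_sec, ts_usec, len(raw), len(raw))
    return PCAP_GLOBAL_HEADER + record + raw


def pcap_for_event(event):
    """Return (filename, pcap bytes) for a PACKET record, or None when the
    event is not a PACKET record or lacks event_id/packet."""
    if event.get("rec_type_simple") != "PACKET":
        return None
    event_id, packet_hex = event.get("event_id"), event.get("packet")
    if not event_id or not packet_hex:
        return None
    # The filename comes only from the integer event ID (int() rejects anything
    # else), so a field value can never smuggle in a path component.
    filename = f"{int(event_id)}.pcap"
    ts_sec = int(float(event.get("_time", 0)))  # assumption: _time is epoch secs
    return filename, pcap_from_hex(packet_hex, ts_sec=ts_sec)


def write_event_pcap(event, directory="."):
    """Write the pcap next to the caller; returns the path or None if skipped."""
    result = pcap_for_event(event)
    if result is None:
        return None
    filename, data = result
    path = os.path.join(directory, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample: a 34-byte Ethernet/IPv4 frame (IP header only, checksum
# not computed) as it might appear in the packet field of event 5110.
SAMPLE_EVENT = {
    "rec_type_simple": "PACKET",
    "event_id": "5110",
    "packet": "001122334455 66778899aabb 0800 "
              "45000014 00010000 40010000 0a000001 0a000002",
    "_time": "1400000000",
}
```

Running `write_event_pcap(SAMPLE_EVENT)` produces 5110.pcap, which any pcap reader will open as one Ethernet frame.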
eStreamer for Splunk is copyright © 2013-2014 Cisco and/or its affiliates. All rights reserved. Sourcefire is now part of Cisco.
Updated documentation, added error handling around metadata cache handling
Added option to Settings enabling the logging of extra data associated with intrusion events for additional context.
Set up the app to check for updates now that the app is hosted on apps.splunk.com
Added EULA to About page, eStreamer client dies if running on Windows until fully supported, read config file in UTF-8 friendly way, added timestamp to debug messages
Fixed logic in eStreamer client test to try fetching data from established connection