
Downloading Cisco eStreamer Client for Splunk

SHA256 checksums of the release packages:

  • cisco-estreamer-client-for-splunk_222.tgz: 11a3cf4cc2a70811cdd19acaca8adf4e4112972b35551f97117238bc2925fcb5
  • cisco-estreamer-client-for-splunk_221.tgz: 19bed56f9aa5c35f651bf4e7bd104ee00ec27a63271e8e9f5b4df491d99b2175
  • cisco-estreamer-client-for-splunk_220.tgz: 63e7491da53e1c6174619bd687ea3be4686cc94b14083d4389a62a4ed193375f
  • cisco-estreamer-client-for-splunk_217.tgz: a8e34ea6fc42f1a7593b096cb3ca64c6a75649302e5e9e487283336489ac719f
  • cisco-estreamer-client-for-splunk_216.tgz: 2daf177edfd23a2d25e78a46b9c21de4eec6a59cfbe7e63af6267083454e8ba1
  • cisco-estreamer-client-for-splunk_215.tgz: c5cb9682626334d29d6150f4dc6f8f82ba377fc42960987500d00ca0086fe664

Cisco eStreamer Client for Splunk

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Cisco eStreamer log collection and comprehensive selection of dashboards optimized for Sourcefire System 5.2+ and Splunk 6.

NEW ESTREAMER-SPLUNK SOLUTION IS AVAILABLE FOR SECURE FIREWALL (f.k.a. FIREPOWER) CUSTOMERS RUNNING FMC VERSION 6.X HERE: https://splunkbase.splunk.com/app/3662/

The supported event types are:
• Intrusion Events
• Intrusion Event Packet Data (optional)
• Intrusion Event Extra Data
• Malware Events
• File Events
• Connection Logs and Security Intelligence Events
• Correlation and White List Events
• Impact Flag Alerts
• Connection Events (optional)

Please note this app was developed for, and tested on, Unix platforms only. Windows support is not currently available.

This app is only community supported -- no official support is available. Be sure to visit the Documentation tab for initial assistance with setup, configuration, important notes, and a version change log.

eStreamer for Splunk is copyright © 2013-2014 Cisco and/or its affiliates. All rights reserved. Sourcefire is now part of Cisco.

Important Notes

Please note that there is another Splunk app for Sourcefire which appears to no longer be maintained and does not support many current features. The Cisco eStreamer for Splunk app is different entirely and should be used instead.

Users of Splunk App for Enterprise Security will also want to download and install TA-sourcefire, which lets the Splunk ES app understand eStreamer data.


Preparation

After you install Cisco eStreamer for Splunk, there are several things that you need to verify to ensure your eStreamer client functions properly and communicates with the Defense Center.

Begin by creating the client certificate for the Splunk server from the Defense Center web interface. You can accomplish this by logging into the Defense Center with an Admin account and selecting System > Local > Registration, then clicking the Create Client button. Sourcefire recommends that you use the IP address of the Splunk server rather than its hostname. The password is optional. Download the pkcs12 certificate and copy it onto the Splunk server.

If you want to collect flow/connection data, connection logging must be enabled in the Access Control Policy rules where the logging is desired. The same applies to Security Intelligence events: logging must be enabled on the Security Intelligence tab of the Access Control Policy.

Next, you must validate that the required Perl modules are on the system. The following Perl modules are required for the eStreamer client to run:

  • Getopt::Long
  • Socket
  • IO::Socket::SSL
  • NetAddr::IP
  • Storable
  • Socket6 (Only required if IPv6 is used)
  • IO::Socket::INET6 (Only required if IPv6 is used)

It is recommended to use the package management system of your OS/distribution to install these modules before relying on CPAN.

Next, you must validate that the eStreamer client functions correctly. Access the Splunk server terminal and navigate to the Cisco eStreamer for Splunk app directory. Next, enter the bin directory ($SPLUNK_HOME/etc/apps/eStreamer/bin/). From this directory, run the eStreamer client as follows:

./estreamer_client.pl

You should see the usage options present themselves. If you see errors, that means a required Perl module is missing. Look at the error message to determine which module is needed and install it. Continue this process until the client runs without errors.
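The module check above is done by hand: run the client, read the error, install the module, repeat. The script below automates the same check by asking Perl to load each required module. It is an added example, not part of the app or of the estreamer_client.pl script; the module names are the ones listed above, and it assumes a `perl` binary on the PATH of the Unix host running Splunk.

```python
"""Check that the Perl modules the eStreamer client needs can be loaded (added example)."""
import re
import shutil
import subprocess

# Module list taken from the Preparation section; the last two are only needed for IPv6.
REQUIRED_MODULES = ["Getopt::Long", "Socket", "IO::Socket::SSL", "NetAddr::IP", "Storable"]
IPV6_MODULES = ["Socket6", "IO::Socket::INET6"]

PERL_AVAILABLE = shutil.which("perl") is not None
# Plain package names only: letters, digits, underscore, separated by "::".
MODULE_NAME = re.compile(r"^[A-Za-z_]\w*(::\w+)*$")


def required_modules(ipv6=False):
    """Modules to verify; include the IPv6 ones only when the Defense Center is reached over IPv6."""
    return REQUIRED_MODULES + (IPV6_MODULES if ipv6 else [])


def is_valid_module_name(name):
    """Reject anything that is not a bare package name so that "Foo=args" or
    option-like strings never reach perl's -M switch."""
    return bool(MODULE_NAME.match(name))


def module_available(name, perl="perl"):
    """`perl -MName -e 1` loads the module and exits 0; a missing module exits non-zero."""
    if not is_valid_module_name(name):
        raise ValueError(f"not a Perl module name: {name!r}")
    proc = subprocess.run([perl, f"-M{name}", "-e", "1"], capture_output=True, text=True)
    return proc.returncode == 0


def missing_modules(ipv6=False, perl="perl"):
    """Return the required modules that fail to load on this host."""
    if shutil.which(perl) is None:
        raise FileNotFoundError(f"{perl!r} not found on PATH")
    return [m for m in required_modules(ipv6) if not module_available(m, perl)]


if __name__ == "__main__":
    missing = missing_modules(ipv6=False)
    if missing:
        print("Install these Perl modules before running estreamer_client.pl:")
        for module in missing:
            print("  " + module)
        raise SystemExit(1)
    print("All required Perl modules load correctly.")
```

Run it from the app's bin directory before enabling the client; it prefers the OS package manager's view of what is installed (it only asks Perl whether a module loads), so it agrees with the recommendation above to install modules from distribution packages rather than CPAN where possible.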

Upgrading the App

Because the app is not hosted on the Splunk Apps site, new version notifications will not occur within Splunk. Periodically visit the app page on the Splunk Apps site to see if there is a new version available.

Before installing an upgrade to the app, it is recommended to disable the eStreamer client and wait for it to stop before continuing. This can be done from the app Setup page. Ensure the "Upgrade app" check box is selected when installing the app package. Once the upgrade has been completed, and Splunk restarted, the client can be re-enabled from the Setup page.

Configuration

After you have prepared the Splunk server as described above you can configure the app. You can reach the Setup page for the app in several ways, then configure the app from there.

The Setup page includes all of the details associated with the app, including how the eStreamer client connects to the Sourcefire Defense Center, such as Defense Center IP address, IP protocol (v4 or v6), the port, and the pkcs12 certificate details. Enter the details as appropriate, making sure to provide the full path to the pkcs12 certificate on the Splunk server.

There are three log options that are unchecked by default: Log packets, Log flows, and Log metadata. Packet logs make the packets associated with intrusion events easily accessible directly from Splunk searches but can consume large amounts of disk space quickly. The flow logs provide connection-level detail for the traffic traversing the network. The metadata logs show some of the eStreamer log detail, but don't directly provide value for event analysis.

After you complete the configuration, you can clear the Disable eStreamer client checkbox. Until the app is configured, this should remain checked.

At this point the app has been configured, and the eStreamer client should start within a minute or so. This is where you should start monitoring the eStreamer client for possible issues. The Help menu in the app includes a Client Status item that will provide you with a view of the status messages from the eStreamer client check script.

Dashboards

There are five dashboards provided by the app. Each of them gives a different high-level view of the data being provided by eStreamer from the Defense Center. It's important to note that each of the dashboards has a time selector at the top of the screen that allows for a change of the time period represented in the dashboard. Below is a brief description of each of the dashboards:

eStreamer Summary

This dashboard provides an overview of the state of the eStreamer client, counts of the important eStreamer records being seen, and a timeline view of the records coming into Splunk.

Sensor Summary

This dashboard shows the distribution of events across the managed devices and security zones that are defined on each device. At the bottom of the dashboard is a sorted list of each device, and its associated interfaces and security zones. The devices with the most hits are displayed first.

Policy Summary

This dashboard shows the distribution of events across the access control policies, access control policy rules, and intrusion policies. The middle of the dashboard is a sorted list of each device, and its associated policies and rules. The devices with the most hits are displayed first. The bottom of the dashboard provides the distribution of events across the correlation policies and rules.

Host Summary

This dashboard shows the geographic region of the source and destination addresses involved in events, where possible. It's important to note that IP addresses in the RFC1918 space, or other reserved blocks, will not properly map. Next come sorted lists of the most frequently involved source and destination addresses, then a sorted list showing the most frequently involved source and destination address pairs. Lastly comes the most frequently involved ports, both as a source and a destination.

Flow Summary

This dashboard shows detail about network connections being seen by the sensors. It provides a breakdown by application protocols, client applications, web applications, and detail about sensor, policy, and rule hit distributions.

Intrusion Event Summary

This dashboard shows the timeline of events coming into Splunk, as well as the distribution of events across the devices, priorities, impacts, and IPS block results. At the bottom of the dashboard is a sorted list of the most frequently hit signatures and signature classifications.

File / Malware Event Summary

This dashboard shows the timeline of events coming into Splunk, as well as the distribution of events across the devices, actions, disposition, and file types. At the bottom of the dashboard is a sorted list of the most frequently seen files.

Correlation Event Summary

This dashboard shows the timeline of events coming into Splunk, as well as the distribution of events across the devices, policies, event types, and blocks. At the bottom of the dashboard is a sorted list of the most frequently seen correlations.

Searching

Cisco eStreamer for Splunk puts logs into a dedicated index named estreamer. This means that searches against the eStreamer data must use index=estreamer. There are also two distinct source types associated with this app: eStreamer and client_check. All eStreamer logs use the eStreamer source type, while only eStreamer client status messages use the client_check source type.

The Search menu provides quick access to the different event searches, as well as IP address, port, and user profiling searches.

Event Actions

Cisco eStreamer for Splunk adds two items to the Event Actions menu available in searches:

eStreamer: Save PCAP

This action will only work for PACKET eStreamer records (rec_type_simple=PACKET). It takes the values of the event_id and packet fields and decodes the hex encoded packet, returning a PCAP as a downloadable file using the event ID for the filename (for example, 5110.pcap). It is important to note that the Log packets setting must be enabled for this Event Action to be of use.
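To make the Save PCAP action concrete, here is an added example (not the app's own action script) that performs the same transformation in Python: decode the hex string from the packet field and wrap it in a libpcap file named after the event ID. It assumes the packet bytes begin at the Ethernet header (link type 1) and that the event timestamp is available as seconds since the epoch; the sample packet and event ID 5110 are constructed for the example.

```python
"""Turn the hex-encoded `packet` field of an eStreamer PACKET record into a PCAP file (added example)."""
import binascii
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # written little-endian below, so the file starts d4 c3 b2 a1
LINKTYPE_ETHERNET = 1            # assumption: eStreamer packet data starts at the Ethernet header
PCAP_GLOBAL_HEADER = "<IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HEADER = "<IIII"     # ts_sec, ts_usec, incl_len, orig_len

# Constructed sample: Ethernet + IPv4 + UDP headers, 42 bytes, checksums left at zero.
SAMPLE_EVENT_ID = "5110"
SAMPLE_PACKET_HEX = (
    "ffffffffffff0011223344550800"  # Ethernet: dst, src, EtherType 0x0800 (IPv4)
    "4500001c000100004011"          # IPv4: ver/ihl, tos, total len 28, id, flags, ttl 64, proto 17
    "0000c0a8010ac0a80114"          # checksum, src 192.168.1.10, dst 192.168.1.20
    "04d2003500080000"              # UDP: sport 1234, dport 53, len 8, checksum
)
SAMPLE_TIMESTAMP = 1380000000.5


def decode_hex_packet(field):
    """Decode the packet field, tolerating whitespace; rejects odd-length or non-hex input."""
    cleaned = "".join(field.split())
    if len(cleaned) % 2:
        raise ValueError("packet field has odd-length hex")
    return binascii.unhexlify(cleaned)  # binascii.Error on non-hex characters


def pcap_bytes(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Build a complete pcap file image from (timestamp, frame_bytes) pairs."""
    out = bytearray(struct.pack(PCAP_GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, data in packets:
        ts_sec = int(ts)
        ts_usec = int(round((ts - ts_sec) * 1_000_000))
        out += struct.pack(PCAP_RECORD_HEADER, ts_sec, ts_usec, len(data), len(data))
        out += data
    return bytes(out)


def parse_pcap(blob):
    """Read the file image back as a list of (ts_sec, ts_usec, frame_bytes); used to verify output."""
    if struct.unpack("<I", blob[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    rec_len = struct.calcsize(PCAP_RECORD_HEADER)
    records, off = [], struct.calcsize(PCAP_GLOBAL_HEADER)
    while off < len(blob):
        ts_sec, ts_usec, incl, _orig = struct.unpack(PCAP_RECORD_HEADER, blob[off:off + rec_len])
        off += rec_len
        records.append((ts_sec, ts_usec, blob[off:off + incl]))
        off += incl
    return records


def ipv4_endpoints(frame):
    """Source and destination IPv4 addresses of an Ethernet/IPv4 frame, or None if it is not one.
    A None result is the signal that the link-type assumption above does not hold for this record."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return (str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34])))


def save_pcap(event_id, packet_hex, timestamp, directory="."):
    """Write <event_id>.pcap, as the Save PCAP action does, and return the path."""
    if not event_id.isdigit():
        raise ValueError("event_id must be numeric")  # keeps path characters out of the filename
    path = f"{directory}/{event_id}.pcap"
    with open(path, "wb") as fh:
        fh.write(pcap_bytes([(timestamp, decode_hex_packet(packet_hex))]))
    return path


def sample_roundtrip():
    """Encode the constructed sample and parse it back."""
    return parse_pcap(pcap_bytes([(SAMPLE_TIMESTAMP, decode_hex_packet(SAMPLE_PACKET_HEX))]))


if __name__ == "__main__":
    print(save_pcap(SAMPLE_EVENT_ID, SAMPLE_PACKET_HEX, SAMPLE_TIMESTAMP))
    print(ipv4_endpoints(decode_hex_packet(SAMPLE_PACKET_HEX)))
```

The event ID is validated before it becomes a filename because the value comes from search results; the endpoint check is a cheap way to confirm that what was decoded really is an Ethernet frame before handing the file to an analyst's packet tools.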

eStreamer: View Event

This action will work for any log containing the event_id field. It will open a new search looking for any logs with the same event ID value.

eStreamer: View Connection

This action will work for any log containing the instance_id and connection_id fields. It will open a new search looking for any logs with the same connection values.


Change Log

  • 1.0 (30-Oct-2013) Initial release
  • 1.0.1 (13-Dec-2013) Updated client_check.py script to check if the eStreamer client was started successfully
  • 1.0.2 (16-Jan-2014) Reorder PATH in estreamer_client.pl to prioritize away from the Splunk included openssl binary (fix for CentOS/RHEL)
  • 1.0.3 (21-Jan-2014) Updated app.conf to NOT check for updates since the app is not hosted on Splunk's site, changed app name
  • 1.0.4 (18-Feb-2014) Updated Help to include need for NetAddr::IP Perl module, added error details to problems starting messages
  • 1.0.5 (10-Mar-2014) Updated Help to include Upgrading the App section, fix HOPOPT for Unknown IP protos, add debug logging option, added FAQs page
  • 2.0 (24-Mar-2014) Updated eStreamer libraries to 5.3, revamped Settings screen, add config change detection, pkcs12 exist check, add flow/connection logging and dashboards, optimizing event processing, added CIM field aliases, added View Connection event action, added metadata persistence, many other bug fixes and enhancements
  • 2.1 (04-Apr-2014) Improved client error handling, moved RNA collection into a separate process, add bookmark migration to support new methodology, improved File / Malware dashboard and log processing
  • 2.1.1 (08-Apr-2014) Fixed bug in sha256 lookups for File / Malware events, File / Malware Events dashboard fixes, added shell script for GUI-less config (config_nogui.sh)
  • 2.1.2 (20-Apr-2014) Sec Intel event handling improvements, now translates monitor rules in connection logs, lots of Splunk CIM compliance improvements (lookups, field aliases, etc), renamed Help page to Documentation, added FAQs, added Check for Updates link in Help menu, updated File / Malware Summary dashboard, fixed Profile IP Address page
  • 2.1.3 (08-May-2014) Fixes a bug where eStreamer client would sit idle if it lost connection to eStreamer server
  • 2.1.4 (29-May-2014) Fixed logic in eStreamer client connection test, made certificate problems more apparent in PKCS12 SDK code
  • 2.1.5 (04-Jun-2014) Re-fixed logic in eStreamer client test to try fetching data from established connection
  • 2.1.6 (30-Jun-2014) Added EULA to About page, eStreamer client dies if running on Windows until fully supported, read config file in UTF-8 friendly way, added timestamp to debug messages
  • 2.1.7 (21-Jul-2014) Setup app to check for updates now the app is hosted on apps.splunk.com
  • 2.2.0 (29-Jul-2014) Added option to log the extra data associated with intrusion events for additional context
  • 2.2.1 (14-Aug-2014) Updated documentation, added error handling around metadata cache handling
  • 2.2.2 (07-Sep-2016) Updated the SSL socket creation stanzas to force 'TLSv1' on the SSL connection


Release Notes

Version 2.2.2
Sept. 23, 2016

Version 2.2.1
Aug. 14, 2014

Updated documentation, added error handling around metadata cache handling

Version 2.2.0
July 29, 2014

Added option to Settings enabling the logging of extra data associated with intrusion events for additional context.

Version 2.1.7
July 22, 2014

Setup app to check for updates now the app is hosted on apps.splunk.com

Version 2.1.6
July 9, 2014

Added EULA to About page, eStreamer client dies if running on Windows until fully supported, read config file in UTF-8 friendly way, added timestamp to debug messages

Version 2.1.5
July 8, 2014

Fixed logic in eStreamer client test to try fetching data from established connection
