I recently went through the fun of installing and configuring the latest eStreamer eNcore 3.0 application on Splunk 7.0. I figure a lot of people are interested in doing this, so here is a summary of the process.
The first step is to go into Splunk, click Apps and choose to download new applications. You want to install Cisco eStreamer eNcore for Splunk 3.0 and Cisco eStreamer eNcore Dashboard for Splunk.
The next step is to create a client certificate within Cisco Firepower that will then be installed on Splunk. Log into the Firepower Management Center, select System, Integration and then eStreamer. Choose Create Client. This is important: you want to name the client with the IP address of your Splunk system, because that is the host that will connect to the FMC's eStreamer service. For my example, my Splunk is IP 198.19.10.15. Choose whatever password you see fit.
Save that certificate and click the green arrow to download the certificate. Also make sure you choose what you want
Next, locate the downloaded file and rename it to client.pkcs12. Once that is done, upload the file to a specific folder within Splunk; WinSCP works well for this. For my install, the folder is /opt/splunk/etc/apps/TA-eStreamer/bin/encore. You will notice later that once you put the certificate in this folder, Splunk creates a .key and a .dat version of the file. You will also see configuration.log and estreamer.log appear. These are very helpful for troubleshooting, so I suggest keeping the WinSCP window open so you can double-click these files and read the error messages if things don't work out.
Once this is done, go back to Splunk. Before configuring eStreamer, we need to create a data input. From the Splunk dashboard, click Add Data.
Now go through the steps to set this up. First select Forward.
Next select TCP/UDP. Fill out the port as 8302 and use the IP address for the connection.
Next change the Source Type to cisco:estreamer:data. You can find it by searching, as shown. Click Review and save it.
Now you are ready to set up the eStreamer app. Click Apps and choose Set up for the eStreamer app. You will see that the app needs to be configured.
Uncheck "disable this app", enter the IP address of the Firepower Management Center, port 8302, the path to the certificate you uploaded and the password you created, and select Log Extra Data. Mine is already configured, so here is an image that shows how it should look.
Click save and things should work. You can check by opening the eStreamer dashboard app; it should show that eStreamer is now running.
If it isn't working, there are a few places to check. First, verify your configuration: click Apps and select Set up again. Note that the setup page shows the exact location where you should have placed the certificate as well as the expected file name. Also note that if you tick the checkbox to process the certificate again, you first need to delete the old cert data (the .key and .dat files); more on this below.
Another place to check is your data inputs. Click Settings, Data inputs and choose Scripts.
Verify that the TA-eStreamer scripts are enabled.
Another place to check is the logs, via your WinSCP connection. They may contain error messages such as a certificate error, meaning your Firepower certificate expired, or point to many other issues. If you choose to process the certificate again during the eStreamer app setup, you need to delete the .key and .dat versions of the cert first. The same goes for creating a new certificate in Firepower and replacing the old one: first delete those .key and .dat files, then tick the certificate checkbox again. Verify that Splunk creates new .key and .dat files and see whether things are working.
Hope this helps get your eStreamer running. If you still have problems, my guess is that you are not putting the files in the right folder, you have not removed the .key and .dat files, your scripts are disabled, or the cause is something explained in the logs. Good luck!
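The certificate placement, the reset of the derived .key/.dat files and the log check above are the three things that went wrong for most people, so here is a small set of shell helpers to run on the Splunk host before clicking the certificate checkbox. This is an added example, not code from the post or from the eNcore app. It assumes the folder path quoted above, that the uploaded bundle is named client.pkcs12, and that the files Splunk derives from it end in .key and .dat (the post does not give their exact names, so they are matched by extension); the error keywords searched for in the logs are also an assumption.

```bash
#!/bin/sh
# Added example (not part of the original post or of the eNcore app).
# Helpers for the eNcore certificate directory described in the post.
# Assumptions: the directory below is the one the post uses; derived files are
# matched as *.key / *.dat because the post only says "a .key and .dat version".
ENCORE_DIR="${ENCORE_DIR:-/opt/splunk/etc/apps/TA-eStreamer/bin/encore}"

# check_pkcs12 DIR PASSWORD
# Returns 0 if DIR/client.pkcs12 exists and PASSWORD opens it, 1 if the file is
# missing (not renamed or uploaded to the wrong folder), 2 if openssl cannot
# open it with that password (the "Unable to process pkcs12 file" symptom).
check_pkcs12() {
    dir="$1"; pass="$2"
    if [ ! -f "$dir/client.pkcs12" ]; then
        echo "missing $dir/client.pkcs12: rename the FMC download and upload it here" >&2
        return 1
    fi
    # -noout: only verify the bundle decrypts, print no keys or certificates.
    if ! openssl pkcs12 -in "$dir/client.pkcs12" -passin "pass:$pass" -noout >/dev/null 2>&1; then
        echo "client.pkcs12 does not open with that password (wrong password or bad export)" >&2
        return 2
    fi
    return 0
}

# reset_derived DIR
# Removes the .key/.dat files Splunk generated from an earlier certificate so
# that "process certificate" in the app setup regenerates them from the new
# client.pkcs12, which is kept. Prints the name of each removed file.
reset_derived() {
    dir="$1"
    for f in "$dir"/*.key "$dir"/*.dat; do
        if [ -e "$f" ]; then
            rm -f "$f" && echo "removed $f"
        fi
    done
    return 0
}

# log_errors DIR
# Prints lines that look like errors from the two logs the post points at.
# The keyword list is an assumption, not taken from the eNcore source.
log_errors() {
    dir="$1"
    for log in "$dir/configuration.log" "$dir/estreamer.log"; do
        if [ -f "$log" ]; then
            grep -iE 'error|exception|fail' "$log" || :
        fi
    done
    return 0
}

# Typical use when replacing the certificate: verify the new bundle, clear the
# old derived files, then tick the certificate checkbox in the app setup and
# re-run log_errors if the dashboard still shows eStreamer as not running.
#   check_pkcs12 "$ENCORE_DIR" 'your-pkcs12-password' && reset_derived "$ENCORE_DIR"
#   log_errors "$ENCORE_DIR"
```

Run check_pkcs12 first: if it fails with return code 1 the file is in the wrong place or has the wrong name, and if it fails with 2 the password or the export itself is the problem, which is worth knowing before you touch the .key and .dat files.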
5 thoughts on “Configuring Cisco Firepower eStreamer with Splunk 7”
I was looking for instructions on how to do this and was glad that you had tried it and it worked. What I noticed is that you configured three things, Cisco eStreamer eNcore Dashboard for Splunk, TA-eStreamer and Cisco eStreamer for Splunk. I generated the certificate from FMC with and without the password and still it fails. My eStreamer dashboard is showing that it is currently disabled. I tried all variations, and nothing seemed to work. Since the last time I looked was yesterday, I noticed that it couldn't process the certificate. Is it because there is not a valid SSL cert and only a self-generated cert? Not sure you can answer my question.
What’s your FMC version? upgrade to 18.104.22.168 or later.
Great article. There were many things I overlooked and this article helped me solve part of the issue. As for the previous user comment, try running ./splencore test. This may assist you with processing your cert.
Very good and simple blog to follow steps. We followed it with no issue. Thanks.
FMC running 22.214.171.124.
I have done the splencore.sh test and it fails when it asks for the pkcs12 password.
Error: EncoreException: Unable to process pkcs12 file. Possibly a password problem.
For testing did not use any password on pkcs12 file.