I recently went through the fun of installing and configuring the latest eStreamer 3.0 application on Splunk 7.0. I figured a lot of people are interested in doing this, so I thought I'd summarize it on my blog. Here is a summary of the process.
The first step is to go into Splunk, click Apps and choose to download new applications. You want to install the Cisco eStreamer eNcore for Splunk 3.0 and the Cisco eStreamer eNcore Dashboard for Splunk.
The next step is to create a certificate within Cisco Firepower that will need to be installed on Splunk. Log into Firepower, select System, then Integration, and select eStreamer. Choose Create Client. This is important: you want to name the certificate after the IP address of your Splunk system. For my example, my Splunk is at IP 198.19.10.15. Choose whatever password you see fit.
Next you need to locate the downloaded file and rename it to client.pkcs12. Once done, you need to upload this file to a specific folder within Splunk. You can do this using WinSCP. For my install, the folder is located at /opt/splunk/etc/apps/TA-eStreamer/bin/encore. You will notice later that once you put the certificate in this folder, Splunk will create a .key and a .dat version of the file. You will also see configuration.log and estreamer.log appear. These are very helpful for troubleshooting. I suggest keeping this folder open so you can double click these files to see error messages if things don't work out for you.
You will want to uncheck "disable this app", put in the IP address of the Firepower Management Center, set the port to 8302, enter the path to the cert you uploaded and the password you created, and select Log Extra Data. I have already completed my setup, so here is an image that shows how it should look.
If you find it isn't working, there are a few places to check. First, you can click the app and verify your configuration. Click Apps and select Setup again. Note that the app shows the exact location where you should have placed the file as well as the file name. Also note that if you tick the checkbox to process the cert, you will first want to delete the old cert data. I'll explain this more below.
Another place to check is the logs via your WinSCP connection. The logs may contain error messages such as a certificate error, meaning your Firepower certificate expired, or any of many other issues. If you choose to process the certificate again during the eStreamer app setup, you will need to delete the .key and .dat versions of the cert. The same goes for creating a new certificate in Firepower and replacing the old one: first delete those .key and .dat files, then try selecting Certificate again. Verify that the new .key and .dat files are created by Splunk and see if things are working.
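The checks above (right folder, right file name, stale .key/.dat files, error lines in the logs) are easy to script so you can run them on the Splunk host before opening the setup page again. The script below is an added example I wrote for this post; it is not part of the Cisco app. It takes the encore folder path and the client.pkcs12/.key/.dat names from the steps above, and the keyword list used to flag log lines is my own assumption.

```shell
#!/bin/sh
# Pre-flight check for the eStreamer eNcore client files (example code, not
# part of the Cisco app). The folder path and file names come from the setup
# steps; the log keyword list is an assumption.

ENCORE_DIR="${ENCORE_DIR:-/opt/splunk/etc/apps/TA-eStreamer/bin/encore}"

# check_cert_files DIR
#   returns 0 when client.pkcs12 is present and every .key/.dat file is newer
#             than it (i.e. they were derived from this certificate)
#   returns 1 when client.pkcs12 is missing (wrong folder or wrong file name)
#   returns 2 when a .key/.dat file is older than client.pkcs12 (left over from
#             a previous cert; delete it before ticking "process certificate")
check_cert_files() {
    dir="$1"
    if [ ! -f "$dir/client.pkcs12" ]; then
        echo "MISSING: $dir/client.pkcs12 (export from Firepower, rename, upload here)"
        return 1
    fi
    stale=0
    for f in "$dir"/*.key "$dir"/*.dat; do
        [ -e "$f" ] || continue            # glob matched nothing
        if [ "$f" -ot "$dir/client.pkcs12" ]; then
            echo "STALE: $f predates client.pkcs12; delete it and re-process the certificate"
            stale=1
        else
            echo "OK: $f"
        fi
    done
    [ "$stale" -eq 0 ] || return 2
    echo "OK: $dir/client.pkcs12"
    return 0
}

# count_log_errors LOGFILE
#   prints the number of lines in configuration.log / estreamer.log that look
#   like a connection or certificate failure; prints 0 for a missing file
count_log_errors() {
    log="$1"
    if [ ! -f "$log" ]; then
        echo 0
        return 0
    fi
    # grep -c prints the count but exits 1 on zero matches, hence "|| true"
    grep -Eic 'error|certificate|ssl|refused|timed out' "$log" || true
}

# Stand-alone use on the Splunk host: only runs when the app folder exists.
if [ -d "$ENCORE_DIR" ]; then
    check_cert_files "$ENCORE_DIR"
    for name in configuration.log estreamer.log; do
        echo "$name: $(count_log_errors "$ENCORE_DIR/$name") suspicious line(s)"
    done
fi
```

Run it as the splunk user so it can read the app folder; a STALE line is the "delete the .key and .dat files first" case, and a non-zero count points you at the log to open in WinSCP.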
Hope this helps get your eStreamer running. If you still have problems, my guess is that either you are not putting the files in the right folder, you have not removed the .key and .dat files, your scripts are disabled, or it is something that is explained in the logs. Good luck!