Integrating Splunk and Firepower's eStreamer

In this blog post, I'll be writing about adding Firepower logs to Splunk. With Firepower, we will use the built-in eStreamer to send this data securely to our Splunk server. To configure this on your own Splunk server, you will need to download and install the following apps on your Splunk server:

  • Cisco eStreamer for Splunk - https://splunkbase.splunk.com/app/1629/#/details
  • Splunk Add-on for Cisco FireSight - https://splunkbase.splunk.com/app/1808/

After you have those apps installed on Splunk, you'll also need to make sure the following Perl modules are installed on the Ubuntu machine that runs Splunk (the eStreamer client that the app ships is a Perl script, so it runs there):

  • Getopt::Long
  • Socket
  • IO::Socket::SSL
  • NetAddr::IP
  • Storable
  • Socket6 (Only required if IPv6 is used)
  • IO::Socket::INET6 (Only required if IPv6 is used)

An easy way to find these modules and make sure they are installed is to issue the following command in a terminal:

apt-cache search <module-name>

After you find the module you want through the search, install it with the following command:

sudo apt-get install <package-you-want-to-install>

If you want to ensure that the modules are all installed and the eStreamer client is working, you can test it with the following command:

sudo /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl

If the script prints its usage options instead of a Perl error about a missing module, you are good.
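To run that module check from one script rather than testing each module by hand, here is an added example (my own, not part of the Cisco eStreamer app): it tries to load each module with `perl -M<module> -e 1` and, for anything missing, prints the Debian/Ubuntu package I would expect to provide it. The package names in `debian_package_for` are an assumption to confirm with `apt-cache search` on your release.

```shell
#!/bin/sh
# check_estreamer_perl_deps.sh  (added example; not part of the Cisco app)
# Tries to load each Perl module the eStreamer client needs and names the
# Debian/Ubuntu package that is expected to provide any missing one.

# Modules the client requires; the IPv6 ones are only needed if IPv6 is used.
REQUIRED_MODULES="Getopt::Long Socket IO::Socket::SSL NetAddr::IP Storable"
IPV6_MODULES="Socket6 IO::Socket::INET6"

# perl_module_present MODULE -> 0 if perl can load MODULE, non-zero otherwise
# (`perl -MFoo::Bar -e 1` loads the module and then runs an empty program).
perl_module_present() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# debian_package_for MODULE -> prints the apt package name for MODULE.
# Assumed mapping for Debian/Ubuntu; confirm with `apt-cache search` if a
# name differs on your release.
debian_package_for() {
    case "$1" in
        Getopt::Long|Socket|Storable) echo "perl" ;;   # shipped with core perl
        IO::Socket::SSL)   echo "libio-socket-ssl-perl" ;;
        NetAddr::IP)       echo "libnetaddr-ip-perl" ;;
        Socket6)           echo "libsocket6-perl" ;;
        IO::Socket::INET6) echo "libio-socket-inet6-perl" ;;
        *)                 echo "unknown" ;;
    esac
}

# check_modules "Mod1 Mod2 ..." -> prints one status line per module and
# returns the number of modules that could not be loaded (0 = all present).
check_modules() {
    missing=0
    for mod in $1; do
        if perl_module_present "$mod"; then
            printf 'ok       %s\n' "$mod"
        else
            printf 'MISSING  %s  (sudo apt-get install %s)\n' \
                "$mod" "$(debian_package_for "$mod")"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# When run directly: check the required set, report the optional IPv6 set,
# and exit non-zero if anything required is missing.
if [ "${0##*/}" = "check_estreamer_perl_deps.sh" ]; then
    echo "required modules:"
    check_modules "$REQUIRED_MODULES"; required_missing=$?
    echo "optional (IPv6) modules:"
    check_modules "$IPV6_MODULES" || true
    [ "$required_missing" -eq 0 ] || exit 1
fi
```

Run it as `sh check_estreamer_perl_deps.sh`; a non-zero exit means at least one required module is missing, and each MISSING line carries the install command to try.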

The next thing you will want to do is go to your Firepower Management Center and navigate to System > Integration > eStreamer. From here, click Create Client.

On the next page, configure the IP address of the Splunk server. You may optionally also set a password here; it protects the client certificate you are about to download, and you will need to enter it again in the Splunk app. Click Save when you are done.

On the next page, click the downward arrow next to the hostname of your new client to download the client certificate. This will be important later.

While on this same screen in Firepower, check the boxes for the events you would like to send to Splunk via eStreamer and then click Save.

In Splunk, let's start by creating our data input before we configure the eStreamer app. From the main dashboard, go to Add Data and choose TCP/UDP. On this page, choose the following:

  • TCP
  • Port: 8302
  • Only accept connection from: <IP of the Firepower Management Center>

Click Next.

On the next page, change the following:

  • Source type: eStreamer
  • Host: IP (the host field is taken from the sending IP address)

Click Review when done and save it.

Next, go back to the main Splunk dashboard and click on the eStreamer app in the sidebar. It should ask you to configure the application; click Configure to open the app setup page.
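The Add Data steps above create a TCP input; the same input can be defined in an inputs.conf under $SPLUNK_HOME/etc, which is handy when the Splunk server is built from configuration rather than by hand. The script below is an added example (mine, not from the original setup or the Cisco app): it validates the sender address and prints the stanza equivalent to the four UI choices. One caveat worth keeping in mind: acceptFrom filters on the address a connection actually arrives from, so it must match whichever process opens the socket to port 8302.

```shell
#!/bin/sh
# estreamer_input_stanza.sh  (added example; not part of the Cisco app)
# Prints the inputs.conf stanza equivalent to the Add Data steps:
# TCP input, sourcetype eStreamer, host from sender IP, one permitted sender.
# Usage: sh estreamer_input_stanza.sh <sender IP> [port]   (port defaults to 8302)

# is_ipv4 ADDR -> 0 for a dotted quad with four octets in 0..255, 1 otherwise
is_ipv4() {
    addr=$1
    # reject empty strings, leading/trailing dots and empty octets up front
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
    # split on dots; anything left over after four fields lands in $extra
    IFS=. read -r a b c d extra <<EOF
$addr
EOF
    [ -n "$d" ] && [ -z "$extra" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        case "$octet" in *[!0-9]*) return 1 ;; esac   # digits only
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# estreamer_input_stanza SENDER_IP [PORT] -> prints the inputs.conf stanza,
# or returns 1 (with a message on stderr) if the address or port is invalid.
estreamer_input_stanza() {
    sender=$1
    port=${2:-8302}
    is_ipv4 "$sender" || { echo "not an IPv4 address: $sender" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    printf '[tcp://%s]\n' "$port"
    printf 'sourcetype = eStreamer\n'
    printf 'connection_host = ip\n'        # host field = the sender's IP address
    printf 'acceptFrom = %s\n' "$sender"   # only this peer may connect to the port
}

# When run directly, emit the stanza for the address given on the command line.
if [ "$#" -ge 1 ]; then
    estreamer_input_stanza "$1" "$2" || exit 1
fi
```

Redirect the output into the local inputs.conf of the app you want to own the input and restart Splunk, or compare it against what the UI wrote to confirm the two match.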

On the eStreamer for Splunk: Settings page, do the following:

  • Uncheck the box for Disable eStreamer client
  • Add the Firepower Management Center IP address in the Defense Center field
  • Copy the client certificate you previously downloaded to a location on the Splunk server, and enter that path under the Certificate path and filename field
  • Enter the password if you set one when creating the client
  • Check the boxes for the logging options you want

Click Save when completed.
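Before you click Save, it is worth confirming that the certificate file and password actually go together; the usual failures at this step are a mistyped password or a file that did not download completely. The script below is an added example (mine, not part of the Cisco app). It assumes the file downloaded from the Management Center is a PKCS#12 bundle; it checks that the bundle opens with the password, prints the client certificate's subject, and warns if the certificate is close to expiry.

```shell
#!/bin/sh
# verify_estreamer_cert.sh  (added example; not part of the Cisco app)
# Checks that the eStreamer client certificate (a PKCS#12 bundle) opens with
# the password set on the Management Center, before the path and password go
# into the eStreamer for Splunk settings page.
# Usage: sh verify_estreamer_cert.sh /path/to/client.pkcs12 'password'
# Note: `-passin pass:` exposes the password in the process list; for anything
# beyond an interactive check, use `-passin file:<path>` instead.

# p12 ARGS... -> run `openssl pkcs12 ARGS`, retrying with -legacy. OpenSSL 3's
# default provider refuses the RC2/3DES encryption older bundles use; the
# retry only helps when the legacy provider is installed.
p12() {
    openssl pkcs12 "$@" 2>/dev/null || openssl pkcs12 -legacy "$@" 2>/dev/null
}

# pkcs12_opens FILE PASSWORD -> 0 when the bundle parses with PASSWORD,
# 1 when the file is unreadable, the password is wrong, or it is not PKCS#12.
pkcs12_opens() {
    [ -r "$1" ] || return 1
    p12 -in "$1" -passin "pass:$2" -noout -nokeys >/dev/null
}

# pkcs12_subject FILE PASSWORD -> prints the subject of the client certificate
# in the bundle (empty output if the bundle cannot be opened).
pkcs12_subject() {
    p12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -subject 2>/dev/null
}

# pkcs12_cert_valid_for FILE PASSWORD DAYS -> 0 if the client certificate is
# still valid DAYS days from now, 1 if it expires before then (or cannot be read).
pkcs12_cert_valid_for() {
    p12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# When run directly: report whether the bundle opens, whose certificate it
# holds, and whether it expires within 30 days.
if [ "$#" -ge 2 ]; then
    if pkcs12_opens "$1" "$2"; then
        echo "certificate opens: $(pkcs12_subject "$1" "$2")"
        pkcs12_cert_valid_for "$1" "$2" 30 \
            || echo "warning: client certificate expires within 30 days"
    else
        echo "cannot open $1 with that password (wrong password, wrong file," \
             "or a legacy PKCS#12 on OpenSSL 3 without the legacy provider)" >&2
        exit 1
    fi
fi
```

If the bundle only opens with the `-legacy` retry, the Perl client on the Splunk server may hit the same restriction through IO::Socket::SSL, so it is worth knowing that before debugging the app's own log.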

When this has completed correctly, you should see logs starting to show up in your eStreamer dashboard, as shown below.