Cisco eStreamer collector
Service description
The Cisco Event Streamer (also known as Cisco eStreamer) allows you to stream Firepower System events to external client applications. You can stream host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection data from a Management Center and you can stream intrusion data from 7000 and 8000 series devices.
Data source description
Currently, the Cisco eStreamer collector generates host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection events. The collector processes the eStreamer responses and sends them to the Devo platform, which categorizes all the information received into the following tables:
Group name | Details | Data tables
---|---|---
Metadata | Context information for codes and numeric identifiers in the event records |
Packet | Packets associated with intrusion events |
Intrusion | Intrusion events generated by managed devices |
File malware | Malware events |
Correlation | Correlation and allow list events |
Connection | Connection events |
RNA | Realtime Network Awareness events |
RUA | Realtime User Awareness events |
Event | Additional data for intrusion events |
For more info about the Cisco eStreamer, visit the Firepower System Event Streamer Integration Guide.
Setup
The Cisco eStreamer data collector works against Cisco FMC (Firepower Management Center) devices. To start receiving data over the eStreamer protocol, you need to set up the eStreamer service in the FMC.
Setting up eStreamer
1. Access the FMC web console.
2. Go to System → Integration → eStreamer.
3. Check the events that you want to receive and save the changes.
4. Create a new client and save the certificate (and its password) to use later in the collector. Using a password is mandatory. The IP address to enter for the client is the IP of the collector (the client), not the IP of the FMC server.
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Troubleshooting
Some common points to check in case of problems:

- Double-check that the collector's `host` parameter is set to the IP of the FMC, and that the certificate was created for the IP of the client (the collector). The FMC has the API server listening on port 8302; the IP address it listens on can be checked by executing this command from a terminal in the FMC: `netstat -an | grep 8302`
- The FMC and the collector must have network visibility of each other. Check whether there is a firewall between the FMC and the collector: port 8302 must be open for the collector. You can check it by installing the `nmap` utility on the collector computer (for instance, on Ubuntu or Debian, `sudo apt install nmap`) and then executing from a terminal on the collector computer: `nmap -p8302 x.y.ip.fmc`, where `x.y.ip.fmc` is the IP of the FMC.
- The generated certificate should use a password. A password-less certificate can cause an error in the collector.
- It is possible to discover whether the FMC is rejecting the certificate. Execute in a terminal in the FMC the command `cat /var/log/messages | grep "EventStreamer" | grep "Certificate"` or, to see only errors, `cat /var/log/messages | grep "EventStreamer" | grep "Certificate" | grep ERROR`

Other interesting points to check can be found on this website.
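The following script is an added example and is not part of the Devo collector or of Cisco's tooling. It wraps the checks above so they can be run repeatedly: it parses `netstat -an` output for the address on which the FMC listens on port 8302, counts certificate rejections in `/var/log/messages` using the same grep filters as the documentation, and probes port 8302 from the collector host with `nmap` (falling back to `nc -z`). The netstat and log lines embedded in the script are constructed samples so that the parsing functions can be exercised offline; the log line format of a real FMC may differ, but the filters (lines containing `EventStreamer`, `Certificate` and `ERROR`) are the ones the page gives.

```shell
#!/bin/sh
# Added example (not Devo's or Cisco's code): helpers for the eStreamer
# troubleshooting checks. Sample data below is constructed for this example.

ESTREAMER_PORT=8302

# Constructed stand-in for `netstat -an | grep 8302` run on the FMC.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:8302           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8302           10.0.0.20:51234         ESTABLISHED
tcp        0      0 10.0.0.5:51002          10.0.0.9:8302           TIME_WAIT'

# Constructed stand-in for lines of /var/log/messages on the FMC (format is
# illustrative, not a captured FMC log).
SAMPLE_MESSAGES='Jan 10 12:00:01 fmc estreamer: EventStreamer Certificate verify failed for 10.0.0.20 ERROR
Jan 10 12:00:05 fmc estreamer: EventStreamer client 10.0.0.21 connected
Jan 10 12:01:00 fmc estreamer: EventStreamer Certificate loaded for 10.0.0.21'

# Print the local IP(s) on which the eStreamer port is in LISTEN state.
# Argument: the text of `netstat -an` (or of `netstat -an | grep 8302`).
# Empty output means the FMC has no listener on the port.
estreamer_listen_addrs() {
    printf '%s\n' "$1" | awk -v port="$ESTREAMER_PORT" '
        BEGIN { re = ":" port "$" }
        $NF == "LISTEN" && $4 ~ re { sub(re, "", $4); print $4 }'
}

# Count log lines that mention EventStreamer, Certificate and ERROR: the
# same three filters the documentation chains with grep. Prints the count.
count_cert_errors() {
    n=$(printf '%s\n' "$1" | grep "EventStreamer" | grep "Certificate" | grep -c ERROR || true)
    printf '%s\n' "$n"
}

# Probe TCP reachability of the FMC's eStreamer port from the collector host.
# Uses nmap as the documentation does; falls back to `nc -z` (assumed to be
# the OpenBSD/GNU netcat option). Returns 0 when the port is open.
check_fmc_port() {
    fmc_host="$1"
    if command -v nmap >/dev/null 2>&1; then
        nmap -p"$ESTREAMER_PORT" "$fmc_host" | grep -q "$ESTREAMER_PORT/tcp open"
    elif command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$fmc_host" "$ESTREAMER_PORT"
    else
        echo "neither nmap nor nc is installed on this host" >&2
        return 2
    fi
}

# Offline demonstration on the constructed samples.
echo "FMC addresses listening on $ESTREAMER_PORT:"
estreamer_listen_addrs "$SAMPLE_NETSTAT"
echo "Certificate errors in the log sample: $(count_cert_errors "$SAMPLE_MESSAGES")"
# On a real deployment, run from the collector host, e.g.:
#   check_fmc_port x.y.ip.fmc && echo "port $ESTREAMER_PORT reachable"
```

On the FMC, pipe the real output in: `estreamer_listen_addrs "$(netstat -an | grep 8302)"` and `count_cert_errors "$(cat /var/log/messages)"`. A non-zero error count together with a reachable port points at the client certificate (wrong client IP or a password-less certificate) rather than at the network path.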
Change log for 1.x.x
Release | Released on | Release type | Details | Recommendations
---|---|---|---|---
| Apr 13, 2022 | IMPROVEMENTS, VULNS | Improvements; vulnerabilities mitigation |
| May 24, 2022 | IMPROVEMENTS | Improvements |
| Jul 11, 2022 | BUG FIX | Bug fixes |