{"type":"doc","content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"2"},"type":{"value":"flat"}},"macroMetadata":{"macroId":{"value":"4a7c0f57-709b-42c4-a35e-d1ca7cba1005"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"03e421da-76de-4fdf-b53c-f6b17ad5e563"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Service description","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"Cisco Event Streamer","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.cisco.com/c/en/us/td/docs/security/firepower/660/api/eStreamer/EventStreamerIntegrationGuide_660.pdf"}}]},{"text":" (also known as Cisco eStreamer) allows you to stream Firepower System events to external client applications. You can stream host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection data from a Management Center and you can stream intrusion data from 7000 and 8000 series devices.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Data source description","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"paragraph","content":[{"text":"Currently, the Cisco eStreamer collector generates host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection events. The collector processes the eStreamer responses and sends them to the Devo platform, which will categorize all the information received on the following tables:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"d0a7d42a-700b-420f-9d04-de41aa5e56bd"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Group name","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"Data tables","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Metadata","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Context information for codes and numeric identifiers in the event records","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.metadata","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Packet","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Packets associated with intrusion events","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.packet","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Intrusion","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Intrusion events generated by managed devices","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.intrusion","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"File malware","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Malware events","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.file_malware","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Correlation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Correlation and allow list events","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.correlation","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Connection","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Connection events","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.connection","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"RNA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Realtime Network Awareness events","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.rna","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"RUA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Realtime User Awareness events","type":"text","marks":[{"type":"textColor","attrs":{"color":"#555555"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.rua","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Event","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[250.0]},"content":[{"type":"paragraph","content":[{"text":"Additional data for intrusion events","type":"text","marks":[{"type":"textColor","attrs":{"color":"#58585b"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[351.0]},"content":[{"type":"paragraph","content":[{"text":"firewall.cisco.fmc_estreamer.event","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"For more info about the Cisco eStreamer, visit the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"Firepower System Event Streamer Integration Guide","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}},{"type":"link","attrs":{"href":"https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer/EventStreamerIntegrationGuide/Intro.html"}}]},{"text":".","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Setup","type":"text"}]},{"type":"paragraph","content":[{"text":"The Cisco eStreamer data collector works over the Cisco FMC (Firepower Management Center) devices. To start receiving data from the eStreamer protocol, you need to set up the eStreamer service in the FMC.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Setting up eStreamer","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Access the FMC web console.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to ","type":"text"},{"text":"System → Integration → eStreamer","type":"text","marks":[{"type":"strong"}]},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":3828,"id":"eb0ac8c4-74d1-4b84-b282-1c461fa7332f","collection":"contentId-313860101","type":"file","height":748}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check the events that you want to receive and save the changes.","type":"text"},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":3822,"id":"3a6b3f7e-14c0-4e04-80ca-8e7e265d0a0e","collection":"contentId-313860101","type":"file","height":1120}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create a new client and save the certificate (and password) to use later in the collector. Using a password is mandatory. The IP to use is the IP of the collector, the client, not the one from FMC server.","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":3822,"id":"f4237ceb-2449-4950-81ab-f37c788dbfc2","collection":"contentId-313860101","type":"file","height":1120}}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Run the collector","type":"text"}]},{"type":"paragraph","content":[{"text":"Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (","type":"text"},{"text":"Cloud collector","type":"text","marks":[{"type":"underline"}]},{"text":"), or deploy and host the collector in your own machine using a Docker image (","type":"text"},{"text":"On-premise collector","type":"text","marks":[{"type":"underline"}]},{"text":").","type":"text"}]},{"type":"bodiedExtension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-ui-tabs-macro","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"5ce2abf1-fed9-4901-824b-a95d554ed8d5"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://d1bgdtsfe1sjdg.cloudfront.net/refinedtheme-for-cloud/macro-icons/tabs.png"}}],"title":"UI Tabs"}},"localId":"07ab2cd0-9648-424a-98c9-caaa1794ecc3"},"content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-tab","parameters":{"macroParams":{"title":{"value":"Cloud collector"}},"macroMetadata":{"macroId":{"value":"7958d4a471e74cf85658d0bfa9829434"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://d1bgdtsfe1sjdg.cloudfront.net/refinedtheme-for-cloud/macro-icons/tab.png"}}],"title":"UI Tab"}},"localId":"b5e1deba-5102-401e-ab87-d1752d1f073c"}},{"type":"paragraph","content":[{"text":"We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, ","type":"text"},{"text":"get in touch with us","type":"text","marks":[{"type":"link","attrs":{"href":"mailto:support@devo.com"}}]},{"text":" and we will guide you through the configuration.","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-tab","parameters":{"macroParams":{"title":{"value":"On-premise collector"}},"macroMetadata":{"macroId":{"value":"9dac797660507674036a630be347239a"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://d1bgdtsfe1sjdg.cloudfront.net/refinedtheme-for-cloud/macro-icons/tab.png"}}],"title":"UI Tab"}},"localId":"396eb10a-9d2d-4666-9d0f-54dc825dae71"}},{"type":"paragraph","content":[{"text":"This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Structure","type":"text"}]},{"type":"paragraph","content":[{"text":"The following directory structure should be created for being used when running the Cisco eStreamer collector:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n└── devo-collectors/\n └── cisco/\n ├── certs/\n │ ├── chain.crt\n │ ├── .key\n │ └── .crt\n └── config/ \n └── config-cisco.yaml","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Devo credentials","type":"text"}]},{"type":"paragraph","content":[{"text":"In Devo, go to ","type":"text"},{"text":"Administration → Credentials → X.509 Certificates","type":"text","marks":[{"type":"strong"}]},{"text":", download the ","type":"text"},{"text":"Certificate","type":"text","marks":[{"type":"strong"}]},{"text":", ","type":"text"},{"text":"Private key","type":"text","marks":[{"type":"strong"}]},{"text":" and ","type":"text"},{"text":"Chain CA","type":"text","marks":[{"type":"strong"}]},{"text":" and save them in ","type":"text"},{"text":"/devo-collectors/cisco/certs","type":"text","marks":[{"type":"code"}]},{"text":". Learn more about security credentials in Devo ","type":"text"},{"text":"here","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/NDT5/pages/57479321"}}]},{"text":".","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":1840,"id":"6e2d498a-409a-4ae3-8ac1-3bee1b427f14","collection":"contentId-313860101","type":"file","height":414}}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Editing the config-cisco.yaml file","type":"text"}]},{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"config-cisco.yaml","type":"text","marks":[{"type":"strong"}]},{"text":" file, replace the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":" and","type":"text","marks":[{"type":"code"}]},{"text":" ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" values and enter the ones that you got in the previous steps. In the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" placeholder, enter the value that you choose.","type":"text"}]},{"type":"codeBlock","content":[{"text":"globals:\n debug: false\n id: not_used\n name: cisco_col\n persistence:\n type: filesystem # File system persistence ON\n config:\n directory_name: state # Directory where the persistence will be saved in case of using filesystem\noutputs:\n devo_1:\n type: devo_platform\n config:\n address: collector-eu.devo.io # Cloud Devo config EU (for US use collector-eu.devo.io)\n port: 443\n type: SSL\n chain: chain.crt\n cert: .crt\n key: .key\ninputs:\n cisco_estreamer:\n id: # The value of this field will be used internally for having independent persistence areas\n enabled: true\n requests_per_second: 5 # Setup how many request API por second\n services: # Services available\n event_estreamer:\n request_period_in_seconds: 300 # Setting up time interval between API requests.\n servers:\n server1: \n start_time: 2020-01-01T00:00:00 # Collector Initial time. Must follow the format showed in the sample\n #force_start_time: true # OPTIONAL. Forces to retrieve the data from the given start_time\n host: 192.168.0.1 # Firewall Management Center IP\n pkcs12Filepath: credentials/ # eStreamer client certificate. Must be in \"credentials\" folder\n #pkcs12base64: credentials_in_base64 # Base64 client certificate string. Optional field\n pkcs12Password: mysecurepassword # Client certificate password/passphrase\n port: 8302 # eStreamer port\n tlsVersion: 1.2 # Used TLS version","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"start_time","type":"text","marks":[{"type":"code"}]},{"text":" value must have the following format:","type":"text"}]},{"type":"paragraph","content":[{"text":"“start_time” format: 0000-00-00T00:00:00","type":"text","marks":[{"type":"code"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Download the Docker image","type":"text"}]},{"type":"paragraph","content":[{"text":"The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"9b296c2c-10d6-474d-97b0-45c3720cb4d5"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[363.0]},"content":[{"type":"paragraph","content":[{"text":"Collector Docker image","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[363.0]},"content":[{"type":"paragraph","content":[{"text":"SHA-256 hash","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[363.0]},"content":[{"type":"paragraph","content":[{"text":"collector-cisco-docker-image-1.2.0.tgz","type":"text","marks":[{"type":"link","attrs":{"href":"https://drive.google.com/uc?export=download&id=1yL-V6t_iIf2GJJUZ2jhI3jV8uHmrYOjt"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[363.0]},"content":[{"type":"paragraph","content":[{"text":"1c538bb622f15926e5915a173e93b4e4a09156ca20a80534ae5b0fed869d7a2a","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"Use the following command to add the Docker image to the system:","type":"text"}]},{"type":"codeBlock","content":[{"text":"gunzip -c collector-cisco-docker-image-.tgz | docker load","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with a proper value.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"The Docker image can be deployed on the following services:","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Docker","type":"text"}]},{"type":"paragraph","content":[{"text":"Execute the following command on the root directory ","type":"text"},{"text":"/devo-collectors/cisco/","type":"text","marks":[{"type":"code"}]}]},{"type":"codeBlock","content":[{"text":"docker run \\\n--name collector-cisco \\\n--volume $PWD/certs:/devo-collector/certs \\\n--volume $PWD/credentials:/devo-collector/credentials \\\n--volume $PWD/config:/devo-collector/config \\\n--volume $PWD/state:/devo-collector/state \\\n--env CONFIG_FILE=config-cisco.yaml \\\n--rm -it docker.devo.internal/collector/cisco_collector:","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with a proper value.","type":"text"}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Docker Compose","type":"text"}]},{"type":"paragraph","content":[{"text":"The following Docker Compose file can be used to execute the Docker container. It must be created in the ","type":"text"},{"text":"/devo-collectors/cisco/","type":"text","marks":[{"type":"code"}]},{"text":" directory.","type":"text"}]},{"type":"codeBlock","content":[{"text":"version: '3'\nservices:\n collector-cisco:\n image: docker.devo.internal/collector/cisco_collector:${IMAGE_VERSION:-latest}\n container_name: collector-cisco\n volumes:\n - ./certs:/devo-collector/certs\n - ./config:/devo-collector/config\n - ./credentials:/devo-collector/credentials\n - ./state:/devo-collector/state\n environment:\n - CONFIG_FILE=${CONFIG_FILE:-config-cisco.yaml}","type":"text"}]},{"type":"paragraph","content":[{"text":"To run the container using docker-compose, execute the following command from the ","type":"text"},{"text":"/devo-collectors/cisco/","type":"text","marks":[{"type":"code"}]},{"text":" directory:","type":"text"}]},{"type":"codeBlock","content":[{"text":"IMAGE_VERSION= docker-compose up -d","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"paragraph","content":[{"text":"Some common points to check in case of problems:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Doublecheck that the IP of the FMC is the parameter ","type":"text"},{"text":"host","type":"text","marks":[{"type":"code"}]},{"text":", and the certificate was created for the IP of the client (the collector).","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The FMC has the API server listening and the IP address that is used can be checked by executing this command from a terminal in the FMC: ","type":"text"},{"text":"netstat -an | grep 8302","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"It is needed that both FMC and the collector have network visibility. Check if there is a firewall between the FMC and the collector. Port 8302 must be open for the collector. You can check it by installing ","type":"text"},{"text":"nmap","type":"text","marks":[{"type":"code"}]},{"text":" utility in the collector computer (for instance, in Ubuntu or Debian, ","type":"text"},{"text":"sudo apt install nmap","type":"text","marks":[{"type":"code"}]},{"text":"). Then execute from a terminal in the collector computer: ","type":"text"},{"text":"nmap -p8302 x.y.ip.fmc","type":"text","marks":[{"type":"code"}]},{"text":" where ","type":"text"},{"text":"x.y.ip.fmc","type":"text","marks":[{"type":"code"}]},{"text":" should be the IP of the FMC.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The certificate generated should use a password. A password-less certificate can cause an error in the collector","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"It is possible to discover if the FMC is rejecting the certificate. Execute in a terminal in the FMC the command ","type":"text"},{"text":"cat /var/log/messages | grep \"EventStreamer\" | grep \"Certificate\"","type":"text","marks":[{"type":"code"}]},{"text":" or ","type":"text"},{"text":"cat /var/log/messages | grep \"EventStreamer\" | grep \"Certificate\" | grep ERROR","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Other interesting points to check can be found ","type":"text"},{"text":"on this website.","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118071-troubleshoot-firesight-00.html"}}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Change log for 1.x.x","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"dd297006-ff72-41f4-833c-5d6f15488587"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[94.0]},"content":[{"type":"paragraph","content":[{"text":"Release","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[115.0]},"content":[{"type":"paragraph","content":[{"text":"Released on","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[109.0]},"content":[{"type":"paragraph","content":[{"text":"Release type","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[144.0]},"content":[{"type":"paragraph","content":[{"text":"Recommendations","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[94.0]},"content":[{"type":"paragraph","content":[{"text":"v1.1.0","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[115.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1649808000000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[109.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"IMPROVEMENTS","localId":"594d5ba4-a924-4b9c-b58a-dbc93c6203fd"}}]},{"type":"paragraph","content":[{"type":"status","attrs":{"color":"yellow","style":"bold","text":"VULNS","localId":"392f5880-b12d-42ec-ad99-148398ca14bc"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"Improvements:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The underlay IFC SDK has been updated from ","type":"text"},{"text":"v1.1.2","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"v1.1.3","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The resilience has been improved with a new feature that restart the collector when the Devo connections is lost and it cannot be recovered.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Vulnerabilities mitigation:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"All ","type":"text"},{"text":"critical","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"high","type":"text","marks":[{"type":"code"}]},{"text":" vulnerabilities have been mitigated.","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[144.0]},"content":[{"type":"paragraph","content":[{"text":"Upgrade","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[94.0]},"content":[{"type":"paragraph","content":[{"text":"v1.1.2","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[115.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1653350400000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[109.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"IMPROVEMENTS","localId":"5539f04d-bbbd-4354-855f-1daaf369976c"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"Improvements:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Validated base64 variables from config.yaml. A new function was created to check if the base64 token in the configuration file has a valid format.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Added standard exceptions (InitVariablesError, PrePullError, PullError...) to improve the troubleshooting. The collector was throwing generic exceptions.","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[144.0]},"content":[{"type":"paragraph","content":[{"text":"Upgrade","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[94.0]},"content":[{"type":"paragraph","content":[{"text":"v1.1.3","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[115.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1657497600000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[109.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"red","style":"bold","text":"BUG FIX","localId":"30e595dc-b89d-4306-a383-29bddd02a50a"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[175.0]},"content":[{"type":"paragraph","content":[{"text":"Bug fixes:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fixed a bug that prevented the use of the functionality to read the Cisco certificate file from the /certificates folder when running on-prem.","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[144.0]},"content":[{"type":"paragraph","content":[{"text":"Recommended version","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"paragraph"}],"version":1}

Browser not supported