
Cisco eStreamer collector

Service description

The Cisco Event Streamer (also known as Cisco eStreamer) allows you to stream Firepower System events to external client applications. You can stream host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection data from a Management Center and you can stream intrusion data from 7000 and 8000 series devices.

Data source description

Currently, the Cisco eStreamer collector receives host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection events. The collector parses the eStreamer responses and sends them to the Devo platform, which categorizes all the received information into the following tables:

Group name | Details | Data tables
Metadata | Context information for codes and numeric identifiers in the event records | firewall.cisco.fmc_estreamer.metadata
Packet | Packets associated with intrusion events | firewall.cisco.fmc_estreamer.packet
Intrusion | Intrusion events generated by managed devices | firewall.cisco.fmc_estreamer.intrusion
File malware | Malware events | firewall.cisco.fmc_estreamer.file_malware
Correlation | Correlation and allow list events | firewall.cisco.fmc_estreamer.correlation
Connection | Connection events | firewall.cisco.fmc_estreamer.connection
RNA | Realtime Network Awareness events | firewall.cisco.fmc_estreamer.rna
RUA | Realtime User Awareness events | firewall.cisco.fmc_estreamer.rua
Event | Additional data for intrusion events | firewall.cisco.fmc_estreamer.event

For more information about Cisco eStreamer, see the Firepower System Event Streamer Integration Guide.

Setup

The Cisco eStreamer data collector works with Cisco FMC (Firepower Management Center) devices. To start receiving data over the eStreamer protocol, you need to set up the eStreamer service in the FMC.

Setting up eStreamer

  1. Access the FMC web console.

  2. Go to System → Integration → eStreamer.

  3. Check the events that you want to receive and save the changes.

  4. Create a new client and save the certificate (and password/passphrase if configured) to be used later in the collector.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).