Cisco eStreamer

Description

This documentation outlines the process of ingesting data from Cisco eStreamer into Observo.ai. It details the steps to configure an eStreamer client on Cisco FMC (Firepower Management Center) to stream security event data, and how to set up Observo.ai to receive and process this data using the Observo eStreamer client. The goal is a working integration between Cisco FMC and Observo.ai for real-time security analytics.

Solution

Prerequisite

Before starting the integration, ensure you have completed the following setup in Observo:

Configure Socket Source

  1. Log in to Observo AI:

    • Navigate to the Sources tab.

    • Click the Add Source button and select Create New.

    • Choose Socket from the list of available sources to begin configuration.

  2. Configuration

    Create a Socket source with the following configuration:

    • Name: eStreamer socket

    • Description (Optional): socket configuration for eStreamer log ingestion

    • Socket Address: the default address is 0.0.0.0; the port can be customized as needed but must be in the range 10000-10200

      Example

      0.0.0.0:10010

    • The type of socket to use: Listen on a TCP Port

    • Decoding Codec: Raw Bytes

  3. TLS Configuration (Optional)

  4. Save and Test Configuration:

    • Save the configuration settings in Observo AI.

Observo Client Configuration Steps

Get client.pkcs12 file from Cisco FMC

  • Navigate to System > Integrations > eStreamer

  • Click Create Client

  • In the eStreamer Event Configuration dialog:

    • Select the security events you want to stream (Connection Events, Intrusion Events, etc.)

    • Configure other settings as needed

  • Enter the IP address or hostname of the host that will run the Observo eStreamer client

  • Set a password (optional but recommended; it protects the downloaded PKCS#12 bundle and is the value you will later enter as Pkcs12_password in config.json)

  • Click Save

  • Click the download icon next to the newly added client and save the file as client.pkcs12

NOTE: 10.1.100.20 is the test server used in this example. Replace it with the address of the host that will run the Observo eStreamer client; the FMC client entry and its certificate are tied to that address.

Install and Configure Observo eStreamer Client

  • Download the tar file

  • Extract it to your preferred directory

  • Run the installation script:

./install.sh

  • Place the client.pkcs12 file (downloaded from Cisco FMC) in the client directory

  • Update the config.json file with your environment-specific details:

    • host: your Cisco FMC hostname or IP address

    • port: eStreamer port on FMC (typically TCP 8302)

    • Pkcs12_password: the password set during client creation (leave empty only if no password was set)

    • Pkcs12_file: name of your certificate file (e.g., client.pkcs12)

    • logger_host: address at which the Observo socket source is reachable (the IP configured for the Nginx NodePort)

    • logger_port: port at which the Observo socket source is reachable (the port configured for the Nginx NodePort)

  • Before starting the client, validate your configuration:

./observo_estreamer_client.sh validate

  • This command verifies:

    • Configuration file syntax

    • Certificate file accessibility

    • Network connectivity to FMC

    • Observo socket connectivity

  • Once validation passes, start the eStreamer client:

./observo_estreamer_client.sh start

  • The client will:

    • Connect to your Cisco FMC on the eStreamer port using the provided PKCS#12 certificate

    • Forward the received events in syslog format to the Observo socket source at logger_host:logger_port
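The checks that the validate command performs can also be run by hand when the client's own output is not enough to locate a problem. The following script is an added example, not the Observo client's validate command: it loads a config.json with the keys listed above (assumed to be spelled in lowercase), checks that the ports are sane and a password is set, that the PKCS#12 file is present and DER-encoded, and that TCP connections to FMC and to the Observo socket source succeed. The function names and the sample configuration are this example's own.

```python
"""Pre-flight checks for an eStreamer -> Observo client configuration.

Added example; it is not the Observo client's own validate command.
"""
import json
import os
import socket

# Keys the guide lists for config.json (assumed lowercase).
REQUIRED_KEYS = ("host", "port", "pkcs12_password", "pkcs12_file",
                 "logger_host", "logger_port")


def load_config(text):
    """Parse config.json text and make sure every required key is present."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"config.json is missing keys: {missing}")
    return cfg


def check_pkcs12(path):
    """Return a problem string if the PKCS#12 file is unusable, else None.

    A PKCS#12 bundle is DER-encoded, so its first byte is an ASN.1 SEQUENCE
    tag (0x30). A file that fails this test is usually a PEM export or an
    HTML download page saved under the wrong name.
    """
    if not os.path.isfile(path):
        return f"PKCS#12 file not found: {path}"
    try:
        with open(path, "rb") as fh:
            head = fh.read(1)
    except OSError as exc:
        return f"PKCS#12 file not readable: {exc}"
    if head != b"\x30":
        return f"{path} does not look like a DER-encoded PKCS#12 file"
    return None


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(cfg, base_dir="."):
    """Run every check; an empty list means the client is ready to start."""
    problems = []
    for key in ("port", "logger_port"):
        if not 1 <= int(cfg[key]) <= 65535:
            problems.append(f"{key}={cfg[key]} is not a valid TCP port")
    if not cfg["pkcs12_password"]:
        problems.append("warning: pkcs12_password is empty; create the FMC "
                        "client with a password so the bundle is protected")
    p12 = check_pkcs12(os.path.join(base_dir, cfg["pkcs12_file"]))
    if p12:
        problems.append(p12)
    if not tcp_reachable(cfg["host"], cfg["port"]):
        problems.append(f"cannot reach FMC eStreamer at {cfg['host']}:{cfg['port']}")
    if not tcp_reachable(cfg["logger_host"], cfg["logger_port"]):
        problems.append("cannot reach Observo socket source at "
                        f"{cfg['logger_host']}:{cfg['logger_port']}")
    return problems


if __name__ == "__main__":
    # Constructed config.json for illustration; the hostnames are placeholders.
    SAMPLE = """{
      "host": "fmc.example.internal",
      "port": 8302,
      "pkcs12_password": "change-me",
      "pkcs12_file": "client.pkcs12",
      "logger_host": "observo-nodeport.example.internal",
      "logger_port": 30010
    }"""
    for line in preflight(load_config(SAMPLE)) or ["all checks passed"]:
        print(line)
```

Run it from the client directory so the relative Pkcs12_file path resolves; a "cannot reach" line for FMC usually means a firewall between the client host and FMC on TCP 8302, while one for the Observo socket source means the NodePort address or port in config.json does not match the socket source you created.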

Verify Data Flow

  • Check the logs to ensure successful connection to FMC

  • Verify in Observo that data is being received through the socket source

  • Monitor the data flow and troubleshoot any connectivity issues
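When data does not show up in Observo it helps to separate the two halves of the path: is the client emitting events at all, and is Observo receiving them? The following stand-in sink is an added example and not part of Observo or the client: it listens on a TCP port the same way the "Listen on a TCP Port / Raw Bytes" socket source does, reassembles newline-framed syslog lines across TCP segments, and decodes each line's PRI header into facility and severity. Point logger_host/logger_port at the host running it and you can confirm the client's output before involving the Observo side. Class and function names are this example's own, and the messages in the test are constructed, not real FMC events.

```python
"""Throw-away TCP sink that imitates a raw-bytes Observo socket source.

Added example for troubleshooting; not Observo or Observo client code.
"""
import re
import socket
import threading
import time

# RFC 3164 PRI header such as "<14>": the value is facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog_line(raw):
    """Split one syslog line into facility, severity and message body.

    Lines without a PRI header are kept with facility/severity set to None
    so that nothing the client sent is silently dropped.
    """
    m = PRI_RE.match(raw)
    if not m:
        return {"facility": None, "severity": None,
                "message": raw.decode("utf-8", "replace")}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "message": m.group(2).decode("utf-8", "replace")}


class RawTcpSink:
    """Listen on a TCP port and collect newline-framed records."""

    def __init__(self, host="0.0.0.0", port=10010):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # real port when port=0 was asked for
        self.records = []
        self._lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._read, args=(conn, peer), daemon=True).start()

    def _read(self, conn, peer):
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                *lines, buf = buf.split(b"\n")  # last piece may be a partial line
                for line in lines:
                    self._store(peer, line)
        if buf:
            self._store(peer, buf)  # unterminated tail at EOF

    def _store(self, peer, line):
        if not line:
            return
        rec = parse_syslog_line(line)
        rec["peer"] = peer[0]
        with self._lock:
            self.records.append(rec)

    def wait_for(self, count, timeout=5.0):
        """Block until `count` records have arrived (or timeout); return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.records) >= count:
                    return list(self.records)
            time.sleep(0.05)
        with self._lock:
            return list(self.records)

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    sink = RawTcpSink("0.0.0.0", 10010)  # same address the guide uses for the source
    print(f"listening on {sink.port}; set logger_host/logger_port to this host, Ctrl-C to stop")
    seen = 0
    try:
        while True:
            recs = sink.wait_for(seen + 1, timeout=10)
            for rec in recs[seen:]:
                print(rec)
            seen = len(recs)
    except KeyboardInterrupt:
        sink.close()
```

If records appear here but not in Observo, the problem is on the Observo side (NodePort, socket source port or codec); if nothing appears here either, the client never connected or never received events from FMC, and the client logs and the FMC eStreamer client entry are the place to look.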

Troubleshooting

Certificate Issues: Ensure the pkcs12 file is in the client directory, that the password in config.json matches the one set when the FMC client was created, and that the client runs on the host whose IP or hostname was entered in the FMC client entry

Network Connectivity: Verify firewall rules allow the client host to reach FMC on the eStreamer port (TCP 8302) and to reach the Observo socket source on the NodePort

Port Conflicts: Ensure the configured ports are available and not blocked

Configuration Errors: Use the validate command to identify configuration issues
