Cisco FireSIGHT eStreamer

This add-on is available for purchase. For more information, please contact us.

The eStreamer add-on can be used with NXLog to collect events from a Cisco FireSIGHT System. The Cisco Event Streamer (eStreamer) API is used for communication between NXLog and the FireSIGHT System. This section describes how to set up FireSIGHT and NXLog and start collecting log events.

For more information about eStreamer, see FireSIGHT System eStreamer Integration Guide v5.4 on Cisco.com. To download the full Firepower eStreamer SDK, see eStreamer SDK Version 6.1 on Cisco Community.

Configuring the Cisco Defense Center

To receive events from the Cisco Defense Center, a client must be added to the eStreamer Event Configuration.

  1. Log in to the Management Center and navigate to System > Integration > eStreamer.

    Depending on the Cisco system, the eStreamer configuration and client creation page location may differ. In other systems, the same page can be found under System > Local > Registration > eStreamer.
  2. Select the event types that should be sent and then click Save.

    cisco estreamer conf
  3. Enter an IP address or a resolvable name in the Hostname field and optionally a password. Click Save.

    cisco estreamer client
  4. Click on the download arrow to download the certificate for the client. Place the PKCS12 certificate in the same directory as the Perl client.

Configuring the eStreamer script

The estreamer.pl client is based on Cisco’s ssl_test.pl reference client which is included in the FireSIGHT eStreamer SDK.

  1. Make sure the following required Perl modules, which are part of the FireSIGHT eStreamer SDK, are present in the same directory: SFStreamer.pm, SFPkcs12.pm, SFRecords.pm, and SFRNABlocks.pm.

  2. Edit the script and set the configuration options. The available options include the following.

    • The server address and port

    • The file name and password used for the PKCS12 certificate

    • Enable/disable verbose output

    • The start time for receiving events: using bookmarks (by setting to bookmark) ensures that no events will be lost or duplicated.

    • The output mode: typically this is set to \&send_nxlog; however there is a \&send_stdout_raw output where all data and meta-data is printed to standard output (for debugging purposes).

  3. In the $OUTPUT_PLUGIN section of the script, the type of event request can be customised. Refer to the FireSIGHT System eStreamer Integration Guide for more information.

  4. Finally, the output mode subroutine \&send_nxlog might require modification if the presentation of the data needs to be altered or alternative data or metadata need to be included or excluded. The \&send_stdout subroutine can be used to show the output sent to NXLog and the \&send_stdout_raw can be used to show the full contents of the data stream. Remember to set the $conf_opt->{output} variable to the appropriate subroutine.

Configuring NXLog

The im_perl module is used to execute the Perl script, which in turn connects to the server and receives events. The Perl script directly sets various NXLog internal fields from the event data collected from eStreamer.

Example 1. Collecting events from eStreamer

This configuration uses the im_perl module to execute the Perl script. The resulting internal NXLog fields are then converted to JSON format before being written to file with om_file.

nxlog.conf
<Extension _json>
    Module      xm_json
</Extension>

<Input estreamer>
    Module      im_perl
    PerlCode    /opt/nxlog/bin/estreamer.pl
</Input>

<Output file>
    Module      om_file
    File        '/tmp/output.log'
    Exec        to_json();
</Output>

<Route estreamer_to_file>
    Path        estreamer => file
</Route>

The following is a sample output of intrusion detection events in JSON format.

Output sample
{
  "EventTime": "2018-1-24 11:50:23.939847",
  "AlertPriority": 3,
  "SourceIp": "192.168.99.2",
  "SourcePort": 0,
  "DestinationIp": "192.168.98.2",
  "DestinationPort": 0,
  "EventMessage": "PROTOCOL-ICMP Echo Reply",
  "EventReceivedTime": "2018-01-24 11:50:29",
  "SourceModuleName": "perl",
  "SourceModuleType": "im_perl"
}
{
  "EventTime": "2018-1-24 11:50:34.499867",
  "AlertPriority": 3,
  "SourceIp": "192.168.98.2",
  "SourcePort": 0,
  "DestinationIp": "192.168.99.2",
  "DestinationPort": 0,
  "EventMessage": "PROTOCOL-ICMP Echo Reply",
  "EventReceivedTime": "2018-01-24 11:50:35",
  "SourceModuleName": "perl",
  "SourceModuleType": "im_perl"
}
An ICMP Echo Reply is not typically an intrusion detection event; however, it was a convenient way to simulate one.