9 Replies Latest reply on May 29, 2015 8:33 AM by aszotek

    Sourcefire eStreamer

    kwharris

Folks, can someone give me some input/instructions for setting up an eStreamer data source from Defense Center to ESM. I have already set up the data source on ESM and configured the eStreamer client on Defense Center, as well as imported the certificate from the DC into the ESM data source. When I try to test the connection I get a failure. Do I need to configure port 8305 within the interfaces of ESM somewhere? Could it be a step I missed?

        • 1. Re: Sourcefire eStreamer
          Peter M

          I moved this to SIEM where hopefully you'll get a quicker response - Moderator

          • 2. Re: Sourcefire eStreamer
            kwharris

            Thank you.

            • 3. Re: Sourcefire eStreamer
              esher72

              I had it working just fine until an upgrade to my Sourcefires broke the integration. It ended up being resolved after upgrading the SIEM to 9.4.0 and recreating my datasource. I'm not sure what your error is. I currently have it working with the following settings.


              Defense Center:

              Configure eStreamer to point to your Receiver by going to System-->Local-->Registration. Check boxes as below.

[screenshot: eStreamer.PNG]


              ESM:

Pick settings as in the following screenshot. Enter the name, the IP of the Defense Center, and the password used when setting up the eStreamer connection. Upload the cert and test the connection.

[screenshot: SIEM_eStreamer.PNG]

              • 4. Re: Sourcefire eStreamer
                achmadrivaii

I tried to configure it as you suggested, and it succeeded when uploading the .pkcs file,

but when I try to connect, it shows a log error like this:

[screenshot: sourcefire.JPG]


Please help.

                • 5. Re: Sourcefire eStreamer
                  aszotek

There are a few ways to mess up an eStreamer setup, so I am only guessing here:

- Did you generate a certificate on the SF DC for your receiver? You must use the destination receiver IP in the process.

- Did you use a password for this certificate? I had no luck testing the connection while using a password; I recommend trying without one.


You shouldn't need to open port 8305 unless you have a firewall between the receiver and the Defence Centre.

                  • 6. Re: Sourcefire eStreamer
                    achmadrivaii

1. Yes, I did, and I can upload it successfully.

2. I tried with a password and without a password; the result is still the same (test connection unsuccessful).


Any suggestions?

                    • 7. Re: Sourcefire eStreamer
                      esher72

                      The timeout part of that message makes me think they cannot communicate with each other. Maybe run a packet capture while you are trying to connect to see if there is communication happening?


                      My eStreamer source has been broken since I upgraded to 9.5 back in April. I had some error message that I can't remember. Tier 3 got in there on a phone home and worked on it and it worked for about a week and then stopped again and has not worked since. They are still working on it. My eStreamer source has broken with every upgrade though. It seems to be a very finicky set up.

                      • 8. Re: Sourcefire eStreamer
                        aszotek

The eStreamer process is dying frequently; this is a known bug. Just restart the eStreamer process ('killall estreamer'; compare the estreamer PID before and after).


estreamer and estreamertest are two different executables; estreamertest was broken in some older 9.4.x version, I don't remember which one... Also, only 9.5.0 supports some features of eStreamer v5.x, e.g. sensor names.

                        • 9. Re: Sourcefire eStreamer
                          aszotek

- log in to the receiver's CLI

                          - less /var/log/estreamer.log.XX (the highest number is the last log file you want to review)

                          - go to the end of that file, check if you are getting any records

                          if not:

- run the 'tq' command, search for your eStreamer data source, and note its ID (2nd column)

- ls -l /var/log/data/inline/thirdparty.logs/[ID from above step]/in/*

- if the file size = 0, contact support

                          - else copy the data file somewhere (e.g. /tmp/)

                          - msgdump -i /tmp/data.*

That's how you verify what events are sent by the SF DC.
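The steps in the post above, wrapped into a small POSIX sh script so they can be re-run on the receiver after every upgrade. This is an added example, not code from the thread, from McAfee or from Cisco/Sourcefire. It assumes exactly what the post states and nothing more: that `tq` prints one data source per line with the ID in the second whitespace-separated column, that the log files are `/var/log/estreamer.log.NN` and the inbound data files live under `/var/log/data/inline/thirdparty.logs/<ID>/in/`, and that `msgdump -i <file>` dumps a copied data file. The data-source name argument and the `ESM_TP_LOGS` override are the script's own conventions.

```shell
#!/bin/sh
# Added example: automate the eStreamer verification steps from the thread.
# Assumptions (not verified against vendor docs): tq output has the data
# source ID in column 2; paths and msgdump usage are as given in the post.

ESM_TP_LOGS="${ESM_TP_LOGS:-/var/log/data/inline/thirdparty.logs}"

# find_ds_id "<tq output>" "<data source name>": print the ID (column 2) of the
# first tq line containing the name, or return 1 if no line matches.
find_ds_id() {
    tq_output=$1
    ds_name=$2
    ds_id=$(printf '%s\n' "$tq_output" | awk -v n="$ds_name" 'index($0, n) > 0 { print $2; exit }')
    [ -n "$ds_id" ] || return 1
    printf '%s\n' "$ds_id"
}

# latest_estreamer_log [dir]: print the estreamer.log.NN with the highest NN
# (the most recent one, per the post); return 1 if none exist.
latest_estreamer_log() {
    log_dir=${1:-/var/log}
    best=""
    bestn=-1
    for f in "$log_dir"/estreamer.log.*; do
        [ -e "$f" ] || continue
        n=${f##*.}
        case $n in *[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        if [ "$n" -gt "$bestn" ]; then bestn=$n; best=$f; fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# inbox_status "<ID>" [base]: inspect <base>/<ID>/in/*.
# Prints DATA (return 0) if any file has size > 0,
# EMPTY (return 1) if files exist but are all 0 bytes (the "contact support" case),
# NOFILES (return 2) if the directory is absent or has no regular files.
inbox_status() {
    in_dir="${2:-$ESM_TP_LOGS}/$1/in"
    [ -d "$in_dir" ] || { echo NOFILES; return 2; }
    found=0
    for f in "$in_dir"/*; do
        [ -f "$f" ] || continue
        found=1
        if [ -s "$f" ]; then echo DATA; return 0; fi
    done
    if [ "$found" -eq 1 ]; then echo EMPTY; return 1; fi
    echo NOFILES
    return 2
}

# dump_events "<ID>" [base]: copy the largest inbound data file to /tmp and
# run msgdump on the copy, as the post describes.
dump_events() {
    in_dir="${2:-$ESM_TP_LOGS}/$1/in"
    src=$(ls -S "$in_dir"/* 2>/dev/null | head -n 1)
    if [ -z "$src" ] || [ ! -s "$src" ]; then
        echo "no non-empty data file for ID $1 in $in_dir" >&2
        return 1
    fi
    cp "$src" /tmp/ && msgdump -i "/tmp/$(basename "$src")"
}

# Usage on the receiver: ./estreamer-check.sh "<data source name as shown by tq>"
if [ -n "${1:-}" ] && command -v tq >/dev/null 2>&1; then
    ds_id=$(find_ds_id "$(tq)" "$1") || { echo "no data source matching '$1' in tq output" >&2; exit 1; }
    echo "data source '$1' has ID $ds_id"
    if log=$(latest_estreamer_log); then
        echo "last lines of $log:"; tail -n 20 "$log"
    fi
    status=$(inbox_status "$ds_id") || true
    case $status in
        DATA)    dump_events "$ds_id" ;;
        EMPTY)   echo "inbound files for ID $ds_id are 0 bytes: contact support" ;;
        NOFILES) echo "no inbound files for ID $ds_id under $ESM_TP_LOGS" ;;
    esac
fi
```

The three status values map directly onto the decision in the post: DATA means the DC is delivering events and `msgdump` will show you which ones, EMPTY is the "file size = 0, contact support" branch, and NOFILES usually means the data source ID was read from the wrong `tq` column or the receiver never created the inbox.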