I moved this to SIEM where hopefully you'll get a quicker response - Moderator
I had it working just fine until an upgrade to my Sourcefires broke the integration. It ended up being resolved after upgrading the SIEM to 9.4.0 and recreating my datasource. I'm not sure what your error is. I currently have it working with the following settings.
Configure eStreamer to point to your Receiver by going to System-->Local-->Registration. Check boxes as below.
Pick settings as in the following screenshot. Enter Name, IP of Defense Center, and password used when setting up the eStreamer connection. Upload cert and test connection.
There are few ways to mess estreamer setup, so I am only guessing here:
- did you generate a certificate on SF DC for your receiver? You must use destination receiver IP in the process
- did you use a password for this certificate? I had no luck to test connection while using the password, recommend to try without password.
you shouldn't need to open port 8305 unless you have a firewall between receiver and Defence Centre.
1. yes i did, and i can upload it successfully
2. i try with using password, and without password the result still same (test connection unsuccessfull)
The timeout part of that message makes me think they cannot communicate with each other. Maybe run a packet capture while you are trying to connect to see if there is communication happening?
My eStreamer source has been broken since I upgraded to 9.5 back in April. I had some error message that I can't remember. Tier 3 got in there on a phone home and worked on it and it worked for about a week and then stopped again and has not worked since. They are still working on it. My eStreamer source has broken with every upgrade though. It seems to be a very finicky set up.
Estreamer process is dying frequently, this is a known bug. Just restart estreamer process 'killall estreamer' (compare estreamer PID before and after).
estreamer and estreamertest are two different executables, estreamertest was broken in some older 9.4.x version, don't remember which one... also only 9.5.0 supports some features of estreamer v5.x, e.g. sensor names.
- log in to receiver's CLI
- less /var/log/estreamer.log.XX (the highest number is the last log file you want to review)
- go to the end of that file, check if you are getting any records
- run 'tq' command, search for your estreamer data source, note it's ID (2nd column)
- ls -l /var/log/data/inline/thirdparty.logs/[ID from above step]/in/*
- if the filesize = 0, contact support
- else copy the data file somewhere (e.g. /tmp/)
- msgdump -i /tmp/data.*
That's how you verify what events are sent by SF DC.