Cisco FireSIGHT eStreamer¶
Plixer Scrutinizer can be configured to receive flows from a Cisco FireSIGHT system via its Event Streamer (eStreamer) service.
After this integration is enabled, the following reports become available in Plixer Scrutinizer:
App Internet HTTP Host
Application E-Zone & Sub Type
Application I-Zone & Sub Type
Firewall List
Ingress and Egress Zones
User App HTTP Host
User App HTTP URL
User Application
Web App & CoS
Web App Event & Rule Details
Web App and Source IP
Important
The minimum supported eStreamer version is 5.4.
Registering Plixer Scrutinizer with FireSIGHT¶
Before setting up the integration in Plixer Scrutinizer, the server/collector must be registered under the FireSIGHT Defense Center:
1. Log into the FireSIGHT Defense Center.
2. Open the eStreamer registration page:
   For Firepower v5.4: navigate to System > Local > Registration
   For Firepower v6.x: navigate to System > Integration > eStreamer
3. Enable all eStreamer Events, and then click Save.
4. Click the Create Client (+) button, and then enter the IP address of the Plixer Scrutinizer collector.
5. [OPTIONAL] Enter a password.
6. Locate the Plixer Scrutinizer client in the list, and then click Download to download the client certificate.
7. Upload the client certificate to the /home/plixer/scrutinizer/files/ directory on the Plixer Scrutinizer appliance.
Configuring Plixer Scrutinizer as an eStreamer client¶
After the Plixer Scrutinizer collector has been registered, it will need to be configured to start receiving FireSIGHT flows:
1. Start an SSH session with the Plixer Scrutinizer collector.
2. Edit the /etc/firesight.ini file to reflect your Plixer Scrutinizer collector and FireSIGHT configuration:
   CollectorIp - Plixer Scrutinizer collector IP address
   CollectorPort - Plixer Scrutinizer receiving port for FireSIGHT flows
   fdi_templates - Path where export templates are defined (default: /home/plixer/scrutinizer/files/fdi_templates/firesight.fdit)
   host - FireSIGHT server address
   port - FireSIGHT server outbound port
   pkcs12_file - Location of the FireSIGHT eStreamer client certificate (default: /home/plixer/scrutinizer/files/<Plixer_Scrutinizer_IP>.pkcs12)
   pkcs12_password - Password entered during the registration process; leave blank if no password was set
   fs_bind_addr - eStreamer client address (collector IP address)
   export_to - Collector name set at the beginning of the file
Note
The Plixer Scrutinizer eStreamer client configuration will automatically be updated whenever firesight.ini is modified.
Editing the provided firesight.ini file is recommended, but a new file can also be created in the same directory. A sample file (firesight.ini.sample) can be found in /home/plixer/scrutinizer/files.
Multiple collectors and FireSIGHT servers with unique names can be set up within the same firesight.ini file. A collector can be configured to receive flows from more than one source, and a FireSIGHT server can send flows to more than one destination.
The eStreamer client will export flows to the collector at CollectorIp and CollectorPort.
fdi_templates is the path where the export templates are defined. Use the location provided in the example.
The eStreamer client will connect to the FireSIGHT server at the FireSIGHT host and port.
pkcs12_file is the location of the uploaded FireSIGHT eStreamer client certificate.
pkcs12_password is the certificate password, or blank if no password was specified.
fs_bind_addr is the eStreamer client address registered with FireSIGHT (the Plixer Scrutinizer collector IP address). It must be a bindable address that can route to the eStreamer service.
export_to tells the eStreamer client which collector or collectors will receive exported flows.
3. In the /home/plixer/scrutinizer/env/local_env file, change the value of export PLIXER_NO_FIRESEER=1 to 0.
4. Restart the collector using the command:
   service plixer_flow_collector restart
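As an added example (not Plixer's own tooling), a Python pre-flight check that can be run over a firesight.ini body before restarting the collector. It assumes an INI layout that this page does not document, in which each collector and each FireSIGHT server is its own section carrying the keys listed above; the section names, IP addresses and ports in the sample are constructed placeholders.

```python
import configparser, ipaddress, os

# Assumed layout (not on the page): a collector section holds CollectorIp/CollectorPort/fdi_templates;
# a FireSIGHT server section holds host/port/pkcs12_file/pkcs12_password/fs_bind_addr/export_to.
COLLECTOR_KEYS = ("CollectorIp", "CollectorPort", "fdi_templates")
SERVER_KEYS = ("host", "port", "pkcs12_file", "fs_bind_addr", "export_to")

# Constructed sample: section names, IPs and ports are placeholders, not values from the page.
SAMPLE_INI = """\
[scrut1]
CollectorIp = 10.1.1.10
CollectorPort = 4739
fdi_templates = /home/plixer/scrutinizer/files/fdi_templates/firesight.fdit

[fsdc1]
host = 10.1.1.20
port = 8302
pkcs12_file = /home/plixer/scrutinizer/files/10.1.1.10.pkcs12
pkcs12_password =
fs_bind_addr = 10.1.1.10
export_to = scrut1
"""

def validate_firesight_ini(text, file_exists=os.path.isfile):
    """Return a list of problems in a firesight.ini body (empty list means OK)."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep key case as written (CollectorIp, not collectorip)
    cfg.read_string(text)
    problems = []
    collectors = {s for s in cfg.sections() if cfg.has_option(s, "CollectorIp")}
    for name in sorted(collectors):
        for key in COLLECTOR_KEYS:
            if not cfg[name].get(key):
                problems.append(f"[{name}] missing {key}")
    for name in sorted(s for s in cfg.sections() if cfg.has_option(s, "host")):
        sec = cfg[name]
        for key in SERVER_KEYS:  # pkcs12_password may legitimately be blank, so it is not required
            if not sec.get(key):
                problems.append(f"[{name}] missing {key}")
        # Every export_to destination must name a collector defined in this file.
        for dest in [d.strip() for d in sec.get("export_to", "").split(",") if d.strip()]:
            if dest not in collectors:
                problems.append(f"[{name}] export_to references undefined collector '{dest}'")
        # The client certificate downloaded from the Defense Center must be on disk.
        if sec.get("pkcs12_file") and not file_exists(sec["pkcs12_file"]):
            problems.append(f"[{name}] pkcs12_file not found: {sec['pkcs12_file']}")
        try:  # fs_bind_addr must be a real IP address, the one registered with FireSIGHT
            ipaddress.ip_address(sec.get("fs_bind_addr", ""))
        except ValueError:
            problems.append(f"[{name}] fs_bind_addr is not a valid IP address")
    return problems
```

Run it against the contents of /etc/firesight.ini on the collector; an empty result means the referenced collector names, certificate path and bind address are consistent before the restart.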
After the restart, Plixer Scrutinizer should start receiving FireSIGHT flows within 1 minute. For assistance with the configuration process or troubleshooting help, contact Plixer Technical Support.