Cisco FireSIGHT#
Scrutinizer can be configured to receive flows from a Cisco FireSIGHT system via its Event Streamer (eStreamer) service.
After this integration is enabled, the following reports become available in Scrutinizer:
App Internet HTTP Host
Application E-Zone & Sub Type
Application I-Zone & Sub Type
Firewall List
Ingress and Egress Zones
User App HTTP Host
User App HTTP URL
User Application
Web App & CoS
Web App Event & Rule Details
Web App and Source IP
Important
The minimum supported eStreamer version is 5.4.
Registering Scrutinizer with FireSIGHT#
Before setting up the integration in Scrutinizer, the server/collector must be registered under the FireSIGHT Defense Center:
Log into the FireSIGHT Defense Center.
For Firepower v5.4: Navigate to System > Local > Registration
For Firepower v6.x: Navigate to System > Integration > eStreamer
Enable all eStreamer Events, and then click Save.
Click the Create Client (+) button, and then enter the IP address of the Scrutinizer collector.
[OPTIONAL] Enter a password.
Locate the Scrutinizer client in the list, and then click Download to download the client certificate.
Upload the client certificate to the /home/plixer/scrutinizer/files/ directory on the Scrutinizer appliance.
Configuring Scrutinizer as an eStreamer client#
After the Scrutinizer collector has been registered, it will need to be configured to start receiving FireSIGHT flows:
Start an SSH session with the Scrutinizer collector.
Edit the /etc/firesight.ini file to reflect your Scrutinizer collector and FireSIGHT configuration:
CollectorIp - Scrutinizer collector IP address
CollectorPort - Scrutinizer receiving port for FireSIGHT flows
fdi_templates - Path where the export templates are defined (default: /home/plixer/scrutinizer/files/fdi_templates/firesight.fdit)
host - FireSIGHT server address
port - FireSIGHT server outbound port
pkcs12_file - Location of the FireSIGHT eStreamer client certificate (default: /home/plixer/scrutinizer/files/<Plixer_Scrutinizer_IP>.pkcs12)
pkcs12_password - Password entered during the registration process; leave blank if no password was set
fs_bind_addr - eStreamer client address (collector IP address)
export_to - Collector name set at the beginning of the file
Note
The Scrutinizer eStreamer client configuration will automatically be updated whenever firesight.ini is modified.
Editing the provided firesight.ini file is recommended, but a new file can also be created in the same directory. A sample file (firesight.ini.sample) can be found in /home/plixer/scrutinizer/files.
Multiple collectors and FireSIGHT servers with unique names can be set up within the same firesight.ini file. A collector can be configured to receive flows from more than one source, and a FireSIGHT server can send flows to more than one destination.
The eStreamer client will export flows to the collector at CollectorIp and CollectorPort.
fdi_templates is the path where the export templates are defined. Use the location provided in the example.
The eStreamer client will connect to the FireSIGHT at the FireSIGHT host and port.
pkcs12_file is the location of the uploaded FireSIGHT eStreamer client certificate.
pkcs12_password is the certificate password, or blank if a password wasn't specified. Because this password is stored in clear text, keep firesight.ini readable only by the account that runs the collector.
fs_bind_addr is the eStreamer client address registered with FireSIGHT (Scrutinizer collector IP address). It must be a bindable address that can route to the eStreamer service.
export_to tells the eStreamer client which collector or collectors will receive exported flows.
In the /home/plixer/scrutinizer/env/local_env file, change the value for export PLIXER_NO_FIRESEER=1 to 0.
Restart the Collector using the command:
service plixer_flow_collector restart
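The following pre-flight check covers the whole procedure above (the firesight.ini keys and the local_env edit) before the collector is restarted. It is an added example, not Plixer's code. The keys, defaults and file paths are the documented ones; everything else is assumed: standard INI syntax, one named section per collector or FireSIGHT server (told apart by the keys each carries), a comma-separated export_to when several collectors are targeted, and the section names, addresses and the eStreamer port 8302 in the constructed sample. Compare against firesight.ini.sample for the real layout.

```python
"""Pre-flight check for a Scrutinizer firesight.ini and local_env (added example).

Assumptions not taken from the documentation: INI syntax with one named section
per collector (CollectorIp/CollectorPort) or FireSIGHT server (host/port/...),
and export_to as a comma-separated list of collector section names.
"""
import configparser
import os
import socket

COLLECTOR_KEYS = {"CollectorIp", "CollectorPort"}
FIRESIGHT_KEYS = {"host", "port", "fdi_templates", "pkcs12_file",
                  "pkcs12_password", "fs_bind_addr", "export_to"}
# Template path the documentation says to keep as given.
DEFAULT_TEMPLATES = "/home/plixer/scrutinizer/files/fdi_templates/firesight.fdit"

# Constructed sample in the assumed layout; names, addresses and ports are made up.
SAMPLE_INI = """\
[scrutinizer_main]
CollectorIp = 127.0.0.1
CollectorPort = 2055

[firesight_dc1]
host = 192.0.2.10
port = 8302
fdi_templates = /home/plixer/scrutinizer/files/fdi_templates/firesight.fdit
pkcs12_file = /home/plixer/scrutinizer/files/127.0.0.1.pkcs12
pkcs12_password =
fs_bind_addr = 127.0.0.1
export_to = scrutinizer_main
"""


def parse_ini(text):
    """Parse firesight.ini text, preserving key case (CollectorIp, not collectorip)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def classify(cp):
    """Split sections into collectors and FireSIGHT servers by the keys they carry."""
    collectors, firesights = {}, {}
    for name in cp.sections():
        keys = set(cp[name].keys())
        if COLLECTOR_KEYS <= keys:
            collectors[name] = dict(cp[name])
        elif "host" in keys:
            firesights[name] = dict(cp[name])
    return collectors, firesights


def can_bind(addr):
    """True if this host can bind addr: fs_bind_addr must be a local address."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((addr, 0))
        return True
    except OSError:
        return False


def valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def check_config(text, file_exists=os.path.isfile, bindable=can_bind):
    """Return a list of problems; an empty list means every check passed.
    file_exists and bindable are injectable so the check can run on a sample."""
    collectors, firesights = classify(parse_ini(text))
    problems = []
    if not collectors:
        problems.append("no collector section (CollectorIp/CollectorPort) defined")
    if not firesights:
        problems.append("no FireSIGHT section (host/port/...) defined")
    for name, c in collectors.items():
        if not valid_port(c["CollectorPort"]):
            problems.append(f"{name}: CollectorPort {c['CollectorPort']!r} is not a valid port")
    for name, fs in firesights.items():
        missing = sorted(FIRESIGHT_KEYS - set(fs))
        if missing:
            problems.append(f"{name}: missing keys {missing}")
            continue
        if not valid_port(fs["port"]):
            problems.append(f"{name}: port {fs['port']!r} is not a valid port")
        if fs["fdi_templates"] != DEFAULT_TEMPLATES:
            problems.append(f"{name}: fdi_templates should be {DEFAULT_TEMPLATES}")
        if not file_exists(fs["pkcs12_file"]):
            problems.append(f"{name}: pkcs12_file {fs['pkcs12_file']} not found; upload the client certificate")
        if not bindable(fs["fs_bind_addr"]):
            problems.append(f"{name}: fs_bind_addr {fs['fs_bind_addr']} is not bindable on this host")
        for target in (t.strip() for t in fs["export_to"].split(",")):
            if target not in collectors:
                problems.append(f"{name}: export_to names unknown collector {target!r}")
    return problems


def firesight_enabled(local_env_text):
    """True once local_env carries export PLIXER_NO_FIRESEER=0 (the documented edit)."""
    value = None
    for line in local_env_text.splitlines():
        line = line.strip()
        if line.startswith("export PLIXER_NO_FIRESEER="):
            value = line.split("=", 1)[1].strip()
    return value == "0"


if __name__ == "__main__":
    # On the appliance, replace SAMPLE_INI with open("/etc/firesight.ini").read()
    # and drop file_exists so the real certificate path is checked.
    for problem in check_config(SAMPLE_INI, file_exists=lambda p: True):
        print("PROBLEM:", problem)
    print("local_env enables FireSIGHT:",
          firesight_enabled("export PLIXER_NO_FIRESEER=0\n"))
```

Run it on the collector after the edits and before the service restart; an empty problem list plus an enabled local_env is the state the restart expects. The unbindable-address check is the one that most often catches a copied configuration, since fs_bind_addr must be an address of the collector itself, not of the FireSIGHT server.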
After the restart, Scrutinizer should start receiving FireSIGHT flows within 1 minute. For assistance with the configuration process or troubleshooting help, contact Plixer Technical Support.