Cisco FireSIGHT eStreamer

Plixer Scrutinizer can be configured to receive flows from a Cisco FireSIGHT system via its Event Streamer (eStreamer) service.

After this integration is enabled, the following Reports will be available in Plixer Scrutinizer:

  • App Internet HTTP Host

  • Application E-Zone & Sub Type

  • Application I-Zone & Sub Type

  • Firewall List

  • Ingress and Egress Zones

  • User App HTTP Host

  • User App HTTP URL

  • User Application

  • Web App & CoS

  • Web App Event & Rule Details

  • Web App and Source IP

Important

The minimum supported eStreamer version is 5.4.

Registering Plixer Scrutinizer with FireSIGHT

Before setting up the integration in Plixer Scrutinizer, the server/Collector must be registered under the FireSIGHT Defense Center:

  1. Log into the FireSIGHT Defense Center.

    For Firepower v5.4: Navigate to System > Local > Registration

    For Firepower v6.x: Navigate to System > Integration > eStreamer

  2. Enable all eStreamer Events and click the Save button.

  3. Click on the Create Client (+) button and enter the IP address of the Plixer Scrutinizer Collector.

  4. [OPTIONAL] Enter a password.

  5. Locate the Plixer Scrutinizer client in the list and click the Download button to download the client certificate.

  6. Upload the client certificate to the /home/plixer/scrutinizer/files/ directory on the Plixer Scrutinizer appliance.

Configuring Plixer Scrutinizer as an eStreamer client

After the Plixer Scrutinizer Collector has been registered, it will need to be configured to start receiving FireSIGHT flows:

  1. Start an SSH session with the Plixer Scrutinizer Collector.

  2. Edit the /home/plixer/scrutinizer/files/firesight.ini file to reflect your Plixer Scrutinizer Collector and FireSIGHT configuration:

    • CollectorIp - Plixer Scrutinizer Collector IP address

    • CollectorPort - Plixer Scrutinizer receiving port for FireSIGHT flows

    • fdi_templates - Path where export templates are defined (default: /home/plixer/scrutinizer/files/fdi_templates/firesight.fdit)

    • host - FireSIGHT server address

    • port - FireSIGHT server outbound port

    • pkcs12_file - Location of the FireSIGHT eStreamer client certificate (default: /home/plixer/scrutinizer/files/<Plixer_Scrutinizer_IP>.pkcs12)

    • pkcs12_password - Password entered during registration process; leave blank if no password was set

    • fs_bind_addr - eStreamer client address (Collector IP address)

    • export_to - Collector name set at the beginning of the file

    Note

    Editing the provided firesight.ini file is recommended, but a new file can also be created in the specified directory. The Plixer Scrutinizer eStreamer client configuration will automatically be updated whenever the file is modified.

    Important

    Multiple Collectors and FireSIGHT servers with unique names can be set up within the same firesight.ini file. A Collector can be configured to receive flows from more than one source, and a FireSIGHT server can send flows to more than one destination.

    With these settings in place, the eStreamer client connects to the FireSIGHT server at host and port, authenticates with the client certificate at pkcs12_file (and pkcs12_password, if one was set during registration), and exports flows to the Collector or Collectors named in export_to at their CollectorIp and CollectorPort. fs_bind_addr is the eStreamer client address registered with FireSIGHT (the Plixer Scrutinizer Collector IP address); it must be an address the Collector can bind to and that can route to the eStreamer service.

  3. In the /home/plixer/scrutinizer/env/local_env file, change the value for export PLIXER_NO_FIRESEER=1 to 0.

  4. Restart the Collector using the command:

service plixer_flow_collector restart

After the restart, Plixer Scrutinizer should start receiving FireSIGHT flows within 1 minute. For assistance with the configuration process or troubleshooting help, contact Plixer Technical Support.
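A pre-flight check of the firesight.ini settings described above, added here as an example and not part of Plixer's product: it assumes one INI section per named Collector or FireSIGHT server (the real file's section layout is not shown on this page) and reports the mistakes that most often stop flows from arriving, including a client certificate left readable by other users.

```python
import configparser, ipaddress, os, socket
from typing import Callable, List

# Constructed sample firesight.ini; the one-section-per-name layout is an assumption.
SAMPLE_INI = """
[collector1]
CollectorIp = 10.0.0.5
CollectorPort = 9991
[firesight1]
host = 10.0.0.20
port = 8302
pkcs12_file = /home/plixer/scrutinizer/files/10.0.0.5.pkcs12
fs_bind_addr = 10.0.0.5
export_to = collector1
"""

def _port_ok(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535

def check_firesight_ini(text: str, exists: Callable[[str], bool] = os.path.isfile,
                        probe_bind: bool = False) -> List[str]:
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key names exactly as written (CollectorIp, host, ...)
    cfg.read_string(text)
    problems: List[str] = []  # empty result means the file is consistent
    collectors = [s for s in cfg.sections() if cfg.has_option(s, "CollectorIp")]
    for name in collectors:
        if not _port_ok(cfg[name].get("CollectorPort", "")):
            problems.append(f"{name}: CollectorPort must be 1-65535")
    for name in (s for s in cfg.sections() if cfg.has_option(s, "host")):
        sec = cfg[name]
        if not _port_ok(sec.get("port", "")):
            problems.append(f"{name}: port must be 1-65535")
        cert = sec.get("pkcs12_file", "")
        if not exists(cert):
            problems.append(f"{name}: pkcs12_file not found, upload the client certificate")
        elif os.path.isfile(cert) and os.stat(cert).st_mode & 0o077:
            problems.append(f"{name}: pkcs12_file is readable by other users")  # it holds the client key
        for target in sec.get("export_to", "").split(","):
            if target.strip() not in collectors:
                problems.append(f"{name}: export_to names unknown collector '{target.strip()}'")
        bind = sec.get("fs_bind_addr", "")
        try:
            ipaddress.ip_address(bind)
            if probe_bind:  # bind an ephemeral port to prove the address is local to this host
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                    s.bind((bind, 0))
        except (ValueError, OSError) as e:
            problems.append(f"{name}: fs_bind_addr '{bind}' is not usable ({e})")
    return problems
```

Run it on the Collector with probe_bind=True so that fs_bind_addr is actually tested against the local interfaces before the service is restarted.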