I think the issue is the current app doesn't pull in all of the new fields that v6 has to offer.

That is correct. The app was built against the 5.4 API specification. New stuff in 6.0 won't be forwarded.

What fields are you looking for? Do you know?

Doug

@douglashurd
Looking for an update to both the eStreamer app and accompanying "Splunk Add-on for Cisco FireSIGHT" that's compatible with FMC 6.2.x. Since the field names have changed, the TA is no longer fully CIM compliant with the Intrusion Detection data model...which means info also is missing from Enterprise Security dashboards. This is just one of many possible examples.

I am working on a Splunk implementation for a large Telco... I'll ask, but I'm pretty sure the comment will be all fields as they have an extensive Splunk deployment.

OK good to know. If you can share any specifics or the country it would help me build the case for a new eStreamer app. I can be emailed directly here: dohurd@cisco.com I track this stuff.

I am looking for all fields as we use Splunk for our long term storage since the Defense Center (FireSight..) can only hold about a day of our data at best.

We opened a ticket with Cisco and were pointed towards this bug entry: CSCuz95008

It appears to be that the Cisco eStreamer for Splunk App (currently v2.2.2) does not support the eStreamer user metadata format which was changed in 6.0. We are currently using Cisco FMC 6.1.0.1, Splunk 6.5.2 and eStreamer 2.2.2. As a result, our connection events reference a numerical value for the 'user' field instead of the actual username.

In case anyone else is looking for this, I can happily confirm that upgrading FMC and Firepower appliances to 6.2.0 resolves the issue with user IDs (CSCuz95008). We now have correct user IDs populated in the events.

I was able to upgrade our Firepower Appliance to 6.1.0.3 and the issue was resolved.

Does anyone know who we need to pressure to increase the priority of the new version. I lost detail of meaningful user ID's on the data stream from 5.X to 6.X SourceFire because cisco(SourceFire) changed the way the internal database deals with user ID's to allow for multiple user realms. all I see now in the stream is the numeric representation of what I assume is a unique identifier for the user in a one t many database.
I have taken it to my enterprise rep but have heard nothing. I also have a ticket in on the issue.

Thank you for your replies. It is good to see Cisco extends the functionality. Looking at the Integration side, ArcSight seems to have said that they do not support eStreamer in the future, as they want CEF. I am not surprised to see this development. I just hope that open interfaces remain as important for the players as they are for their customers.

To clarify. We built an eStreamer client that converts the binary output from the API's Server to text and into a CEF format. Arcsight is no longer building on their eStreamer client known as a 'Smart Connector'.

Arcsight has recently certified their Smart Connector to work with Firepower 5.4.x./ No new schema items supported but it does work with 5.4.

Are you seeing user ID's

A new Cisco eStreamer fro Splunk client/TA will be available in the end of April The current app does work with 6.x but there have been some reported issues.