Splunk Enterprise Security

How to connect multiple instances of Cisco Firepower to Splunk using eStreamer eNcore

sshukla2505
New Member

Hi,
So, I have got 2 instances of Cisco Firepower Management Center. I need to connect these 2 FMCs to our eStreamer eNcore Add-on for Splunk. I have gone through almost all of the answers related to this issue, but couldn't find an accepted/working resolution.

In our infra, the "client.pkcs12" is the same for both FMCs, implying that I can use the same file to connect to both of them. However, the configuration set-up of the "eStreamer eNcore Add-On" only lets me enter 1 FMC's IP address.
Question 1: Is there a way I can enter multiple FMC IP addresses? ... or
Question 2: Is there a way that we can configure our Splunk forwarder to receive logs from 2 different FMCs?

0 Karma

danbrook
Explorer

Similar setup for me, but I have 1 FMC and 1 indexer. I have multiple domains on the FMC and am trying to send logs to separate indexes. Can the same client.pkcs12 file and password be used under each domain?

0 Karma

abwe
New Member

@nrduren1115 can you provide the way?

0 Karma

ahmadjabr
Engager

Could you tell us how you did it?

0 Karma

lakshman239
SplunkTrust

I think the approach they have taken is to have multiple instances of the same add-on (you need to have different names though) and then configure them with different/the same pkcs file to pull data from the FMC. This would work as Splunk will see them as two different data sources. You would need to ensure local/apps.conf and inputs.conf are updated to have a unique app name and path (monitor stanza) for the data files to be ingested into Splunk.

0 Karma

abwe
New Member

@lakshman239 We tried that but it failed to give a result. Have you tried something like that before?

0 Karma

lakshman239
SplunkTrust

Nope, haven't tried.

0 Karma

nrduren1115
Explorer

We recently did this and have it working. You can clone the app and then set up duplicate file and script inputs for the second FMC.


0 Karma
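A worked layout for what lakshman239 and nrduren1115 describe (two cloned copies of the add-on, each with its own app id, data directory, script input and FMC), added here as an illustration and not taken from the thread or from Cisco's add-on. The directory names `TA-eStreamer_fmcA`/`TA-eStreamer_fmcB`, the `encore.sh` script name, the `data/*.log` path and the index names are assumptions; check them against the add-on version you actually have installed.

```ini
# Assumed layout (not from the thread): $SPLUNK_HOME/etc/apps/<clone>/
# Splunk merges every inputs.conf across all apps by stanza name, so the
# script and monitor stanzas must have different absolute paths in each clone.
# If both clones used the same stanza name, only one input would survive the
# merge and one FMC's data would never be ingested.

# ---- $SPLUNK_HOME/etc/apps/TA-eStreamer_fmcA/local/apps.conf ----
[package]
id = TA-eStreamer_fmcA

[ui]
is_visible = false
label = eStreamer eNcore (FMC A)

# ---- $SPLUNK_HOME/etc/apps/TA-eStreamer_fmcA/local/inputs.conf ----
# Clone A's own add-on configuration (where the FMC address and the
# client.pkcs12 path are set) points at FMC A; script name is assumed.
[script://$SPLUNK_HOME/etc/apps/TA-eStreamer_fmcA/bin/encore.sh start]
interval = 60
disabled = 0

[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer_fmcA/data/*.log]
sourcetype = cisco:estreamer:data
index = fmc_a
disabled = 0

# ---- $SPLUNK_HOME/etc/apps/TA-eStreamer_fmcB/local/apps.conf ----
[package]
id = TA-eStreamer_fmcB

[ui]
is_visible = false
label = eStreamer eNcore (FMC B)

# ---- $SPLUNK_HOME/etc/apps/TA-eStreamer_fmcB/local/inputs.conf ----
# Clone B's add-on configuration points at FMC B; same pkcs12 file is fine
# if, as in the original question, both FMCs accept the same certificate.
[script://$SPLUNK_HOME/etc/apps/TA-eStreamer_fmcB/bin/encore.sh start]
interval = 60
disabled = 0

[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer_fmcB/data/*.log]
sourcetype = cisco:estreamer:data
index = fmc_b
disabled = 0
```

After restarting the forwarder, `splunk btool inputs list --debug` should show both script stanzas and both monitor stanzas with their originating app path; if one pair is missing, the stanza names collided during the merge.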

cemx11
New Member

Hello,

How do you clone the app? Just copy/paste the folders?

0 Karma

czsmunt
Observer

Did you ever figure this out?

0 Karma