Create a Splunk application that visualizes threat data provided by the Firepower Management Center (FMC) using the eStreamer API.
Completion time: 45 minutes
Basic understanding of Splunk and the Firepower Management Center
Basic Linux CLI knowledge
A DevNet Sandbox instance from the link below: https://devnetsandbox.cisco.com/RM/Diagram/Index/2dc005dc-a5bf-4b44-8ae2-074d61076b50?diagramType=Topology
After completing this module, you will be able to:
- Stream events from an FMC to a Splunk instance using eStreamer
- Create Splunk apps that can visualize the data provided by the FMC
The Firepower Management Center’s (FMC) eStreamer API streams Firepower events to remote clients. Users can choose which event types they wish to stream and can stream events to multiple remote clients.
- Navigate to the FMC UI
  - For the DevNet live sandbox, VPN into the sandbox and navigate to: https://10.10.20.40
- Log in with your username and password
- Navigate via the menu to: System > Integration > eStreamer
- In the left-hand panel, select the event types shown in the screenshot below and click ‘Save’
- Click ‘Create Client’
- Enter the ‘Hostname’ of the remote Splunk server that will receive the events
- Click ‘Save’ to create the new client
- Once the client configuration is saved, click the download icon to obtain the client certificate required to connect via the eNcore eStreamer client