API - Sourcefire eStreamer
eStreamer is an API published by Sourcefire (now part of Cisco) for streaming intrusion and vulnerability data from Sourcefire IDS/IPS servers. The System Monitor Agent can collect eStreamer intrusion events and convert them into LogRhythm logs. Each time the Agent connects to the eStreamer server, it collects intrusion event data from the oldest to the newest. The Agent keeps the current event in its position state file so that the same event is not collected more than once. The Agent supports one eStreamer server per message source and configuration file.
Device Details
Vendor | Sourcefire / Cisco |
---|---|
Device Type | Sourcefire Defense Center |
Supported Model Name/Number | N/A |
Supported Software Version(s) | 4.10, 5.1, 5.1.1, 5.2, 5.3, 5.3.1, 5.4, 6.0, 6.1, 6.2, 6.3, 6.6, 6.7, 7.0, 7.1, and 7.2 (does not support 6.4 or 6.5) |
Collection Method | API |
Configurable Log Output? | No |
Log Source Type | API - Sourcefire eStreamer |
Log Processing Policy | LogRhythm Default |
Exceptions | LogRhythm does not support 6.4 or 6.5. |
Prerequisites
The TLS collection mechanism used by the Agent connects to the eStreamer server, streams intrusion and vulnerability data, and retains the last event received from the server through state tracking. The following information is required for this process to function properly and should be gathered before configuring collection:
- The permanent host name or IP address of the eStreamer server that will stream intrusion and vulnerability data to the agent.
- A client certificate from the eStreamer server for the LogRhythm System Monitor Agent. It is recommended that the client certificate be created with a password.
- For version 4.10, see the eStreamer documentation Configuring eStreamer on the eStreamer Server.
- For version 5.1 and above, see the eStreamer documentation Adding Authentication for eStreamer Clients.
- The identifying information (possibly host name or IP address, see eStreamer documentation) required by the eStreamer server of the LogRhythm System Monitor Agent that will collect intrusion and vulnerability data from the eStreamer server.
- The LogRhythm System Monitor Agent used to collect the intrusion and vulnerability data from the eStreamer server.
Configure the estreamer.ini File
The eStreamer interface is configured by modifying the estreamer.ini file in the System Monitor's config folder, which is usually in the following directory:
C:\Program Files\LogRhythm\LogRhythm System Monitor\config\.
The following settings are available in that file:
Setting | Default Value | Description |
---|---|---|
ServerAddress | CHANGE_THIS | Host name or IP address of eStreamer server. |
ServerPort | 8302 | TCP port of the eStreamer server. |
ClientAddress | CHANGE_THIS | IP address or index of the interface to use for retrieving messages from the eStreamer server. This is either a static IPv4/IPv6 address (recommended) or the zero-based index of the interface to use from a list of all available interfaces. The default is to select an interface from all available IPv4 interfaces. To select an address from all available IPv6 interfaces, append '|6' to the index number (e.g., use '0|6' to specify the first available IPv6 interface). Valid values are: |
ClientPort | 4444 | The port number to use for retrieving messages from the eStreamer server. Ports 0 through 65535 are allowed. 0 indicates that the client should use a system-assigned (ephemeral) port. |
Certificate | CHANGE_THIS | The eStreamer client SSL certificate file path – generated by the eStreamer registration tool. The client certificate must be copied to this location. |
Password | CHANGE_THIS | Password for the client SSL certificate. The password must be encrypted using the lrcrypt command line utility. Leave empty if the client SSL certificate has no password (this is NOT recommended). Usage: lrcrypt [-e passwordtoencrypt] [path\inifile]. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. |
ServerVersion | 4.10 | The version of eStreamer server protocol to use. Currently accepted versions are 4.10, 5.1, 5.1.1, 5.2, 5.3, 5.3.1, 5.4, 6.0, 6.1, 6.2, 6.3, 6.6, 6.7, 7.0, 7.1, and 7.2 (does not support 6.4 or 6.5). |
EnforceServerCertificateTrustedAuthorityCheck | False | Enables or disables the eStreamer server certificate trusted authority check. If set to False, the check will be performed, and a warning issued if the check fails, but the connection will be maintained. If set to True, the Agent will disconnect from the eStreamer server if this check fails. |
EnforceServerCertificateRevocationCheck | False | Enables or disables the eStreamer server Certificate Revocation Check. If set to False, the check will be performed, and a warning issued if the check fails, but the connection will be maintained. If set to True, the Agent will disconnect from the eStreamer server if this check fails. |
EnforceServerCertificateNameMatch | False | Enables or disables the eStreamer server certificate name match. If set to False, the check will be performed, and a warning issued if the check fails, but the connection will be maintained. If set to True, the Agent will disconnect from the eStreamer server if this check fails. |
ConnectionEvents | False | Enables or disables the collection of eStreamer Connection Events records. If set to False, Connection Events records will not be requested from the eStreamer server. If set to True, the Agent will request Connection Events records from the eStreamer server. |
StartupDelayInSeconds | 60 | If the server needs to be queried when the System Monitor is started, it will wait this long before running the query. Valid range is 0 to 300. |
SslProtocol | CHANGE_THIS | SSL/TLS protocol to use for the socket connection. Currently accepted protocols are TLS, TLS 1.1 and TLS 1.2. If no protocol is specified, one of these is used by default. |
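A pre-deployment check of an estreamer.ini against the settings above, written here as an added Python example (not LogRhythm code). It assumes the file is plain key=value lines, and it reports any CHANGE_THIS placeholder left in place, an unsupported ServerVersion, any of the three Enforce* settings still at False (which only warns on a failed certificate check), an unpinned SslProtocol, an empty Password, and out-of-range ClientPort or StartupDelayInSeconds values.

```python
"""Audit an estreamer.ini before deployment (added example, not LogRhythm code).
Assumes plain key=value lines; [section] headers, if present, are skipped."""
SUPPORTED_VERSIONS = {"4.10", "5.1", "5.1.1", "5.2", "5.3", "5.3.1", "5.4", "6.0",
                      "6.1", "6.2", "6.3", "6.6", "6.7", "7.0", "7.1", "7.2"}
ENFORCE_KEYS = ("EnforceServerCertificateTrustedAuthorityCheck",
                "EnforceServerCertificateRevocationCheck",
                "EnforceServerCertificateNameMatch")

def parse_ini(text):
    """Minimal key=value parser; blank lines, '#'/';' comments and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return a list of findings; an empty list means the file is ready to deploy."""
    findings = [f"{k}: placeholder CHANGE_THIS not replaced"
                for k, v in settings.items() if v == "CHANGE_THIS"]
    version = settings.get("ServerVersion")
    if version not in SUPPORTED_VERSIONS:
        findings.append(f"ServerVersion: {version!r} not supported (6.4 and 6.5 are excluded)")
    for key in ENFORCE_KEYS:  # False only warns on a failed certificate check
        if settings.get(key, "False").lower() != "true":
            findings.append(f"{key}: set True so a failed check disconnects the Agent")
    if settings.get("SslProtocol", "").replace(" ", "") != "TLS1.2":
        findings.append("SslProtocol: pin to TLS 1.2 instead of relying on the default")
    if settings.get("Password", "") == "":
        findings.append("Password: empty; use a password-protected certificate and lrcrypt")
    for key, default, upper in (("ClientPort", "4444", 65535),
                                ("StartupDelayInSeconds", "60", 300)):
        value = settings.get(key, default)
        if not (value.isdigit() and int(value) <= upper):
            findings.append(f"{key}: {value!r} outside 0-{upper}")
    return findings

# Constructed sample: a partly edited file with placeholders and an unsupported version.
DEFAULT_INI = """\
ServerAddress=CHANGE_THIS
Certificate=CHANGE_THIS
Password=CHANGE_THIS
ServerVersion=6.4
EnforceServerCertificateNameMatch=False
SslProtocol=CHANGE_THIS
"""
print(*audit(parse_ini(DEFAULT_INI)), sep="\n")  # 9 findings for this sample
```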
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - Sourcefire eStreamer. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, in the File Path box, type or paste the full path to the appropriate eStreamer configuration file (usually estreamer.ini).