Splunk® Supported Add-ons

Splunk Add-on for Cisco FireSIGHT

Configure inputs for the Splunk Add-on for Cisco FireSIGHT

The Splunk Add-on for Cisco FireSIGHT can collect eStreamer data using the eStreamer for Splunk app, but you can also collect syslog data from 4.X Sourcefire appliances and open-source Snort IDS. There are two ways to capture the syslog data.

  1. Use a syslog aggregator with a Splunk forwarder installed on it. Configure a monitor input to monitor the file or files generated by the aggregator.
  2. Create a TCP or UDP input to capture the data sent on the port you have configured in your device.

Monitor input

If you are using a syslog aggregator, install a forwarder on that machine and set up a monitor input to monitor the file or files that are generated. Refer to Source types for the Splunk Add-on for Cisco FireSIGHT to set your source type to match your data source. The CIM mapping and dashboard panels are dependent on these source types.

See Monitor files and directories in the Getting Data In manual for information about setting up a monitor input.

TCP/UDP input

In the Splunk platform node handling data collection, configure a TCP or UDP input to match your configurations in your device. Refer to Source types for the Splunk Add-on for Cisco FireSIGHT to set your source type to match your data source. The CIM mapping and dashboard panels are dependent on these source types.

For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see Get data from TCP and UDP ports in the Getting Data In manual.

Validate data collection

Once you have configured your inputs, run a search for the source type or types that you expect.

Last modified on 24 September, 2019
Install the Splunk Add-on for Cisco FireSIGHT   Troubleshoot the Splunk Add-on for Cisco FireSIGHT

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters