Cisco Firepower eStreamer protocol configuration options

To collect events in IBM QRadar from a Cisco Firepower eStreamer (Event Streamer) service, configure a log source to use the Cisco Firepower eStreamer protocol.

The Cisco Firepower eStreamer protocol was formerly known as the Sourcefire Defense Center eStreamer protocol.

The Cisco Firepower eStreamer protocol is a passive outbound protocol. For more information about how this protocol streams events, see Understanding the eStreamer Application Protocol (https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer/EventStreamerIntegrationGuide/Protocol.html).

After the Cisco Firepower Management Center DSM is configured, events are streamed to QRadar and processed.

The following table describes the protocol-specific parameters for the Cisco Firepower eStreamer protocol:
Table 1. Cisco Firepower eStreamer protocol parameters

Parameter: Protocol Configuration
    Description: Cisco Firepower eStreamer

Parameter: Log Source Identifier
    Description: Type a unique name for the log source.

    The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Cisco Firepower eStreamer log source, ensure that you give each one a unique name.

Parameter: Server Port
    Description: The port number on which the Cisco Firepower eStreamer service is configured to accept connection requests.

    The default port that QRadar uses for Cisco Firepower eStreamer is 8302.

Parameter: Keystore Filename
    Description: The directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file at /opt/qradar/conf/estreamer.keystore

Parameter: Truststore Filename
    Description: The directory path and file name for the truststore files. The truststore file contains the certificates that are trusted by the client. By default, the import script creates the truststore file at /opt/qradar/conf/estreamer.truststore

Parameter: Request Extra Data
    Description: Select this option to request intrusion event extra data from Cisco Firepower Management Center. For example, extra data includes the original IP address of an event.

Parameter: Domain
    Important: Domain Streaming Requests are supported for eStreamer version 6.x and later. Leave the Domain field blank for eStreamer version 5.x.

    Description: The domain from which the events are streamed.

    The value in the Domain field must be a fully qualified domain. Therefore, all ancestors of the desired domain must be listed, starting with the top-level domain and ending with the leaf domain that you want to request events from.

    Example:

    Global is the top-level domain, B is a second-level domain that is a subdomain of Global, and C is a third-level domain and a leaf domain that is a subdomain of B. To request events from C, type the following value for the Domain parameter:

    Global \ B \ C
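The parameter rules in the table above (unique identifier, valid port, absolute keystore and truststore paths, a fully qualified "Global \ B \ C" domain path that must be left blank for eStreamer 5.x) can be checked before a log source is saved. The following added example is not IBM's or Cisco's code and does not use the QRadar API; it is a stand-alone validator that encodes only the rules stated on this page. The `estreamer_major_version` field, the `EStreamerConfig` class, and the treatment of `Global` as the fixed top-level domain name are assumptions made for the example.

```python
"""Validate a Cisco Firepower eStreamer log source configuration (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Iterable, List

DEFAULT_PORT = 8302                     # default port from Table 1
DEFAULT_KEYSTORE = "/opt/qradar/conf/estreamer.keystore"
DEFAULT_TRUSTSTORE = "/opt/qradar/conf/estreamer.truststore"
TOP_LEVEL_DOMAIN = "Global"             # assumption: the top-level domain is always named Global
DOMAIN_SEPARATOR = " \\ "               # the page's "Global \ B \ C" form: space, backslash, space


@dataclass
class EStreamerConfig:
    """Mirrors the protocol-specific parameters; field names are this example's own."""
    log_source_identifier: str
    server_port: int = DEFAULT_PORT
    keystore_filename: str = DEFAULT_KEYSTORE
    truststore_filename: str = DEFAULT_TRUSTSTORE
    request_extra_data: bool = False
    domain: str = ""                    # blank means "all domains / 5.x style request"
    estreamer_major_version: int = 6    # assumption: supplied by the operator, not by QRadar


def build_domain(path: Iterable[str]) -> str:
    """Join a top-level-to-leaf list of domain names into the Domain field format."""
    return DOMAIN_SEPARATOR.join(p.strip() for p in path)


def validate(cfg: EStreamerConfig, existing_identifiers: Iterable[str] = ()) -> List[str]:
    """Return a list of problems; an empty list means the configuration passes every rule."""
    problems: List[str] = []

    # Log Source Identifier: any value, but unique across eStreamer log sources.
    ident = cfg.log_source_identifier.strip()
    if not ident:
        problems.append("Log Source Identifier must not be empty")
    elif ident in set(existing_identifiers):
        problems.append(f"Log Source Identifier '{ident}' is already used by another eStreamer log source")

    # Server Port: must be a usable TCP port; 8302 is only the default, not the only value.
    if not 1 <= cfg.server_port <= 65535:
        problems.append(f"Server Port {cfg.server_port} is outside 1-65535")

    # Keystore / Truststore: the page gives absolute paths under /opt/qradar/conf.
    for label, path in (("Keystore", cfg.keystore_filename), ("Truststore", cfg.truststore_filename)):
        if not path.startswith("/"):
            problems.append(f"{label} Filename must be an absolute path, got '{path}'")

    # Domain: blank for 5.x; for 6.x and later a fully qualified path starting at the top level.
    if cfg.estreamer_major_version < 6:
        if cfg.domain:
            problems.append("Domain must be left blank for eStreamer version 5.x")
    elif cfg.domain:
        parts = cfg.domain.split(DOMAIN_SEPARATOR)
        if any(not p or p != p.strip() for p in parts):
            problems.append("Domain must list domains separated by ' \\ ' with no empty components")
        elif parts[0] != TOP_LEVEL_DOMAIN:
            problems.append(f"Domain must start with the top-level domain '{TOP_LEVEL_DOMAIN}'")

    return problems


if __name__ == "__main__":
    good = EStreamerConfig("fmc-east", domain=build_domain(["Global", "B", "C"]))
    print(good.domain, validate(good))
    print(validate(EStreamerConfig("fmc-west", domain="C")))
    print(validate(EStreamerConfig("fmc-old", domain="Global \\ B", estreamer_major_version=5)))
```

Run it as a pre-check from a change ticket or configuration script; every message it returns corresponds to one rule in Table 1, so a failing check points directly at the field to correct.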