Configuring a Log Source for Cisco FireSIGHT Management Center Events

 

JSA does not automatically discover Cisco FireSIGHT Management Center events. You must configure a log source in JSA.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon, and then click Add.
  5. From the Log Source Type list, select Cisco FireSIGHT Management Center.
  6. From the Protocol Configuration list, select Cisco Firepower eStreamer.
  7. Configure the following parameters:

    | Parameter | Description |
    |---|---|
    | Server Address | The IP address or host name of the FireSIGHT Management Center device. |
    | Server Port | The port number that the FireSIGHT Management Center device is configured to accept connection requests on. The default port that JSA uses for the FireSIGHT Management Center device is 8302. |
    | Keystore Filename | The directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file at the following path: /opt/qradar/conf/estreamer.keystore |
    | Truststore Filename | The directory path and file name for the truststore files. The truststore file contains the certificates that are trusted by the client. By default, the import script creates the truststore file at the following path: /opt/qradar/conf/estreamer.truststore |
    | Request Extra Data | Select this option to request intrusion event extra data from FireSIGHT Management Center. For example, extra data includes the original IP address of an event. |
    | Domain | Note: Domain Streaming Requests are only supported for eStreamer version 6.x. Leave the Domain field blank for eStreamer version 5.x. The domain where the events are streamed from. The value in the Domain field must be a fully qualified domain. This means that all ancestors of the desired domain must be listed, starting with the top-level domain and ending with the leaf domain that you want to request events from. Example: Global is the top-level domain, B is a second-level domain that is a subdomain of Global, and C is a third-level domain and a leaf domain that is a subdomain of B. To request events from C, type the following value for the Domain parameter: Global \ B \ C |

  8. Click Save.
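
A pre-flight check for the Server Address, Server Port, Keystore Filename and Truststore Filename values above, run on the JSA console before saving the log source. This is an added example, not part of JSA or its import script. The function names are hypothetical, the defaults are the values stated on this page, and failing any file that grants access to "other" users is this example's own policy, chosen because the keystore holds a private key. It assumes bash and timeout are installed.

```shell
#!/bin/sh
# Added pre-flight check (not part of the JSA product or its import script).
# Defaults are the values stated on this page; override them via arguments.
KEYSTORE_DEFAULT=/opt/qradar/conf/estreamer.keystore
TRUSTSTORE_DEFAULT=/opt/qradar/conf/estreamer.truststore
PORT_DEFAULT=8302

# check_store FILE: succeed only if FILE is a non-empty regular file that is
# readable by the current user and grants no permissions to "other" users
# (assumed policy of this example, applied to both stores).
check_store() {
    f=$1
    [ -f "$f" ] || { echo "FAIL $f: missing or not a regular file"; return 1; }
    [ -s "$f" ] || { echo "FAIL $f: file is empty"; return 1; }
    [ -r "$f" ] || { echo "FAIL $f: not readable by $(id -un)"; return 1; }
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$f" | cut -c8-10)
    [ "$other" = "---" ] || { echo "FAIL $f: accessible to other users ($other)"; return 1; }
    echo "OK   $f"
}

# check_port HOST [PORT]: succeed if a TCP connection opens within 5 seconds.
# Host and port are passed as positional arguments, never interpolated into
# the command string, so an odd host name cannot inject shell syntax.
check_port() {
    host=$1
    port=${2:-$PORT_DEFAULT}
    if timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null; then
        echo "OK   $host:$port reachable"
    else
        echo "FAIL $host:$port not reachable"
        return 1
    fi
}

# preflight HOST [PORT] [KEYSTORE] [TRUSTSTORE]: run every check, print all
# results, and return non-zero if any check failed.
preflight() {
    rc=0
    check_store "${3:-$KEYSTORE_DEFAULT}" || rc=1
    check_store "${4:-$TRUSTSTORE_DEFAULT}" || rc=1
    check_port "$1" "${2:-$PORT_DEFAULT}" || rc=1
    return $rc
}
```

Call it as preflight followed by the Server Address value. A connection failure on the server port points at routing, firewalling or the eStreamer service on the FireSIGHT Management Center rather than at the log source settings.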