Configuring a Log Source for Cisco FireSIGHT Management Center Events
JSA does not automatically discover Cisco FireSIGHT Management Center events. You must configure a log source in JSA.
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon, and then click Add.
- From the Log Source Type list, select Cisco FireSIGHT Management Center.
- From the Protocol Configuration list, select Cisco Firepower eStreamer.
- Configure the following parameters:
The IP address or host name of the FireSIGHT Management Center device.
The port number that the FireSIGHT Management Center device is configured to accept connection requests on. The default port that JSA uses for the FireSIGHT Management Center device is 8302.
The directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file in the following directory:
The directory path and file name for the truststore files. The truststore file contains the certificates that are trusted by the client. By default, the import script creates the truststore file in the following directory:
Request Extra Data
Select this option to request intrusion event extra data from FireSIGHT Management Center. For example, extra data includes the original IP address of an event.
Note: Domain Streaming Requests are only supported for eStreamer version 6.x. Leave the Domain field blank for eStreamer version 5.x.
The domain where the events are streamed from.
The value in the Domain field must be a fully qualified domain. This means that all ancestors of the desired domain must be listed starting with the top-level domain and ending with the leaf domain that you want to request events from.
Global is the top level domain, B is a second level domain that is a subdomain of Global, and C is a third-level domain and a leaf domain that is a subdomain of B. To request events from C, type the following value for the Domain parameter:
Global \ B \ C
- Click Save.