The archived app https://splunkbase.splunk.com/app/1629/ only contains props for a source of [source::eStreamer], so this will not do anything for data ingested. It is also archived.
Should this be updated to https://splunkbase.splunk.com/app/7404, as even the non-archived eStreamer app states:
"*Updates July 15th, 2024
The current Cisco Secure Firewall app is going EOL, limited support will be provided for the current implementation, please use the latest app, the Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404
The Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404 -- provides eStreamer SDK integration which will provide fully qualified event support for IDS, Malware, Connection and IDS Packet data."
Both of these apps do have props for sourcetype [cisco:firepower:syslog], so that will do something with the parsed ingest from sc4s (not tested).
Can you review and, if needed, correct the documentation so we know what to use without an investigation?
I've looked into the props.conf file for the Cisco eStreamer for Splunk app, and the extraction it contains applies only to [source::eStreamer]. I also checked the parsers in SC4S but couldn't locate any that set the source to eStreamer or anything similar. Also, I checked props.conf for the Splunk Security Cloud app; I noted that it does not use any of the sourcetype extractions specified in the SC4S documentation, aside from cisco:asa.
So my recommendation is to remove this ref altogether. I'll raise a PR for the same and will close this issue soon.
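The check described in the comment above (does a stanza keyed on `[source::eStreamer]` ever fire on events that SC4S delivers with a sourcetype such as `cisco:firepower:syslog`?) can be scripted. The following is an added example, not code from the SC4S project or from either Splunkbase app. The props.conf text and the two events are constructed for illustration and do not reproduce the real apps' props.conf; `source = "sc4s"` on the firewall event is an assumption. The matcher implements only the basic stanza rules (a bare stanza name is an exact sourcetype match; `source::` and `host::` stanzas take `*`, which does not cross `/`, and `...`, which does); it ignores stanza precedence, `[rule::]`/`[delayedrule::]` stanzas and the `(?::){0}` ordering syntax.

```python
"""Report which props.conf stanzas apply to an event and what its EXTRACT-* settings yield."""
import configparser
import re

# Constructed props.conf, NOT the content of the Splunkbase apps discussed in the issue.
SAMPLE_PROPS = r"""
[source::eStreamer]
EXTRACT-estreamer_fields = ^(?P<rec_type>\d+),(?P<event_id>\d+)

[cisco:firepower:syslog]
EXTRACT-fp_action = \bAccessControlRuleAction:\s(?P<action>\w+)

[cisco:asa]
EXTRACT-asa_msg = %ASA-(?P<severity>\d)-(?P<message_id>\d{6})
"""

# Constructed events. SC4S emitting source="sc4s" is an assumption made for this example.
FIREPOWER_EVENT = {
    "sourcetype": "cisco:firepower:syslog",
    "source": "sc4s",
    "host": "ftd01",
    "_raw": "AccessControlRuleAction: Allow, Protocol: tcp, SrcIP: 10.0.0.5",
}
ESTREAMER_EVENT = {
    "sourcetype": "cisco:estreamer:data",
    "source": "eStreamer",
    "host": "fmc01",
    "_raw": "71,12345,1720000000,connection",
}


def load_props(text):
    """Parse props.conf text into {stanza_name: {setting: value}}.

    interpolation=None keeps '%' literal, strict=False tolerates repeated keys,
    and optionxform=str preserves the case of settings such as EXTRACT-foo.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def stanza_to_regex(stanza):
    """Translate a stanza header into (event field, compiled regex for fullmatch).

    source::/host:: patterns support Splunk's '*' (no '/') and '...' (anything);
    a bare stanza name is matched literally against the sourcetype.
    """
    if stanza.startswith("source::"):
        field, pattern = "source", stanza[len("source::"):]
    elif stanza.startswith("host::"):
        field, pattern = "host", stanza[len("host::"):]
    else:
        return "sourcetype", re.compile(re.escape(stanza))
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return field, re.compile("".join(parts))


def matching_stanzas(props_text, event):
    """Return the sorted stanza names whose key matches the event's field value."""
    hits = []
    for name in load_props(props_text):
        field, regex = stanza_to_regex(name)
        if regex.fullmatch(event.get(field, "")):
            hits.append(name)
    return sorted(hits)


def extract_fields(props_text, event):
    """Run every EXTRACT-* regex from the matching stanzas over _raw; merge named groups."""
    props = load_props(props_text)
    fields = {}
    for name in matching_stanzas(props_text, event):
        for setting, regex in props[name].items():
            if setting.startswith("EXTRACT-"):
                m = re.search(regex, event["_raw"])
                if m:
                    fields.update(m.groupdict())
    return fields


if __name__ == "__main__":
    for label, ev in (("sc4s firewall syslog", FIREPOWER_EVENT), ("eStreamer", ESTREAMER_EVENT)):
        print(label, "->", matching_stanzas(SAMPLE_PROPS, ev), extract_fields(SAMPLE_PROPS, ev))
```

Run against a real app, read the app's `default/props.conf` into `props_text` and build the event dict from what SC4S actually sets on an indexed event (for example via `| head 1 | table source sourcetype host _raw` in Splunk). An empty result for the sourcetypes SC4S produces means the app's extractions never run on that data, which is the point made in the comment.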