Exabeam Data Lake Collector Guide

Cisco eStreamer Log Collector in Exabeam Data Lake

Data Lake provides the ability for organizations to collect data from their Cisco FireSIGHT systems. Unlike the FileBeats and WindowsBeats collectors, the eStreamer collector is a service that runs on the Data Lake host and connects to the remote servers over the Cisco eStreamer protocol.

In a multi-node cluster, note that the eStreamer collector runs on the Data Lake master node exclusively.

Prerequisites for Setting Up Cisco eStreamer Collector

  • Port 8302 is opened for inbound and outbound traffic on the customer's firewall. This is the default port on which the eStreamer server runs.

  • client.pkcs12 file (this file is generated in the section Configure eStreamer Client)

  • Public IP address of the Data Lake master node

  • Network route between Data Lake master node and eStreamer client (such that endpoints respond to pings and allow bi-directional traffic).

Configure eStreamer Client for Data Lake

This section generates the public-private key pair that eNcore needs in order to run. The key pair is delivered as a pkcs12 file.

  1. Log into eStreamer Server.

  2. Navigate to the eStreamer integration page under System > Integration > eStreamer.

  3. Select Create Client at the top right.

  4. You will be asked for a Hostname (required) and password (optional).

    If the host on which the eStreamer client will run is on AWS, enter the public IP of the master node as the Hostname. To obtain the public IP, run the command curl -s ipinfo.io/ip on the master node.

    If you choose to enter a password, you will be required to enter the same password later in the setup process, when configuring eNcore to parse the certificate on the client side. Please note that this password is not the login credential password.

  5. Download the client certificate by clicking the download icon to the right of the Hostname.

    On the left side of this same page select all of the event types that will be collected by the eStreamer clients and click Save.


Run eStreamer Client for Exabeam Data Lake Log Collecting

Start eStreamer Collector

Copy the certificate file that was downloaded in the section Configure eStreamer Client to the Data Lake master node. In the example below, replace /path with the directory where the certificate was saved.

scp /path/client.pkcs12 user@host:/opt/exabeam/data/lms/estreamer/client.pkcs12

Configure the collector and enable the estreamer.conf file. You will be asked to enter the eStreamer service host (the public IP address of the eStreamer server) as well as the password (the same password you created in Step 4 of Configure eStreamer Client).

cd /opt/exabeam/bin/lms/
source /opt/exabeam/bin/shell-environment.bash
./lms-estreamer-install

Start the eStreamer collector:

cd /opt/exabeam/bin/lms
./lms-estreamer-start
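Before running the install and start scripts above, a quick pre-flight check of the prerequisites listed earlier (port 8302 reachable on the eStreamer server, the copied client.pkcs12 parseable with its password, and the master node's public IP for the Hostname field) saves a failed install. The script below is an added example, not part of the Exabeam guide or product; it assumes the eStreamer server host is passed as the first argument, the certificate password from Step 4 (if any) is in the ESTREAMER_CERT_PASS variable, and that curl, nc and openssl are installed on the master node.

```shell
#!/bin/sh
# Pre-flight checks for the Data Lake eStreamer collector (constructed example).
# Port and certificate path are the defaults from the guide.
ESTREAMER_PORT=8302
CERT_PATH=/opt/exabeam/data/lms/estreamer/client.pkcs12

# Returns 0 if the string is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# Returns 0 if the PKCS#12 file exists and, when openssl is available, can be
# parsed with the supplied password (empty password for clients created without one).
check_pkcs12() {
    f=$1; pass=$2
    [ -s "$f" ] || { echo "missing or empty certificate: $f"; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        openssl pkcs12 -in "$f" -info -noout -passin "pass:$pass" >/dev/null 2>&1 \
            || { echo "cannot parse $f with the given password"; return 1; }
    fi
    echo "certificate OK: $f"
}

# Returns 0 if a TCP connection to host:port succeeds within 3 seconds (needs nc).
check_port() {
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then
        echo "port $2 reachable on $1"; return 0
    fi
    echo "port $2 not reachable on $1 (check firewall rules and the network route)"; return 1
}

main() {
    server=${1:?usage: $0 <estreamer-server-host>}
    ip=$(curl -s ipinfo.io/ip)
    if is_ipv4 "$ip"; then
        echo "master node public IP (use as Hostname on the eStreamer server): $ip"
    else
        echo "could not determine public IP (got '$ip')"
    fi
    check_pkcs12 "$CERT_PATH" "${ESTREAMER_CERT_PASS:-}"
    check_port "$server" "$ESTREAMER_PORT"
}

# Only run the checks when a server host was given on the command line.
[ $# -gt 0 ] && main "$@"
```

Run it as sh estreamer-preflight.sh <estreamer-server-host> on the master node and fix anything it reports before running ./lms-estreamer-install.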

Note

By default eStreamer will begin collecting logs from 30 days before installation. See Configure Start Time for more information on this parameter.

Stop eStreamer Collector

This stops eStreamer but does not uninstall the client.

./lms-estreamer-stop

Verify eStreamer Client Status for Exabeam Data Lake Log Collecting

Verify Health of eStreamer Collector

There is a health check for the eStreamer Collector on the Health Status page in the UI. Note, however, that if the collector is NOT enabled, the Health Status page still shows the client as 'Healthy'.

You can also check estreamer.log, which gives more detailed information about the status of the client, such as fetching errors.

Verify Status of eStreamer Collector

To check the status of the service from the CLI:

./lms-estreamer-status

Uninstall Exabeam Data Lake eStreamer Log Collector

This script stops, disables, and removes the service. All current collector state is lost. However, it does NOT remove the certificate; if mistakes are made during installation, you can run this script multiple times and start over.

./lms-estreamer-uninstall

Additionally, remove the hostname and password from the eStreamer Server console.

  1. Log into eStreamer Server.

  2. Navigate to the eStreamer integration page under System > Integration > eStreamer.

  3. Select the applicable eStreamer client.

  4. Remove the Hostname and password record.