
Set Up EStreamer Collector

Set up the EStreamer Collector to collect event data from your eStreamer server and push the logs to Exabeam Security Operations Platform.

Before setting up the collector, ensure that you are running Site Collector version 2.0 or later.

To set up the EStreamer Collector:

  1. Ensure that you create a client on your eStreamer server to add authentication.

  2. Log in to the Exabeam Security Operations Platform with your registered credentials.

  3. Navigate to Collectors > Site Collectors.

  4. Ensure that the Site Collector is installed and running.

    Note

    For the EStreamer collector configuration to succeed, do not set up your Site Collector instance on a proxy server.

  5. On the Site Collector page, click the Collectors Library tab, then click EStreamer.

  6. In the Definition section, enter the required information as follows.

    • Collector Name – Specify a name for the EStreamer collector instance.

    • Site Collector Instance – Select the site collector instance for which you want to set up the EStreamer Collector.

    • EStreamer Hostname or IP – Enter the IP address of the EStreamer server from which you want the EStreamer collector to pull logs.

    • Port – Enter the port number of your EStreamer server. The default port is 8302.

  7. Click Next.

  8. In the Authentication section, enter the following information and click Next.

    • TLS Protocol – Select the TLS protocol: TLSv1.2 or TLSv1.3.

    • Certificate – Click Select File to upload a valid security certificate, in *.pkcs12 format, that you downloaded from your eStreamer server for the GCP VM on which your Site Collector application is installed.

  9. Enter the password for the certificate and click Next.

  10. In the Data section, enter the following information.

    • EStreamer Fetch Timestamp – Select the date and time from which you want the collector to fetch logs. By default, the current date and time is selected. To ingest events from the past, select an earlier date. You can select a date up to 30 days in the past.

    • Exclude Records – Select the record type IDs that you want to exclude. For more information about record types, see Intrusion Event and General Metadata Record Types in the Cisco documentation.

  11. Click Setup.

    The EStreamer collector is set up and is ready to pull logs from your eStreamer server.

    Verify that the collector is installed: the collector instance is listed in the Overview section of the user interface.

    If installation fails, the collector is disabled and the configuration is saved. You can check the status of the collector on the user interface or by using the support package.

Create a Client on your eStreamer Server

For the eStreamer server to send events, add a client to the eStreamer server’s database. Download the certificate generated by the eStreamer server for this client, and upload this certificate while creating the collector instance to enable communication between the collector and eStreamer.

To create a client to add authentication:

  1. Navigate to EStreamer Firewall Management Server (FMC) Server > Integration > eStreamer.

  2. Click Create Client.

  3. On the Create Client page, in the Hostname field, enter the external IP address of the host that runs your Site Collector instance. For additional security for the certificate file, enter a password.

  4. Click Save.

  5. To download the certificate from the FMC Server, click the download icon.

    For more information, see Adding Authentication for eStreamer Clients in the Cisco documentation.

    Use the downloaded certificate while configuring the EStreamer Collector.
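
One way to check the downloaded certificate bundle before uploading it in the Authentication step (an added example, not Exabeam or Cisco tooling). It assumes the `openssl` CLI is installed; the function name `check_estreamer_p12` and the `P12_PASS` environment variable are names chosen for this example.

```shell
#!/bin/sh
# Pre-flight check of the eStreamer client certificate bundle (*.pkcs12).
# Usage: P12_PASS='<certificate password>' check_estreamer_p12 client.pkcs12 [min_days_valid]
# The password is read from the environment (P12_PASS, a name chosen for this
# example) so that it never appears on a command line or in the process list.
# Return codes: 0 ok, 1 unreadable file, 2 cannot open bundle,
#               3 no client certificate, 4 no private key, 5 expiring too soon.
check_estreamer_p12() {
    p12=$1
    min_days=${2:-30}

    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }

    # 1. Open the bundle with the supplied password and extract the client certificate.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || {
        echo "cannot open bundle: wrong password, not PKCS#12, or an algorithm this OpenSSL build does not support" >&2
        return 2
    }
    printf '%s\n' "$cert" | grep -q 'BEGIN CERTIFICATE' || {
        echo "no client certificate in bundle" >&2
        return 3
    }

    # 2. Confirm the private key is in the bundle. The key is only piped to grep,
    #    never written to disk.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || {
        echo "no private key in bundle" >&2
        return 4
    }

    # 3. Reject a certificate that expires within min_days days.
    printf '%s\n' "$cert" \
        | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "certificate expires within $min_days days" >&2
        return 5
    }

    # Print the subject and expiry date for the change record.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    return 0
}
```

A non-zero return code identifies which check failed, so the function can gate an automated rollout before the bundle is uploaded.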