External Systems Configuration Guide

Cisco FireSIGHT and FirePower Threat Defence

This section describes how FortiSIEM collects logs from the Cisco FireSIGHT console and FirePower Threat Defence via the eStreamer API integration. FortiSIEM provides two integration options: the FortiSIEM built-in eStreamer integration, or the Cisco FirePower eStreamer eNcore client.

The Cisco eNcore client collects system intrusion, discovery, and connection data from the Firepower Management Center or a managed device (also referred to as the eStreamer server) and delivers it to external client applications, in this case via syslog to FortiSIEM.

What is Discovered and Monitored

Protocol: eStreamer API
Information Discovered: (none listed)
Logs Collected: Intrusion Events, Malware Events, File Events, Discovery Events, User Activity Events, Impact Flag Events
Used For: Security Monitoring

Rules

There are no predefined rules for this device.

Reports

The following reports are provided:

  • Top Cisco FireAMP Malware Events
  • Top Cisco FireAMP File Analysis Events
  • Top Cisco FireAMP Vulnerable Intrusion Events
  • Top Cisco FireAMP Discovered Login Events
  • Top Cisco FireAMP Discovered Network Protocol
  • Top Cisco FireAMP Discovered Client App
  • Top Cisco FireAMP Discovered OS

Using FortiSIEM Client

FortiSIEM obtains events from Cisco FireSIGHT via the eStreamer protocol.

Event Types
  • Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION

    [PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eventType]=Snort-1,[compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGeneratorId]=137,[ipsSignatureId]=2,[ipsClassificationId]=32,[srcIpAddr]=10.131.10.1,[destIpAddr]=10.131.10.120,[srcIpPort]=34730,[destIpPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7,[fireAmpImpact]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[webAppId]=0,[clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPolicyId]=63098,[srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[destIntfName]=b1a1f900-cd95-11e4-a8b0-b61685955f02,[srcFwZone]=9e34052a-9b4f-11e4-9b83-efa88d47586f,[destFwZone]=a7bd89cc-9b4f-11e4-8260-63a98d47586f,[connEventTime]=1430501705,[connCounter]=371,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=
  • Malware events: PH_DEV_MON_FIREAMP_MALWARE

    [PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934,[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,[ipProto]=6,[fileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1,[fileTimestamp]=0,[hashAlgo]=SHA,[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 ,[fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentFileHashCode]=,[infoURL]=http://wrl/wrl/CplLnk.exe ,[threatScore]=0,[fireAmpDisposition]=3,[fireAmpRetrospectiveDisposition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[applicationId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecIntelId]=0,[phLogDetail]=
  • File events: PH_DEV_MON_FIREAMP_FILE

    [PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343,[srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,[ipProto]=6,[fileName]=Locksky.exe ,[hashAlgo]=SHA,[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1,[fileSize64]=60905,[fileDirection]=1,[fireAmpDisposition]=3,[fireAmpSperoDisposition]=4,[fireAmpFileStorageStatus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0,[fireAmpFileAction]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991,[infoURL]=http://wrl/wrl/Locksky.exe ,[signatureName]=,[accessCtlPolicyId]=125869976,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[connCounter]=103,[connEventTime]=1430497343,[phLogDetail]=
  • Discovery events:
    • PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL

      [PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDevIpAddr]=10.1.23.177,[destIpPort]=2054,[ipProto]=54,[phLogDetail]=
    • PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT

      [PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=737,[reptDevIpAddr]=10.1.23.177,[fingerprintId]=01f772b2-fceb-4777-8a50-1e1f27426ad0,[osType]=Windows 7,[hostVendor]=Microsoft,[osVersion]=NULL,[phLogDetail]=
    • PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP

      [PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=775,[reptDevIpAddr]=10.1.23.177,[clientAppId]=638,[appName]=Firefox,[phLogDetail]=
    • PH_DEV_MON_FIREAMP_DISCOVERY_SERVER

      [PH_DEV_MON_FIREAMP_DISCOVERY_SERVER]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=853,[reptDevIpAddr]=10.1.23.177,[applicationId]=676,[appTransportProto]=HTTP,[phLogDetail]=
  • User activity events: PH_DEV_MON_FIREAMP_USER_LOGIN

    [PH_DEV_MON_FIREAMP_USER_LOGIN]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=672,[reptDevIpAddr]=10.1.23.177,[deviceTime]=1430490441,[user]=ABerglund ,[userId]=0,[ipProto]=710,[emailId]=,[loginType]=0,[destIpAddr]=198.18.133.1 ,[phLogDetail]=
  • Impact Flag events: PH_DEV_MON_FIREAMP_IMPACT_FLAG

    [PH_DEV_MON_FIREAMP_IMPACT_FLAG]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,[lineNumber]=591,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=34,[deviceTime]=1430491431,[eventType]=Snort-648,[compEventType]=PH_DEV_MON_FIREAMP_IMPACT_FLAG,[ipsGeneratorId]=1,[ipsSignatureId]=14,[ipsClassificationId]=29,[srcIpAddr]=10.131.12.240,[destIpAddr]=10.131.11.46,[srcIpPort]=80,[destIpPort]=8964,[ipProto]=6,[fireAmpImpactFlag]=7,[phLogDetail]=
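All of the samples above share one layout: the event type in brackets followed by a colon, then comma-separated [key]=value pairs ending in an empty [phLogDetail]. The parser below is an added example written for this guide (it is not FortiSIEM or Cisco code) for reading such lines, for instance when checking what the collector produced during verification. It keeps every occurrence of a key, because the malware and file events carry fileName twice (the agent's own source file, then the transferred file); it strips the trailing spaces present in some values and accepts empty values such as filePath. The two sample constants are copies of events shown above, and the function names are chosen for this example.

```python
import re

# Constructed sample in the FortiSIEM attribute format: a shortened copy of the
# malware event shown above, not a live capture.
SAMPLE_MALWARE_EVENT = (
    "[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,"
    "[fileName]=phFireAMPAgent.cpp,[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,"
    "[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[destIpPort]=80,"
    "[fileName]=CplLnk.exe ,[filePath]=,[hashAlgo]=SHA,"
    "[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 ,"
    "[infoURL]=http://wrl/wrl/CplLnk.exe ,[fireAmpDisposition]=3,[phLogDetail]="
)

# Copy of the OS fingerprint discovery event shown above.
SAMPLE_OS_EVENT = (
    "[PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT]:[eventSeverity]=PHL_INFO,"
    "[fileName]=phFireAMPAgent.cpp,[lineNumber]=737,[reptDevIpAddr]=10.1.23.177,"
    "[fingerprintId]=01f772b2-fceb-4777-8a50-1e1f27426ad0,[osType]=Windows 7,"
    "[hostVendor]=Microsoft,[osVersion]=NULL,[phLogDetail]="
)

# "[EVENT_TYPE]:" opens every line.
_HEADER = re.compile(r"^\[([^\]]+)\]:")
# A value runs until the next ",[key]=" or the end of the line, so URLs and
# other values containing ':' or ',' survive intact and empty values parse.
_ATTR = re.compile(r"\[([^\]]+)\]=(.*?)(?=,\[[^\]]+\]=|$)")


def parse_event(line):
    """Return (event_type, attrs); attrs maps each key to the list of its values
    in order of appearance. Lists matter: fileName appears twice in malware and
    file events (agent source file, then the transferred file), and a plain
    dict would keep only one of them."""
    line = line.strip()
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a FortiSIEM event line")
    attrs = {}
    for key, value in _ATTR.findall(line[m.end():]):
        attrs.setdefault(key, []).append(value.strip())
    return m.group(1), attrs


def file_event_summary(line):
    """Pull the fields an analyst triages first from a malware or file event."""
    event_type, attrs = parse_event(line)
    if event_type not in ("PH_DEV_MON_FIREAMP_MALWARE", "PH_DEV_MON_FIREAMP_FILE"):
        raise ValueError("not a malware/file event: " + event_type)
    return {
        "event_type": event_type,
        "file": attrs["fileName"][-1],          # last occurrence = transferred file
        "hash_algo": attrs["hashAlgo"][0],
        "hash": attrs["hashCode"][0].lower(),
        "disposition": int(attrs["fireAmpDisposition"][0]),
        "src": attrs["srcIpAddr"][0],
        "dst": "%s:%s" % (attrs["destIpAddr"][0], attrs["destIpPort"][0]),
    }


if __name__ == "__main__":
    for k, v in sorted(file_event_summary(SAMPLE_MALWARE_EVENT).items()):
        print("%-12s %s" % (k, v))
```

The same parse_event call works on every event type listed above; only file_event_summary is specific to the malware and file events, and it refuses the others instead of guessing.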

Configuration

Cisco FireSIGHT Configuration
  1. Log in to the Cisco FireSIGHT console.
  2. Go to System > Local > Registration > eStreamer.
  3. Click Create Client:
    1. Enter the IP address and a password for FortiSIEM.
    2. Click Save.
  4. Select the types of events that should be forwarded to FortiSIEM.
  5. Click Download Certificate and save the certificate to a local file.
FortiSIEM Configuration
  1. Go to ADMIN > Setup > Credentials.
  2. Create a credential:
    1. Set Device Type to Cisco FireAMP.
    2. Set Access Method to eStreamer.
    3. Enter the password from Step 3a above.
    4. Click Certificate File > Upload and select the certificate downloaded in Step 5.
    5. Click Save.
  3. Create an IP range to Credential Association:
    1. Enter the IP address of the FireSIGHT console.
    2. Select the credential created in Step 2 above.
  4. Click Test Connectivity. FortiSIEM will start collecting events from the FireSIGHT console.

Using Cisco eStreamer Client

Cisco has published a free eStreamer client to pull events from the FireAMP server. This client is more up-to-date than FortiSIEM’s own eStreamer client.

If you decide to use Cisco’s eStreamer client instead of FortiSIEM’s eStreamer client, follow these steps.

Step 1: Install a new version of Python under a new user 'estreamer'

This is required because the Python build used by FortiSIEM is compiled with UCS2 Unicode support (PyUnicodeUCS2), while the eStreamer client requires a standard Python build with UCS4 support (PyUnicodeUCS4).

  1. Log in to the FortiSIEM Collector or the node where the eStreamer client is going to be installed.
  2. Create the estreamer user using the command:
    1. useradd estreamer
  3. Download the Python source using the commands:
    1. su estreamer
    2. mkdir ~/python
    3. cd ~/python
    4. wget https://www.python.org/ftp/python/2.7.11/Python-2.7.11.tgz
  4. Build and install Python:
    1. tar zxfv Python-2.7.11.tgz
    2. find ~/python -type d | xargs chmod 0755
    3. cd Python-2.7.11
    4. ./configure --prefix=$HOME/python --enable-unicode=ucs4
    5. make && make install
    6. Add the following two lines to ~/.bashrc:
      export PATH=$HOME/python/Python-2.7.11/:$PATH
      export PYTHONPATH=$HOME/python/Python-2.7.11
    7. source ~/.bashrc
Step 2: Download and configure eStreamer client
  1. SSH to the FortiSIEM Collector or the node where the eStreamer client is going to be installed, as the estreamer user.
  2. Clone the client repository: git clone git://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight.git
  3. Change directory using the command:
    cd fp-05-firepower-cef-connector-arcsight
  4. Log in to the eStreamer server and:
    1. Go to System > Integration > eStreamer.
    2. Create a new client and enter the IP address of the Supervisor/Collector as the host.
    3. Download the pkcs12 file and save it to the directory:
      fp-05-firepower-cef-connector-arcsight
  5. Go back to the fp-05-firepower-cef-connector-arcsight directory.
  6. Run sh encore.sh and, when prompted, type 2 to select CEF output. An estreamer.conf file is generated.
  7. Edit estreamer.conf with the settings below (the file is in JSON format):
    • handler.outputters.stream.uri : "udp://VA_IP:514"
    • servers.host : eStreamer_Server_IP
    • servers.pkcs12Filepath : /path/to/pkcs12
  8. Run the following two commands:
    • openssl pkcs12 -in "client.pkcs12" -nocerts -nodes -out "/path/to/fp-05-firepower-cef-connector-arcsight/client_pkcs.key"
    • openssl pkcs12 -in "client.pkcs12" -clcerts -nokeys -out "/path/to/fp-05-firepower-cef-connector-arcsight/client_pkcs.cert"
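Before moving on to Step 3, it is worth confirming that Step 1 and Step 2 produced what the client expects. The script below is an added example written for this guide, not part of Cisco's eNcore client: it checks that the interpreter is a UCS4 build (the reason for Step 1) and that the three estreamer.conf settings from step 7 no longer hold their placeholder values and point at a pkcs12 file that exists. The guide only names the dotted keys, so the JSON layout assumed here (lists under "outputters" and "servers", with the first element in use) and the PLACEHOLDER_CONF stand-in are assumptions, as are all function names.

```python
import copy
import json
import os
import re
import subprocess
import sys

# Constructed stand-in for the estreamer.conf that encore.sh generates. The
# real file has many more keys; the list layout is an ASSUMPTION made for
# this example, the guide only gives the dotted key names.
PLACEHOLDER_CONF = {
    "handler": {"outputters": [{"stream": {"uri": "udp://VA_IP:514"}}]},
    "servers": [{"host": "eStreamer_Server_IP", "pkcs12Filepath": "/path/to/pkcs12"}],
}

# Shape required of handler.outputters.stream.uri: udp://<host>:<port>.
_SYSLOG_URI = re.compile(r"^udp://[^:/\s]+:\d{1,5}$")


def _step(node, part, create=False):
    """Enter one dotted-path component; a list is entered at index 0."""
    if isinstance(node, list):
        if not node:
            if not create:
                return None
            node.append({})
        node = node[0]
    if not isinstance(node, dict):
        return None
    if create:
        return node.setdefault(part, {})
    return node.get(part)


def get_path(conf, dotted):
    """Read a dotted key such as 'servers.host' from parsed JSON."""
    node = conf
    for part in dotted.split("."):
        node = _step(node, part)
        if node is None:
            return None
    return node


def set_path(conf, dotted, value):
    """Write a dotted key, creating intermediate objects as needed."""
    parts = dotted.split(".")
    node = conf
    for part in parts[:-1]:
        node = _step(node, part, create=True)
    if isinstance(node, list):
        if not node:
            node.append({})
        node = node[0]
    node[parts[-1]] = value
    return conf


def apply_guide_settings(conf, fortisiem_ip, estreamer_ip, pkcs12_path):
    """Return a copy of conf with the three settings from step 7 applied."""
    conf = copy.deepcopy(conf)
    set_path(conf, "handler.outputters.stream.uri", "udp://%s:514" % fortisiem_ip)
    set_path(conf, "servers.host", estreamer_ip)
    set_path(conf, "servers.pkcs12Filepath", pkcs12_path)
    return conf


def check_conf(conf, base_dir=".", isfile=os.path.isfile):
    """List the problems that would make the client fail or send events nowhere."""
    problems = []
    uri = get_path(conf, "handler.outputters.stream.uri")
    if not uri or uri.startswith("udp://VA_IP:"):
        problems.append("stream.uri is unset or still has the VA_IP placeholder")
    elif not _SYSLOG_URI.match(uri):
        problems.append("stream.uri must look like udp://<FortiSIEM_IP>:514, got %r" % uri)
    host = get_path(conf, "servers.host")
    if not host or host == "eStreamer_Server_IP":
        problems.append("servers.host is unset or still the placeholder")
    p12 = get_path(conf, "servers.pkcs12Filepath")
    if not p12:
        problems.append("servers.pkcs12Filepath is unset")
    elif not isfile(os.path.join(base_dir, p12)):
        problems.append("pkcs12 file not found: %s" % p12)
    return problems


def check_interpreter(python_path=sys.executable):
    """Step 1 check: the client needs a UCS4 build (sys.maxunicode == 0x10FFFF)."""
    out = subprocess.check_output([python_path, "-c", "import sys; print(sys.maxunicode)"])
    if int(out.strip()) != 0x10FFFF:
        return ["%s is not a UCS4 build; rebuild with --enable-unicode=ucs4" % python_path]
    return []


def preflight(conf_path, python_path=sys.executable):
    """Everything that should be clean before running 'encore.sh start'."""
    with open(conf_path) as fh:
        conf = json.load(fh)
    base_dir = os.path.dirname(os.path.abspath(conf_path))
    return check_interpreter(python_path) + check_conf(conf, base_dir)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "estreamer.conf"
    for problem in preflight(path) or ["OK"]:
        print(problem)
```

Run it from the connector directory with the Python built in Step 1, passing the path to estreamer.conf; every line it prints is something to fix before Step 3, and a single OK means nothing blocking was found. A relative pkcs12Filepath is resolved against the directory holding estreamer.conf, which matches where step 4c tells you to save the file.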
Step 3: Start eStreamer client

SSH to the FortiSIEM Collector or the node where the eStreamer client is installed, as the estreamer user. Start the eStreamer client by entering:
encore.sh start

The eStreamer client is now ready for use. FortiSIEM 5.2.5 contains an updated parser for the events generated by the Cisco eStreamer client. Trigger a few events on the eStreamer server and query them from FortiSIEM to verify that everything is working.
