Cisco eStreamer collector
The Cisco Event Streamer (also known as Cisco eStreamer) allows you to stream Firepower System events to external client applications. You can stream host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection data from a Management Center and you can stream intrusion data from 7000 and 8000 series devices.
Data source description
Currently, the Cisco eStreamer collector generates host, discovery, correlation, compliance allow list, intrusion, user activity, file, malware, and connection events. The collector processes the eStreamer responses and sends them to the Devo platform, which categorizes the received information into the following tables:
- Context information for codes and numeric identifiers in the event records
- Packets associated with intrusion events
- Intrusion events generated by managed devices
- Correlation and allow list events
- Realtime Network Awareness events
- Realtime User Awareness events
- Additional data for intrusion events
For more info about the Cisco eStreamer, visit the Firepower System Event Streamer Integration Guide.
The Cisco eStreamer data collector works against Cisco FMC (Firepower Management Center) devices. To start receiving data over the eStreamer protocol, you need to set up the eStreamer service in the FMC.
Setting up eStreamer
- Access the FMC web console.
- Go to System → Integration → eStreamer.
- Check the events that you want to receive and save the changes.
- Create a new client and save the certificate (and password/passphrase if configured) to be used later in the collector.
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).
We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.
This data collector can run on any machine that has the Docker service available, since it is executed as a Docker container. The following sections explain how to prepare the setup required to get the data collector running.
The following directory structure should be created to be used when running the Cisco eStreamer collector:
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
Editing the config-cisco.yaml file
In the config-cisco.yaml file, replace the
Download the Docker image
The collector should be deployed as a Docker container. Click here to download the Docker image of the collector as a .tgz file.
Use the following command to add the Docker image to the system:
Once the Docker image is imported, the command prints the real name of the Docker image (including version information). Replace
The Docker image can be deployed on the following services:
Execute the following command on the root directory
The following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
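Before starting the container, it is worth confirming that the three Devo X.509 files downloaded in the credentials step (Certificate, Private key and Chain CA) actually belong together, since a mismatched key or a certificate that does not chain to the CA only shows up later as a TLS failure in the collector logs. The following shell check is an added example, not code from the Devo page or from the collector itself; the file names cert.pem, key.pem and chain.crt are assumptions, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not part of the Devo documentation: check the Devo X.509
# files (certificate, private key, chain CA) before starting the collector.
# File names are assumptions; use whatever names the collector directory expects.
set -eu

# check_devo_creds CERT KEY CHAIN
# Returns 0 only if KEY is the private key for CERT and CERT verifies
# against the CA chain; prints the reason on stderr otherwise.
check_devo_creds() {
  cert="$1"; key="$2"; chain="$3"
  for f in "$cert" "$key" "$chain"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # Compare the public key embedded in the cert with the one derived from the key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
  # The chain CA must have signed the certificate (expired or foreign certs fail here)
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not verify against chain CA" >&2; return 1; }
  return 0
}

# make_sample_creds DIR: constructed sample CA + leaf certificate so the check
# can be exercised offline; real files come from Devo, not from here.
make_sample_creds() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Chain CA" \
    -keyout "$dir/ca.key" -out "$dir/chain.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sample-collector" \
    -keyout "$dir/key.pem" -out "$dir/req.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/req.csr" -CA "$dir/chain.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/cert.pem" 2>/dev/null
}

# Usage with constructed files: a matching set passes, a wrong key is rejected.
sample_dir=$(mktemp -d)
make_sample_creds "$sample_dir"
check_devo_creds "$sample_dir/cert.pem" "$sample_dir/key.pem" "$sample_dir/chain.crt" \
  && echo "sample credentials OK"
```

Point check_devo_creds at the real files in the collector directory; a non-zero exit with the printed reason tells you which of the three files to re-download before starting the container.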