Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay


Dear community,

I am trying to onboard the logs from my Cisco FMC (v6.4.0.7) to Splunk (7.3.3), using the app Cisco Firepower eStreamer eNcore (3.6.8).

The connectivity is OK; I am able to collect some logs for a few minutes, and then the estreamer process stopped/failed. After 15/30 minutes the process is able again to collect some data events from the IDS ... and then fails again.

I don't really know where/what to troubleshoot. Maybe the default setting "maxQueueSize": 100. This one can be increased, as we have a lot of events.

Thank you so much

Message output for index=estreamer sourcetype="cisco:estreamer:log" :

Starting process.
Starting process.
Starting process.
Starting Monitor.
Using TLS v1.2
Connecting to x.x.x.x:8302
Connection successful
Streaming info response
Response message=xxxxx
Receiving response message
Sending request message
Request message=0001000200000008ffffffff48900061
Creating request message
Using TLS v1.2
Connecting to xxxxx:8302
Creating connection
Check certificate
Settings: xxxxxxxx=
Processes: 4
Sha256: 3xxxxx
Platform version: Linux-3.10.0-1062.el7.x86_64-x86_64-with-redhat-7.7-Maipo
2020-03-10 11:14:28,556 Controller INFO Starting client (pid=25963).
eNcore version: 3.6.8
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Error state. Clearing queue
Stop message received
Process 20329 (Process-3) exit code: 0
Error state. Clearing queue
Stop message received
Process 20328 (Process-2) exit code: 0
Error state. Clearing queue
Stop message received
Process 20327 (Process-1) exit code: 1
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting process.
Starting process.
Starting process.
Starting Monitor.

0 Karma
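
Added example, not part of the original post or of eNcore: a small Python triage of the cisco:estreamer:log messages shown above, grouping them into Monitor start/stop cycles and reporting which worker died and which process exited non-zero in each. It assumes the messages are listed newest first, as in the post; `summarize_cycles` and `crash_loops` are hypothetical helper names.

```python
import re

# Constructed sample: message lines taken from the log in the post, newest
# first (assumed to be the order the Splunk search returned them).
SAMPLE_NEWEST_FIRST = """\
Starting Monitor.
eNcore version: 3.6.8
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Process 20327 (Process-1) exit code: 1
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting Monitor.
""".splitlines()

EXIT_RE = re.compile(r"Process (\d+) \((Process-\d+)\) exit code: (-?\d+)")
DEAD_RE = re.compile(r"Process (\S+) is dead\.")
RATE_RE = re.compile(r"(\d+) handled; average rate")

def summarize_cycles(lines_newest_first):
    """Group messages into Monitor start/stop cycles and record failures."""
    cycles, cur = [], None
    for line in reversed(lines_newest_first):       # walk oldest -> newest
        line = line.strip()
        if line.endswith("Starting Monitor."):
            cur = {"dead": [], "failed": {}, "max_handled": 0, "stopped": False}
            cycles.append(cur)
        elif cur is None:
            continue                                 # outside any cycle
        elif line.endswith("Stopping Monitor."):
            cur["stopped"] = True
            cur = None                               # ignore lines until next start
        else:
            dead, exited, rate = DEAD_RE.search(line), EXIT_RE.search(line), RATE_RE.search(line)
            if dead:
                cur["dead"].append(dead.group(1))
            if exited and exited.group(3) != "0":    # keep only non-zero exits
                cur["failed"][exited.group(2)] = int(exited.group(3))
            if rate:
                cur["max_handled"] = max(cur["max_handled"], int(rate.group(1)))
    return cycles

def crash_loops(cycles):
    """Cycles that were stopped after a dead worker or a non-zero exit code."""
    return [c for c in cycles if c["stopped"] and (c["dead"] or c["failed"])]

if __name__ == "__main__":
    print(crash_loops(summarize_cycles(SAMPLE_NEWEST_FIRST)))
```

A cycle that stops with `max_handled` still at 0 means the worker died before processing any event, which points at startup rather than at event volume.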


Try to search for some errors in splunkd.log for "eStreamer".
Check this procedure for the add-on configuration.

0 Karma


Yes, I have this configuration, thank you.

The app works fine, collecting events on the FMC ... except every 15-20 minutes, when the estream app goes down. Then it takes a few minutes to restart and collect events again.

0 Karma


Can you please check which Python version you are running? I am asking because I had an issue at a customer where they were running CentOS 8 and the Python version that was running was Python 3.6... I also saw the same exit code in the logs.
Run the script ./ test at TA-eStreamer/bin. If you are getting this message:

./ test
Traceback (most recent call last):
File "./estreamer/", line 33, in
import estreamer.crossprocesslogging
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/", line 27, in
from estreamer.connection import Connection
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/", line 22, in
import ssl
File "/opt/splunk/lib/python2.7/", line 98, in
import _ssl # if we can't import it, let the error propagate
ImportError: cannot open shared object file: No such file or directory

Then do this to fix it:
Install Python 2.7.

Edit the python script “” at /opt/splunk/etc/apps/TA-eStreamer/bin and remove # from this line: #SPLUNK_HOME=/opt/splunk

set -x

Uncomment #SPLUNK_HOME=/opt/splunk

Save it and restart the Splunk service.

The Python error was fixed, and after a couple of minutes the data was being received properly.

Also try to play around with the Data configuration in the add-on; at the customer, I selected the option "Connections? This is a very high-volume option and may consume significant network and storage usage".

These were the steps I took to fix the issue on customer. I hope this can help you.

0 Karma