Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay


Dear community

I am trying to onboard the logs from my Cisco FMC (v6.4.0.7) to Splunk (7.3.3), using the app Cisco Firepower eStreamer eNcore (3.6.8).

The connectivity is OK, I am able to collect some logs for a few minutes,
and then the estreamer process stops/fails.
After 15/30 minutes the process is again able to collect some data events from the IDS ... and then fails again.

I don't really know where/what to troubleshoot.
Maybe the default setting "maxQueueSize": 100.
This one can be increased as we have a lot of events.

Thank you so much

Message output for index=estreamer sourcetype="cisco:estreamer:log" :

Starting process.
Starting process.
Starting process.
Starting Monitor.
Using TLS v1.2
Connecting to x.x.x.x:8302
Connection successful
Streaming info response
Response message=xxxxx
Receiving response message
Sending request message
Request message=0001000200000008ffffffff48900061
Creating request message
Using TLS v1.2
Connecting to xxxxx:8302
Creating connection
Check certificate
Settings: xxxxxxxx=
Processes: 4
Sha256: 3xxxxx
Platform version: Linux-3.10.0-1062.el7.x86_64-x86_64-with-redhat-7.7-Maipo
2020-03-10 11:14:28,556 Controller INFO Starting client (pid=25963).
eNcore version: 3.6.8
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Error state. Clearing queue
Stop message received
Process 20329 (Process-3) exit code: 0
Error state. Clearing queue
Stop message received
Process 20328 (Process-2) exit code: 0
Error state. Clearing queue
Stop message received
Process 20327 (Process-1) exit code: 1
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting process.
Starting process.
Starting process.
Starting Monitor.

0 Karma
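
The restart loop in the log output quoted in the question can be summarised run by run to see which worker failed. This is an added example, not part of the original thread or of the eNcore code; it assumes the messages are listed newest first (as a Splunk search returns them) and that each "Starting Monitor." marks a new run, and its sample lines are constructed from the messages quoted above.

```python
import re

# Constructed sample: messages quoted in the post, trimmed, newest first.
SAMPLE = """\
Starting Monitor.
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Error state. Clearing queue
Stop message received
Process 20327 (Process-1) exit code: 1
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting process.
Starting Monitor.
"""

EXIT = re.compile(r"Process (\d+) \((Process-\d+)\) exit code: (-?\d+)")
DEAD = re.compile(r"Process (\w+) is dead\.")
HANDLED = re.compile(r"(?:Starting|Running)\. (\d+) handled")

def summarize_cycles(text, newest_first=True):
    """Group eNcore log messages into runs and record what failed in each."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()  # process the oldest message first
    cycles, cur = [], None
    for line in lines:
        # Assumption: every "Starting Monitor." marks the start of a new run.
        if cur is None or line == "Starting Monitor.":
            cur = {"dead": [], "failed_exits": [], "clean_exits": 0,
                   "handled": 0, "stopped": False}
            cycles.append(cur)
        if m := EXIT.search(line):
            if int(m.group(3)) == 0:
                cur["clean_exits"] += 1
            else:
                cur["failed_exits"].append((m.group(2), int(m.group(3))))
        elif m := DEAD.search(line):
            cur["dead"].append(m.group(1))
        elif m := HANDLED.search(line):
            cur["handled"] = max(cur["handled"], int(m.group(1)))
        elif line == "Stopping Monitor.":
            cur["stopped"] = True
    return cycles

def failed_cycles(cycles):
    """Runs in which a worker was reported dead or exited non-zero."""
    return [c for c in cycles if c["dead"] or c["failed_exits"]]
```

A run with a non-zero exit code and zero handled events, as in the sample, indicates that a worker failed at start-up rather than falling behind on volume.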


Try to search for some errors in splunkd.log for "eStreamer".
Check this procedure for the add-on configuration.

0 Karma


Yes, I have this configuration, thank you.

The app works fine, collecting events on the FMC ... except every 15-20 minutes, when the estream app goes down. Then it takes a few minutes to restart and collect events again.

0 Karma


Can you please check which Python version you are running? I am asking because I had an issue at a customer where they were running CentOS 8 and the Python version that was running was Python 3.6... I also saw the same exit code in the logs.
Run the script ./ test at TA-eStreamer/bin... If you are getting this message:

./ test
Traceback (most recent call last):
File "./estreamer/", line 33, in
import estreamer.crossprocesslogging
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/", line 27, in
from estreamer.connection import Connection
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/", line 22, in
import ssl
File "/opt/splunk/lib/python2.7/", line 98, in
import _ssl # if we can't import it, let the error propagate
ImportError: cannot open shared object file: No such file or directory

Then, do this to fix it:
Install Python 2.7

Edit the python script “” at /opt/splunk/etc/apps/TA-eStreamer/bin and remove # from this line #SPLUNK_HOME=/opt/splunk



set -x

Uncomment #SPLUNK_HOME=/opt/splunk



Save it, then restart the Splunk service.

The Python error was fixed, and after a couple of minutes the data was being received properly.

Also try to play around with the Data configuration in the add-on. At the customer, I selected the option " Connections? This is a very high-volume option and may consume significant network and storage usage"

These were the steps I took to fix the issue at the customer. I hope this can help you.

0 Karma