My organization is a Splunk Cloud subscriber, and I am working on installing the Cisco Secure eStreamer Client Add-On. Currently, on-prem, we have one Heavy Forwarder (enterprise server) and two UFs forwarding events to our cloud indexer.
I am wondering what is the best practice for installing the eStreamer Client Add-On. Does the eStreamer Client Add-On have to be installed on the HF or can it go on the UF?
I previously installed it on the HF, but it caused errors with I/O latency (there are many millions of events coming from the Cisco FMC). I'm wondering if there is any way to distribute the load - I know the UF is better for handling many events.
Any help would be greatly appreciated.
The add-on requires Python so it must be installed on a HF. This is per the docs at https://www.cisco.com/c/en/us/td/docs/security/firepower/70/api/eNcore/eNcore_Operations_Guide_v08.h...
Consider standing up a separate HF for eStreamer inputs.
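A quick pre-flight check that follows from the answer above: before deploying the add-on, confirm the target forwarder is a full Splunk Enterprise install with a bundled interpreter rather than a Universal Forwarder. This is an added example and not part of the thread or of Cisco's add-on; it assumes that Splunk Enterprise ships its interpreter as `$SPLUNK_HOME/bin/python3.*` and that a Universal Forwarder is identifiable by its `etc/apps/SplunkUniversalForwarder` app directory. The paths and the function name are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Splunk install can host
# a Python-based modular input such as the eStreamer Client Add-On.
# Assumption: Splunk Enterprise (the HF role) bundles an interpreter as
# $SPLUNK_HOME/bin/python3.*; the Universal Forwarder ships no Python.
# Exit codes: 0 = HF (can host), 1 = UF (cannot host), 2 = undetermined.
# Usage: can_host_python_addon /opt/splunk

can_host_python_addon() {
    home="$1"
    if [ ! -d "$home/bin" ]; then
        echo "unknown: $home/bin does not exist" >&2
        return 2
    fi
    # Any executable python3* under bin/ means a full Splunk Enterprise install.
    for candidate in "$home"/bin/python3*; do
        if [ -x "$candidate" ]; then
            echo "heavy-forwarder: bundled $(basename "$candidate") found under $home/bin"
            return 0
        fi
    done
    # No interpreter: a UF is recognisable by its built-in app directory.
    if [ -d "$home/etc/apps/SplunkUniversalForwarder" ]; then
        echo "universal-forwarder: no bundled Python, the add-on cannot run here"
        return 1
    fi
    echo "unknown: no bundled Python found under $home/bin" >&2
    return 2
}
```

Run it against `$SPLUNK_HOME` on each host before pushing the add-on; a non-zero result on the box you intended to use is the signal to stand up (or pick) a dedicated HF instead.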
Thank you.