
FirePower eNcore event count drops after normal FirePower Defense Center updates

_joe
Path Finder

Hello all,

I was wondering if anyone else has seen their event count drop (down to 10%?) after the FirePower team updates signatures on the Defense Center? 

In the last couple of months I saw this happen twice: once when I was running 'Firepower eNcore Add-On for Splunk' v4.0.7, and once when I was running 3.6.8 (I downgraded). The FirePower team says there was nothing abnormal about their update.

I am running ~ Splunk Enterprise 8.4 

Upgrading to eNcore 4.0.9 is not an option (the forwarder crashed on that version weeks ago; we opened a Cisco TAC case and they still haven't been able to tell us what happened).

Cisco Secure eStreamer Client (f.k.a Firepower eNcore) Add-On for Splunk
https://splunkbase.splunk.com/app/3662/


_joe
Path Finder

Thanks vikramyadav. The only problem is I also ran into this issue on 4.0.7 and Enterprise v8. I could downgrade, but I hope to move back to 4.x soon after Cisco resolves some of the 4.0.9 bugs (they told me they have to resolve CSCvw51040, and I might also be hitting another bug).


vikramyadav
Contributor

Hi @_joe ,

I believe Cisco Secure eStreamer Client (f.k.a. eNcore) Technical Add-on for Splunk v3.6.8 is not supported on Splunk Enterprise 8.4. This might be the reason you are facing the event drop issue.


I would recommend using the latest or appropriate version of the Add-on, depending on your Splunk Enterprise version.

--------------------------------------------------------

If this helps, your like will be appreciated 😊
