Hello all,
I was wondering if anyone else has seen their event count drop (down to 10%?) after the FirePower team updates signatures on the Defense Center?
In the last couple of months I saw this happen twice, once when I was running 'Firepower eNcore Add-On for Splunk' v4.0.7 and once when I was running 3.6.8 (I downgraded). The FirePower team says there was nothing abnormal about their update.
I am running ~Splunk Enterprise 8.4.
Upgrading to eNcore 4.0.9 is not an option (the forwarder crashed on that version weeks ago; we opened a Cisco TAC case and they still haven't been able to tell us what happened).
Cisco Secure eStreamer Client (f.k.a Firepower eNcore) Add-On for Splunk
https://splunkbase.splunk.com/app/3662/
Thanks vikramyadav. The only problem is I also ran into this issue on 4.0.7 and Enterprise v8. I could downgrade, but I hope to move back to 4.x soon after Cisco resolves some of the 4.0.9 bugs (they told me they have to resolve CSCvw51040, and I might also be hitting another bug).
Hi @_joe ,
I believe Cisco Secure eStreamer Client (f.k.a. eNcore) Technical Add-on for Splunk v3.6.8 is not supported on Splunk Enterprise 8.4, and this might be why you are facing the event drop issue.
I would recommend using the latest or appropriate version of the Add-on depending on your Splunk Enterprise version.
--------------------------------------------------------
If this helps, your like will be appreciated 😊