
cisco estreamer data logs

edgarsilva01
Explorer


Hello everyone

I have a problem with the Cisco eStreamer data logs.

Apparently there is intermittence in the sending of logs: a couple of weeks ago the Cisco certificate was configured and the logs began to arrive; after a while they stopped.

When we went to review it, we restarted the indexer and the logs began to arrive.
We have had this problem for 3 weeks; sometimes, after restarting the indexer, no logs are received.

Has anyone had something similar happen, or does anyone know what may be going on?

Thanks

0 Karma

AhmadKhattak20
Loves-to-Learn

@edgarsilva01 were you able to resolve this issue? Can you share the solution if so? Thanks

0 Karma

edgarsilva01
Explorer

Hello @AhmadKhattak20,

We have not solved it; we opened a case with Splunk and they do not support that app either.

The answer was the following:


"Hope you are doing really well! My name is Russel Andrey.

After reviewing the information, I see that the support for this add-on is "Not Supported". Here you have more insights about app support types:

https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Splunkbase/Appsupporttypes

As a best effort from my side, here you have some information that can be helpful for you:

- This is the official documentation for the app: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSpl...

In case the documentation or steps shared above are not working, I strongly suggest creating your own question in our community channel for further assistance. At this point, I will proceed with archiving this support ticket."

Thanks for your understanding.


0 Karma

scelikok
Motivator

Hi @edgarsilva01,

I experienced this problem too, but there is no solution because the problem is not on the Splunk side. FMC stops sending data, or sends extremely slowly to the socket, at those times. If a restart on Splunk does not help, restarting the eStreamer service on FMC should work.

You can create a bash script to check the data delay and restart the eStreamer app on Splunk.

Another, better workaround, if you are using v6.4 on Firepower, is to use syslog.

 

If this reply helps you, an upvote is appreciated.

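One way to build the "check the data delay and restart" watchdog scelikok describes, as an added example that is not from the thread, from Cisco or from Splunk. It assumes the eNcore data lands in sourcetype cisco:estreamer:data, that the Splunk CLI is at $SPLUNK_HOME/bin/splunk with credentials in SPLUNK_AUTH, and that you supply your own RESTART_CMD (the thread names no restart command, so none is hard-coded). The freshness check uses the metadata command, which is cheap even on a large index; the parse and decision steps are separate functions so they can be tested without a Splunk install.

```shell
#!/bin/sh
# eStreamer feed watchdog (added example, not part of the thread or the eNcore add-on).
# Assumptions, not facts from the thread: sourcetype name, CLI location, credential
# variable, and RESTART_CMD, which you must set to whatever restarts the add-on on
# your Splunk host. It cannot restart eStreamer on the FMC itself.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SOURCETYPE="${SOURCETYPE:-cisco:estreamer:data}"   # assumed sourcetype
MAX_AGE="${MAX_AGE:-900}"                           # seconds with no new events = stale
SPLUNK_AUTH="${SPLUNK_AUTH:-admin:changeme}"        # replace with a least-privilege search user
RESTART_CMD="${RESTART_CMD:-}"                      # e.g. your own "restart the add-on" command

# parse_recent_time: read the CSV that `splunk search -output csv` prints on stdin and
# print the recentTime column (epoch seconds) of the first data row, or 0 if absent.
parse_recent_time() {
  awk -F, '
    NR==1 { for (i=1;i<=NF;i++) { h=$i; gsub(/"/,"",h); if (h=="recentTime") col=i }; next }
    NR==2 && col { v=$col; gsub(/"/,"",v); print int(v); found=1 }
    END { if (!found) print 0 }'
}

# last_event_time: ask Splunk for the newest event time of $SOURCETYPE via metadata.
last_event_time() {
  "$SPLUNK_HOME/bin/splunk" search \
    "| metadata type=sourcetypes index=* | search sourcetype=\"$SOURCETYPE\" | fields recentTime" \
    -auth "$SPLUNK_AUTH" -output csv 2>/dev/null | parse_recent_time
}

# feed_state: given newest-event epoch, current epoch and threshold, print a status line.
# Returns 0 when the feed is fresh, 1 when it is stale or has never been seen.
feed_state() {
  last="$1"; now="$2"; max_age="$3"
  if [ "$last" -le 0 ]; then
    echo "stale (no events seen)"; return 1
  fi
  age=$((now - last))
  if [ "$age" -gt "$max_age" ]; then
    echo "stale (${age}s since last event)"; return 1
  fi
  echo "ok (${age}s since last event)"; return 0
}

# main: one check; restart only when stale and a restart command is configured.
main() {
  last=$(last_event_time)
  if feed_state "$last" "$(date +%s)" "$MAX_AGE"; then
    return 0
  fi
  if [ -n "$RESTART_CMD" ]; then
    logger -t estreamer-watchdog "eStreamer feed stale, running: $RESTART_CMD"
    sh -c "$RESTART_CMD"
  else
    logger -t estreamer-watchdog "eStreamer feed stale, RESTART_CMD not set"
  fi
}

# Only act when a Splunk install is present, so the functions can be sourced elsewhere.
if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
  main
fi
```

Run it from cron every few minutes on the search head or indexer that hosts the add-on. Because the thread says the stall is usually on the FMC side, treat a restart that does not bring events back within one or two cycles as the cue to restart eStreamer on the FMC, not to keep bouncing Splunk.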