All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

cisco estreamer data logs

edgarsilva01
Path Finder
‎01-18-2021 12:18 PM


Hello everyone

I have a problem with cisco estreamer logs: data

Apparently there is an intermittence with the sending of logs, a couple of weeks ago the cisco certificate was configured and the logs began to arrive, after a while they stopped.

When we went to review, apply a restart to the indexer and the logs began to arrive.
we have had this problem for 3 weeks, sometimes when restarting the indexer no logs are received.

Anyone ever happened something similar?
or what may be happening.

thanks

Labels (2)
0 Karma
Reply

AhmadKhattak20
Explorer
‎02-26-2021 01:12 AM

@edgarsilva01 were you able to resolve this issue? Can you share the solution if so? Thanks

0 Karma
Reply

edgarsilva01
Path Finder
‎02-26-2021 07:07 AM

Hello, Ahmadkhattak20,

We have not solved it, we open a case in splunk and they do not support that app either.

The answer was the following


"Hope you are doing really well! My name is Russel Andrey.

After reviewing the information, I see that the support for this add-on is "Not Supported". Here you have more insights about App support types:

https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Splunkbase/Appsupporttypes

As best effort from my side, here you have some information that can be helpful for you:

- This is the official documentation from the app: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSpl...

In case the documentation or steps shared above are not working, I strongly suggest you creating your own question in our communities channel for further assistance. At this point, I will proceed archiving this support ticket."

Thanks for your comprehension.

 

edgarsilva01_0-1614351839281.png

 

Reply

scelikok
SplunkTrust
SplunkTrust
‎01-18-2021 12:30 PM

Hi @edgarsilva01,

I experienced this problem too but there is no solution because the problem is not on Splunk side. FMC stops sending data or sends extremely slow to the socket at that times. If restart on Splunk does not help, restarting e-streamer service on FMC should work.

You can create a bash script to check data delay and send restart to estreamer app on Splunk.

Another better workaround is if you are using V6.4 on Firepower, using syslog.

 

If this reply helps you a upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...