Activity Feed
- Got Karma for Re: Cisco eStreamer eNcore Add-on for Splunk: Does anybody have core Python code running on the Windows servers?. 11-04-2021 03:46 PM
- Posted Re: Cisco Secure eStreamer Client Autolookup estreamer_fw_action commented out on Getting Data In. 07-06-2021 04:42 PM
- Posted Re: Sourcefire Encore data ingestion issue on Getting Data In. 06-29-2021 01:56 PM
- Posted Re: Sourcefire Encore data ingestion issue on Getting Data In. 06-15-2021 02:56 PM
- Got Karma for Re: Cisco eStreamer eNcore Add-on for Splunk: Does anybody have core Python code running on the Windows servers?. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco eNcore: Sample logs. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco eNcore: Sample logs. 06-05-2020 12:49 AM
- Got Karma for Re: Ingesting logs from two eStreamer nodes. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco eStreamer eNcore Add-on for Splunk: Why am I getting this error?. 06-05-2020 12:49 AM
- Got Karma for Re: Estreamer or FMC limitation to ±100GB daily?. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco eStreamer for Splunk: What configurations should I make so that I see only IDS/IPS event logs?. 06-05-2020 12:48 AM
- Got Karma for Re: Cisco eStreamer for Splunk: "Problems starting the eStreamer client". 06-05-2020 12:48 AM
- Got Karma for Re: Cisco eStreamer for Splunk: How to encrypt the certificate password in the estreamer.conf file?. 06-05-2020 12:48 AM
- Got Karma for Re: Can we configure multiple Defense Center's in estreamer app?. 06-05-2020 12:48 AM
- Got Karma for Re: Can we configure multiple Defense Center's in estreamer app?. 06-05-2020 12:48 AM
- Got Karma for Re: Can we configure multiple Defense Center's in estreamer app?. 06-05-2020 12:48 AM
- Got Karma for Re: Cisco eStreamer for Splunk: Why am I receiving a "KeyError: 'elements'" error when trying to access settings?. 06-05-2020 12:48 AM
- Got Karma for Re: Connection error after upgrading to sourcefire 6.0.1.1. 06-05-2020 12:48 AM
- Got Karma for Re: Cisco eStreamer roadmap?. 06-05-2020 12:47 AM
- Got Karma for Re: Does the Cisco eStreamer for Splunk app support retrieving payload for intrusion events?. 06-05-2020 12:47 AM
12-17-2018
01:14 PM
We have a developer looking at outstanding issues currently.
CLI version 3.5.4 is here BTW: https://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight
... View more
11-09-2018
06:29 AM
I would open a ticket with Cisco TAC. This sure looks like a connection problem or authentication problem. What versions of the FMC and eNcore are you running?
... View more
11-09-2018
06:25 AM
I'm pasting in guidance from the soon to be released operations guide for our next version (3.5.4)
Performance and the workerProcesses Option
The performance of the eNcore for Splunk add-on has been improved in version 3.5 with the addition of multi-processing. By default, four worker processes operate on the incoming messages to achieve higher throughput. While multiple processes can provide significant performance gains, these gains are highly dependent on the platform because for each platform, the processing bottlenecks may be different. Multiple processes also require additional overhead for managing task distribution, so that increasing the number of processes could actually decrease the performance on platforms with a low number of CPU cores.
The number of worker processes is configurable through the workerProcesses parameter in the estreamer.conf configuration file. The number can be set from 1 to 12. Generally, the more capable the platform (i.e., more CPU cores, better I/O, etc.), more throughput is achieved through a higher number of worker processes. However, the only reliable approach is to test performance with various settings such as 1, 2, 4, 8, and 12, and in many cases the best performance may be gained with just one worker process because no process marshalling is required.
One scenario for testing is to:
1. Disable the add-on's Data Input in Splunk, because the same events will be requested multiple times during the testing.
2. Configure a set number of workerProcesses (such as 8) and then start eNcore with a start parameter of 0 (for genesis) or at least an old start time.
3. Request connection events from the FMC (or in some other way request the FMC to send millions of backlogged events).
4. Observe the event rate reported by the monitor process in the estreamer.log file.
5. Repeat the test with a different number of workerProcesses.
6. When the optimal number has been determined, set the workerProcesses to that number and enable the add-on's Data Input to resume production operations.
An example of the workerProcesses configuration in the estreamer.conf file is shown here:
"workerProcesses": 12
... View more
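A small helper for the sweep this post describes, added here as an example; it is not part of the post or of the eNcore add-on. It assumes estreamer.conf is JSON with a top-level "workerProcesses" key (the only key the post shows) and that the operator has read the per-run event rate off estreamer.log; the rates in the block are constructed, and the function names are mine.

```python
"""Choose a workerProcesses value from a sweep and write it to estreamer.conf.

Added example; not part of the post or of the eNcore add-on. Assumes
estreamer.conf is JSON with a top-level "workerProcesses" key (the key the
post shows) and that the per-run event rates were read from estreamer.log
by the operator. The rates below are constructed.
"""
import json

MIN_WORKERS, MAX_WORKERS = 1, 12   # range the post gives for workerProcesses
SWEEP = (1, 2, 4, 8, 12)           # settings the post suggests trying


def is_valid_worker_count(n):
    """True if n is an int inside the 1..12 range the add-on accepts."""
    return isinstance(n, int) and MIN_WORKERS <= n <= MAX_WORKERS


def select_worker_processes(rates):
    """rates maps workerProcesses -> events/second observed in that run.

    Returns the smallest worker count that reached the best rate: extra
    processes only add marshalling overhead, so ties go to fewer workers.
    """
    if not rates:
        raise ValueError("no sweep results")
    bad = [n for n in rates if not is_valid_worker_count(n)]
    if bad:
        raise ValueError(f"workerProcesses outside {MIN_WORKERS}..{MAX_WORKERS}: {bad}")
    best = max(rates.values())
    return min(n for n, rate in rates.items() if rate == best)


def get_worker_processes(conf_text):
    """Read workerProcesses from the JSON text of estreamer.conf."""
    return json.loads(conf_text)["workerProcesses"]


def set_worker_processes(conf_text, n):
    """Return the JSON text of estreamer.conf with workerProcesses set to n."""
    if not is_valid_worker_count(n):
        raise ValueError(f"workerProcesses must be {MIN_WORKERS}..{MAX_WORKERS}, got {n!r}")
    conf = json.loads(conf_text)
    conf["workerProcesses"] = n
    return json.dumps(conf, indent=4)


# Constructed sweep on a 4-core host: 8 workers equal 4, 12 is slower.
SAMPLE_RATES = {1: 1800.0, 2: 3100.0, 4: 4200.0, 8: 4200.0, 12: 3900.0}
SAMPLE_CONF = '{"workerProcesses": 12}'   # the fragment the post shows, as a document

if __name__ == "__main__":
    best = select_worker_processes(SAMPLE_RATES)
    print(set_worker_processes(SAMPLE_CONF, best))
```

Ties go to the lower count on purpose: the post notes that one worker can win outright because no process marshalling is needed, so a higher count that merely matches the rate buys nothing.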
11-07-2018
02:05 AM
How many CPU cores have you allocated to the TA? What sort of event rate does your firepower deployment generate? This could be a simple resource issue.
... View more
11-07-2018
01:59 AM
The TA simply forwards what it's collected from the FMC. I'm not sure there is any practical way to address this short of customizing the TA to delete specific fields. I'll do a little more research.
... View more
11-07-2018
01:57 AM
Did you get past the password issue? You need to authenticate the TA with the FMC or it will not work.
... View more
11-07-2018
01:55 AM
The current version 3.5.3 of the TA should fix this issue. When it sees an event it cannot properly parse it will write an error and continue collecting events. In previous versions this error would cause the TA to stop.
... View more
11-07-2018
01:45 AM
Sorry it took forever to respond. You need to install on a HF or use the CLI version. TA on the HF is best. Make sure you're using the latest version of the TA. 3.5.3.
... View more
10-15-2018
08:07 AM
The Splunk TA only supports a single FMC per instance. There are plans to make it more HA friendly supporting a primary and secondary with event de-duplication but that is not committed to a specific date yet.
You need to run a separate instance for each FMC for now.
... View more
08-24-2018
10:29 AM
2 Karma
This is not supported on Windows, yet. There will be a developer working on it at the end of the year. I cannot commit to a date yet until it's scoped and I know what's involved in getting past the outstanding issues.
... View more
05-25-2018
11:58 AM
It's not tested to run on Windows. Maybe a future version will be formally tested for Windows, TBD.
... View more
05-22-2018
03:16 PM
You could edit the bookmark file with the time you want to start from then run it.
... View more
05-22-2018
03:13 PM
did you get this resolved?
... View more
03-28-2018
02:24 PM
What version of the FMC are you using? Are you using the following TA? https://splunkbase.splunk.com/app/3662/
... View more
03-28-2018
02:20 PM
There is no field based criteria you can apply to the estreamer configuration.
There is an ugly approach but it has drawbacks. You'd be using syslog instead of estreamer (eNcore) and sending events directly from the sensor. Or you can send syslog from the FMC using correlation rules when the connection event fits a criterion that you want. This is very flexible but you can overwhelm the FMC if you're dealing with very high rates of connection events.
What sort of connection events are you trying to exclude?
... View more
03-26-2018
04:13 PM
1 Karma
Unfortunately I cannot tell you what changes are added since the 5.4 schema was explained here:
Discovery Event:
- Configuration:
Discovery Event syslog alerts can be configured under Policies > Actions > Alerts by selecting the Discovery Event Alerts tab, selecting the syslog alert you would like to use and selecting the types of events that should generate an alert.
- Schema:
SFIMS: <- From "" at -> IP Address: Port: Service: Confidence:
- Example:
SFIMS: <*- New TCP Port From "X.X.X.X" at Tue Feb 24 18:59:45 2015 UTC -*> IP Address: X.X.X.X Port: 6370 Service: HTTP Apache Confidence: 50
Intrusion Event:
- Configuration:
To enable Intrusion Event syslogging, first go to Policies > Intrusion > Intrusion Policy and edit the policy referenced by the Access Control Policy. Click on Advanced Settings and select enabled. Then, click edit and input your syslog server configuration.
- Schema:
SFIMS: [ ()][][::] "" [Classification: ] User: , Application: , Client: , App Protocol: Interface Ingress: , Interface Egress: , Security Zone Ingress:, Security Zone Egress: , [Priority: ] {} : -> :
- Example:
SFIMS: [Primary Detection Engine (9882464a-3c3d-11e3-875b-c166af9fa6c0)][Default Security Over Connectivity][1:17392:6] "INDICATOR-SHELLCODE JavaScript var shellcode" [Classification: Executable Code was Detected] User: Unknown, Application: Unknown, Client: Internet Explorer, App Protocol: HTTP Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, [Priority: 1] {TCP} xxx.xx.xx.xx:80 -> xxx.xxx.x.x:1113
Connection Event:
- Configuration:
To configure connection event syslogging, edit an Access Control Policy, and edit each rule that you would like connection event syslogging for, check syslog for the "Send Connection Events to:" section, and select your Syslog alert configuration.
- Schema:
5.3.X
: [ ()][] Connection Type: , User:, Client:, Application Protocol: , Web App: , Firewall Rule Name: , Firewall Rule Action: , Firewall Rule Reasons:, URL Category: , URL_Reputation: , URL: , Interface Ingress:, Interface Egress:, Security Zone Ingress:, Security Zone Egress:, Security Intelligence Matching IP:, Security Intelligence Category: , {} : ->:
5.4.X
: [ ()][] Connection Type: , User:, Client:, Application Protocol: , Web App: , Firewall Rule Name: , Firewall Rule Action: , Firewall Rule Reasons:, URL Category: , URL_Reputation: , URL: , Interface Ingress:, Interface Egress:, Security Zone Ingress:, Security Zone Egress:, Security Intelligence Matching IP:, Security Intelligence Category: ,Client Version: , Number of File Events: , Number of IPS Events: , TCP Flags: , NetBIOS Domain:, Initiator Packets: , Responder Packets: , Initiator Bytes:, Responder Bytes: , Context:, SSL Rule Name: , SSL Flow Status: , SSL Cipher Suite: , SSL Certificate:, SSL Subject CN: , SSL Subject Country: , SSL Subject OU: , SSL Subject Org:, SSL Issuer CN: , SSL Issuer Country:, SSL Issuer OU:, SSL Issuer Org:, SSL Valid Start Date:, SSL Valid End Date:, SSL Version: , SSL Server Certificate Status: , SSL Actual Action:, SSL Expected Action:, SSL Server Name: , SSL URL Category: , SSL Session ID:, SSL Ticket Id:, {} : ->:
NOTE: The SSL Fields will be in all connections regardless of whether SSL was used in the connection.
- Example:
sn54 54DC: [Primary Detection Engine (2c0f417e-bb63-11e4-90aa-a536b3757dce)][Default Access Control] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Cisco, Access Control Rule Name: catchall, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Business and Economy, URL Reputation: Well known, URL:https://nourl.cisco.com, Interface Ingress: eth1, Interface Egress: eth1, Security Zone Ingress: Internal, Security Zone Egress: Internal, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 3, Responder Packets: 1, Initiator Bytes: 727, Responder Bytes: 74, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} X.X.X.X:49205 -> X.X.X.X:443
Health Monitor Event:
- Configuration:
To configure health monitor syslogging, go to Health > Health Monitor Alerts, select the severities and modules you would like to alert on, name the alert and save.
- Schema:
: HMNOTIFY: (): Severity: :
- Example:
dc54 DC54: HMNOTIFY: License Monitor (Sensor dc54.example.com): Severity: warning: Violations due to licenses expiring within 90 days: USER used count will exceed total by 2 licenses.
Correlation Event:
- Configuration:
To configure correlation event syslogging, navigate to Policies > Correlation, edit the correlation policy configured, click on the responses icon for the rule you would like syslog alerts from, and select your syslog alert action.
- Schema:
: Correlation Event: / at
- Example:
dc54 DC54: Correlation Event: Test Correlation Rule/Test Correlation Policy at Tue Sep 15 13:05:52 2015 UTCConnection Type: FireSIGHT X.X.X.X:45652 (unknown) -> X.X.X.X:443 (united states) (tcp)
Impact Alert:
- Configuration:
To configure impact alert syslogging, go to Policies > Actions > Alerts, select Impact Flag Alerts, select your syslog alerting mechanism and the impact flags you would like to alert on.
- Schema:
: [::] "" [Impact:] From "" at UTC [Classification: ] [Priority: ] {} ->
- Example:
dc54 DC54: [1:1000000:1] "Ping Test Rule" [Impact: Unknown] From "X.X.X.X" at Tue Sep 15 13:41:52 2015 UTC [Classification: Misc Activity] [Priority: 3] {icmp} X.X.X.X->X.X.X.X
Network Malware Event:
- Configuration:
To configure network malware event syslogging, navigate to Policies > Actions > Alerts, select Advanced Malware Protection Alerts, select your syslog alerting mechanism, and select the types of events you want alerts for.
- Schema:
: <- Network Based Malware From "" at UTC -> Sha256: Disposition: Threat name: Addresses:
- Example:
dc54 DC54: <*- Network Based Malware From "X.X.X.X" at Tue Sep 15 14:32:47 2015 UTC -*> Sha256: 00b32c3428362e39e4df2a0c3e0950947c147781fdd3d2ffd0bf5f96989bb002 Disposition: Malware Threat name: W32.Zombies.NotAVirus IP Addresses: X.X.X.X<-X.X.X.X
Audit Log Event:
- Configuration:
To configure audit log event syslogging, navigate to System > Local > System Policy > Audit Log Settings, select the appropriate settings for your environment, click the Save Policy and Exit button, and reapply the System Policy.
- Schema:
ids.cgi: : user@IP, ,
- Example:
Oct 13 13:54:32 X.X.X.X ids.cgi: Sourcefire3D: admin@X.X.X.X, Policies > Intrusion > Intrusion Policy, Page View
... View more
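A parser for the intrusion and connection event formats quoted in the post above, added here as an example; it is not Cisco's or the eNcore add-on's code. It takes the layouts from the post's own examples and parses the "Key: value" body generically, so the extra 5.4 fields come through without code changes. The intrusion sample is the post's example verbatim, the connection sample is abridged from the post's 5.4 example, and the health-monitor line (also from the post) is there to show that an unrecognised format is skipped rather than fatal. The function names (parse_event, parse_lines) are mine.

```python
"""Parser for the intrusion and connection syslog formats quoted above.

Added example; not Cisco's or the eNcore add-on's code. Samples: the
post's intrusion example verbatim, its 5.4 connection example abridged,
and its health-monitor example (kept to show the unknown-format path).
"""
import re
from typing import Optional

# Shared trailer: {PROTO} src:port -> dst:port (IPv4 as quoted; IPv6 not handled).
_TUPLE = (r'\{(?P<proto>\w+)\} (?P<src>\S+?):(?P<sport>\d+) -> '
          r'(?P<dst>\S+?):(?P<dport>\d+)$')

INTRUSION_RE = re.compile(
    r'^SFIMS: \[(?P<engine>[^\]]*?) \((?P<engine_uuid>[0-9a-f-]+)\)\]'
    r'\[(?P<policy>[^\]]*)\]'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'"(?P<message>[^"]*)" '
    r'\[Classification: (?P<classification>[^\]]*)\] '
    r'(?P<fields>.*), \[Priority: (?P<priority>\d+)\] ' + _TUPLE)

CONNECTION_RE = re.compile(
    r'^(?P<host>\S+) (?P<tag>\S+): '
    r'\[(?P<engine>[^\]]*?) \((?P<engine_uuid>[0-9a-f-]+)\)\]'
    r'\[(?P<policy>[^\]]*)\] (?P<fields>.*), ' + _TUPLE)

# "Key: value" pairs. A value runs until the next ", Key:". The comma is
# optional because the quoted intrusion schema omits it between
# "App Protocol" and "Interface Ingress"; "URL:https://..." has no space.
KV_RE = re.compile(
    r'(?P<key>[A-Z][A-Za-z0-9_ ]*?):\s*(?P<value>.*?)'
    r'(?=,? [A-Z][A-Za-z0-9_ ]*?:|$)')

_INT_KEYS = ('gid', 'sid', 'rev', 'priority', 'sport', 'dport')


def parse_event(line: str) -> Optional[dict]:
    """Flat dict for an intrusion or connection event line; None if neither."""
    line = line.strip()
    for kind, rx in (('intrusion', INTRUSION_RE), ('connection', CONNECTION_RE)):
        m = rx.match(line)
        if not m:
            continue
        ev = {'event_type': kind}
        ev.update((k, v) for k, v in m.groupdict().items() if k != 'fields')
        ev.update((kv.group('key'), kv.group('value'))
                  for kv in KV_RE.finditer(m.group('fields')))
        for k in _INT_KEYS:
            if k in ev:
                ev[k] = int(ev[k])
        return ev
    return None


def parse_lines(lines):
    """Parse a batch; unknown-format lines are returned separately, not fatal."""
    events, skipped = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            skipped.append(line)
        else:
            events.append(ev)
    return events, skipped


INTRUSION_SAMPLE = (
    'SFIMS: [Primary Detection Engine (9882464a-3c3d-11e3-875b-c166af9fa6c0)]'
    '[Default Security Over Connectivity][1:17392:6] '
    '"INDICATOR-SHELLCODE JavaScript var shellcode" '
    '[Classification: Executable Code was Detected] User: Unknown, '
    'Application: Unknown, Client: Internet Explorer, App Protocol: HTTP '
    'Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: '
    'Internal, Security Zone Egress: External, [Priority: 1] '
    '{TCP} xxx.xx.xx.xx:80 -> xxx.xxx.x.x:1113')
CONNECTION_SAMPLE = (   # abridged from the post's 5.4 example
    'sn54 54DC: [Primary Detection Engine (2c0f417e-bb63-11e4-90aa-a536b3757dce)]'
    '[Default Access Control] Connection Type: Start, User: Unknown, '
    'Client: SSL client, Application Protocol: HTTPS, Web App: Cisco, '
    'Access Control Rule Name: catchall, Access Control Rule Action: Allow, '
    'Access Control Rule Reasons: Unknown, URL Category: Business and Economy, '
    'URL Reputation: Well known, URL:https://nourl.cisco.com, '
    'Interface Ingress: eth1, Interface Egress: eth1, '
    'Security Intelligence Matching IP: None, Client Version: (null), '
    'Number of IPS Events: 0, TCP Flags: 0x0, Initiator Bytes: 727, '
    'Responder Bytes: 74, SSL Flow Status: N/A, SSL Server Name: (null), '
    '{TCP} X.X.X.X:49205 -> X.X.X.X:443')
HEALTH_SAMPLE = (
    'dc54 DC54: HMNOTIFY: License Monitor (Sensor dc54.example.com): '
    'Severity: warning: Violations due to licenses expiring within 90 days: '
    'USER used count will exceed total by 2 licenses.')

if __name__ == '__main__':
    evs, skipped = parse_lines([INTRUSION_SAMPLE, CONNECTION_SAMPLE, HEALTH_SAMPLE])
    for ev in evs:
        print(ev['event_type'], ev['proto'], ev['src'], ev['sport'], '->', ev['dst'], ev['dport'])
    print('skipped:', len(skipped))
```

Because the key names are taken from the wire, a 5.3 and a 5.4 sender can feed the same parser; anything you key detections on (rule action, URL, SSL server name) is looked up by its on-the-wire name, and a line that matches none of the known layouts is reported in the skipped list rather than stopping the batch.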
03-26-2018
04:06 PM
A new version of eNcore for Splunk is in development. We expect much higher event rates will be supported.
Targeting late April for posting the new version.
... View more
02-19-2018
09:35 AM
Glad you got it working!
Doug
... View more
02-12-2018
04:08 PM
You'll need to uninstall the current 2.2.1 and then download and install 2.2.2 following these instructions: https://splunkbase.splunk.com/app/1629/#/details
... View more
02-12-2018
06:10 AM
There is a 2.2.2 that fixes a few things. Mainly, an issue with TLS. https://splunkbase.splunk.com/app/1629/
... View more
02-08-2018
02:30 PM
If you are using Firepower 6.x you need to use this TA: https://splunkbase.splunk.com/app/3662/
... View more
02-08-2018
09:37 AM
If you are using Firepower Version 6.x you need to use this TA: https://splunkbase.splunk.com/app/3662/
... View more
02-06-2018
10:45 AM
You need to create a second directory and a second instance of eNcore in order to collect data from two FMCs.
... View more
02-06-2018
10:44 AM
Cisco TAC can explain how to access the eStreamer unified2 files. This file store is not the same as the event database that is accessed when you search events via the UI or when running reports. It's much smaller in terms of the number of events it can queue up as well.
... View more
02-06-2018
10:41 AM
1 Karma
You should be able to send Intrusion events and connection events right off the sensor in syslog. Cisco TAC can explain the configuration steps for this.
... View more