Probably. I don't if there will be a limit. Most important is the support for HA pairs with the ability to perform event de-duplication so that you don't jam double the events into splunk. ... View more

The new TA and app should be available by the end of April. Doug ... View more

Should be available by the end of April! ... View more

what does it look like in the splunk ui? Does the dashboard there give any other errors? Do you have the right Perl Libraries installed? ... View more

did this get resolved for you? ... View more

Here is what I got back from an expert: I know splunk stores a key in the splunk.secret file on the system which is uses to encrypt ssl passwords on startup however the encryption is limited to ssl passwords that use splunktcp-ssl (i think this is exclusive to data going from splunk to splunk https://wiki.splunk.com/Community:Splunk2Splunk_SSL_DefaultCerts). We would need to consider this in the new app we build. My understanding on this whole splunk.secret is pretty shaky but from what I understand there is no way to do it unless we change and build the estreamer plugin to accommodate this. ... View more

According to one of the experts here the best and easiest way to fix would be to create a symlink from one directory to the other : ln -s /opt/splunk/splunk/etc/logs /splunkfs/estreamer/logs What the command above is doing is symbolically linking the first directory to the second so the system will think its writing to the former but really writing to the desired latter. ... View more

What disk space is being filled? The Flow data is an all or nothing proposition unless you use the Correlation engine to send you flow data when the flow meets some sort of criteria. ... View more

Unless you create a policy and at least on rule that is triggered there won't be any events. Doug ... View more

Sorry. Go to 'Policies' then Correlation. ... View more

From the top menu, right after login, go to Analysis, then Correlation, then correlation events. You need to create a Correlation Policy, at least one rule for that policy and then apply the correlation policy to the device(s) monitoring that see the traffic you want to monitor. There is quite a bit to do here if you've never done it. You could call TAC and get help on this. They'll be able to get you through all the detail. On Snort rules I'm not sure its the right way. You'd creating a rule to tell yo that a condition occurred which is what's currently happening already with false positives. You could create edit policy around the Src/Dst IPs, somehow exclude them from analysis. But again I'm completely sure if this is the right way to go. ... View more

Have you looked at the correlation engine to craft a special rule whereby you get a 'Correlation Event' when that occurs? This wouldn't eliminate the underlying false positive but it would create a separate event that you could reference. You could search for both and correlate them in Splunk. You could also create custom snort rules but that would depend on exactly what your criteria is. ... View more

Hello and thanks for the question. I remember our discussion from Splunk .conf I think. The API uses a lot of encoding. Example: User 9 = "Jim Smith". An actual user name will get sent to thru the API once and then all subsequent events will just have 'User = 9" . The assumption is that the client will cache a table the says use 'jim smith' when user = 9, the client then writes the event record containing the actual name. The current Splunk app doesn't reliably perform this lookup. It is the goal to do this in future in a new Splunk app expected early next year. ... View more

I may have a fix for you. We have a modified version of the app that forces TLS v1 upon connection to the FMC. Please mail me at dohurd@cisco.com and I can email you the new app. I'll try to post it to Splunk apps today too. ... View more

Once we verify operation on these newer version we'll update the splunk apps page. We don't know of any inherent incompatibilities presently. In our demo lab here at Cisco we are running Firepower 6.0.1 with Splunk 6.4.3 and it works well and there were no install problems. Working on understanding where these errors are coming from. Long term we are looking to have a new app built that updated schema and provides some other features. We may even offer a premium support service (for a modest charge) on the app for customers that want to be able to contact Cisco TAC for assistance. ... View more

The flow on/off switch in the Splunk configuration page will only allow flow data to be sent to the Splunk platform if Connection Events (we used to call them RNA flow events) are enabled at the Firepower Management Center eStreamer configuration page other wise they won't be available to splunk. ... View more

Just the Intrusion Events. I'd recommend you also check Impact Flag, Intrusion Extra data and Intrusion Event Packet Data if you want the packet payload. Leave everything else unchecked. ... View more

Sounds like an installation problem. Did you follow the install guide here: https://splunkbase.splunk.com/app/1629/#/details Sorry if this is a lame response but I have to ask. There just isn't enough in your question to go on. ... View more

Has the IP address of either side of the connection changed during the upgrade? Additionally, have you attempted creating a new client entry in the FMC and downloading the newly created certificate? ... View more

OK good to know. If you can share any specifics or the country it would help me build the case for a new eStreamer app. I can be emailed directly here: dohurd@cisco.com I track this stuff. ... View more

do you still have the problem? What version of Firepower are you using? ... View more

You will need to sun a second instance of the Cisco eStreamer for Splunk app for the second FMC. If the second FMC is part of an HA pair then you will get duplicate events. ... View more

That is correct. The app was built against the 5.4 API specification. New stuff in 6.0 won't be forwarded. What fields are you looking for? Do you know? Doug ... View more