07-06-2021 04:42 PM
Thanks for the question. A few questions: What event type did you lose the field in? What version of the TA are you using? Please email the details to encore-community@cisco.com for a slightly quicker response. Thanks, Doug
06-29-2021 01:56 PM
Please email a link to this thread to encore-community@cisco.com. Thanks, Doug
06-15-2021 02:56 PM
Thanks for the message! We're looking at it. Appreciate all the details. Doug
04-25-2020 07:10 PM
This will create a race condition for the "All Time" queries, which are discouraged but still an option.
03-09-2020 10:02 AM
Just need to make sure by 'app' you mean the 3.6.8 TA and you are not referring to the dashboard app, correct?
01-21-2020 02:25 PM
I'm not the developer for this code but my colleague is and I will chat with him to try to get a detailed technical answer. That said, I think I can give you some important background and shed some light on your question.
In older versions of the eNcore code the Connection Event timestamp we used was derived from the time a connection was concluded, i.e., last packet. This caused some real problems since sometimes connections stay open for a very long time. Seconds? Minutes? Days? Our platform doesn't always age out connections in an orderly process and so we concluded, after a lot of analysis in a few customer environments, that we had to make the initiation of a connection (first packet) the actual timestamp we put in the event.
Not sure if you still think a change to the code is needed. We're open minded.
11-22-2019 04:13 PM
Thanks for the update. I'll review with our developer.
11-15-2019 03:05 PM
We've more recently pushed 3.6.8 with more bug fixes.
11-06-2019 09:21 AM
You definitely need to give it a password.
Where on the heavy forwarder are you copying the certificate? What directory path?
11-06-2019 09:19 AM
Please update to the latest version of the TA.
https://splunkbase.splunk.com/app/3662/
If you still have the problem just copy / paste new log data in this forum and we'll make a few suggestions.
10-15-2019 08:09 AM
Yes. We added that switch recently. No plans however to put any sort of decoder into the app. It's been requested a few times. If we can come up with an easy way we will but it's not on the roadmap presently.
10-14-2019 10:54 AM
3.6.1 has a bug that we discovered on 10/11. We changed default download to 3.5.8. There will be a 3.6.x posted in a few days that will fix the issue.
09-13-2019 09:20 AM
We don't perform the HEX to ASCII currently but we may insert a switch into the configuration file that does this. Converting to ASCII creates other problems though as there will be many special characters that don't mean anything. Currently, we assume customers use something like Wireshark to perform the decode. With our new Splunk app you can right-click from the payload and link back into the FMC's event view for this event and see the packet decoded in the FMC UI.
07-16-2019 02:34 PM
What version of Firepower? eNcore? When you say app, you mean the TA?
05-22-2019 07:52 AM
One of our architects here in Cisco tells me that he eliminates DNS requests (Connection Events) from logging and sees a massive reduction.
05-22-2019 07:51 AM
There is a detailed document on the syslog output. Do you have it?
If you want it please email me at dohurd@cisco.com and I'll attach it. I cannot attach it here.
Doug
05-08-2019 09:14 AM
We certainly want to move on from eStreamer and it will eventually be replaced with fully qualified events in clear text like syslog direct from the FMC. We've already begun transitioning by offering syslog off the appliance for Intrusion, Connection and File events. I don't have a solid date on the eStreamer API however. We're stuck with it for a while.
A number of customers have asked for support for multiple FMCs from the same TA. There's a high-level design but it's not committed yet.
04-18-2019 08:21 AM
eStreamer doesn't have the smarts in the server side (the FMC) of the API to filter event data. The FMC does support multiple domains so if you have multiple IDS devices you could place them in different domains and use separate eStreamer clients (like eNcore) to collect each customer's data.
Other solutions would involve filtering of data on the client side but you'd still be collecting all events for which the policy is set to generate events.
03-14-2019 02:43 PM
Cisco TAC will help you with this even if the TA is not supported.
Do you have the latest docs? Version 3.5?
03-14-2019 02:41 PM
BTW, 3.5.4 is now the latest version. Bug fixes and huge performance improvements for multi-core installations. New docs too.
02-06-2019 03:35 PM
With 6.x Firepower you'll want to be on eNcore version 3.5.4
https://splunkbase.splunk.com/app/3662/
02-06-2019 03:32 PM
Any chance you had Meta Data switched off on the FMC eStreamer configuration page? We haven't seen this on other customer sites.
02-06-2019 03:29 PM
You have to set $SPLUNK_HOME to the path of where Splunk is installed (usually opt/splunk, depends on OS).
Is this where Splunk is installed? Did you move to Python 2.7?
02-06-2019 03:26 PM
If you are using Firepower 6.x then you should use this TA: https://splunkbase.splunk.com/app/3662/ v3.5.4
And you should use this version of the Dashboard: https://splunkbase.splunk.com/app/3663/ v3.5.3
2.2.2 is a combined App and TA for Firepower 5.4 customers. It's not going to work well for 6.x customers.
Doug